Over the last decade, Intel has been including a tiny little microcontroller inside their CPUs. This microcontroller is connected to everything, and can shuttle data between your hard drive and your network adapter. It’s always on, even when the rest of your computer is off, and with the right software, you can wake it up over a network connection. Parts of this spy chip were included in the silicon at the behest of the NSA. In short, if you were designing a piece of hardware to spy on everyone using an Intel-branded computer, you would come up with something like the Intel Management Engine.
Last week, researchers [Mark Ermolov] and [Maxim Goryachy] presented an exploit at Black Hat Europe allowing for arbitrary code execution on the Intel ME platform. This is only a local attack, one that requires physical access to a machine. The cat is out of the bag, though, and this is the exploit we’ve all been expecting. This is the exploit that forces Intel and OEMs to consider the security implications of the Intel Management Engine. What does this actually mean?
What the Management Engine Is and Does
Intel’s Management Engine is only a small part of a collection of tools, hardware, and software hidden deep inside some of the latest Intel CPUs. These chips and software first appeared in the early 2000s as Trusted Platform Modules. These small crypto chips formed the root of ‘trust’ on a computer. If the TPM could be trusted, the entire computer could be trusted. Then came Active Management Technology, a set of embedded processors for Ethernet controllers. The idea behind this system was to allow for provisioning of laptops in corporate environments. Over the years, a few more bits of hardware were added to CPUs. This was the Intel Management Engine, a small system that was connected to every peripheral in a computer. The Intel ME is connected to the network interface, and it’s connected to storage. The Intel ME is still on, even when your computer is off. Theoretically, if you type on a keyboard connected to a powered-down computer, the Intel ME can send those keypresses off to servers unknown.
In addition to the release of the ME exploit at Black Hat, we’ve learned a lot in the last few weeks. The ME is actually running Minix, a ‘hobby’ or ‘teaching’ operating system created by [Andy Tanenbaum], and the OS that gave birth to Linux. There is a significant discussion of the BSD licensing versus the GPL licensing of Minix and Linux, but that’s an argument for another time.
For several years now, researchers have been investigating the set of chips Intel has included in their latest CPUs. Unfortunately, Intel decided that closed-source was the way to go, and with that, security researchers had an idea of what the Intel ME could do, but had no idea how that was done, and whether or not there were any security holes. This week, that wall was breached. Now anyone can execute arbitrary code on the Intel ME with a USB stick.
With the immense problems of the Intel Management Engine, is there anything a regular joe can do to mitigate the security risks? Is there any way to just turn the ME off? Thankfully yes, with a few caveats.
System76, makers of fine Linux laptops and desktops, have released their own firmware update to disable the ME. Additionally, Dell is now selling a laptop — the ruggedized Latitude 14 — with the default option of a disabled ME. There is, apparently, a market for the security conscious.
However, if you already own a computer, the chances are that you have a Management Engine somewhere in your box, and it’s running. What are your options, short of buying a new computer? The first step towards removing the ME is to see if it is indeed running. For this, Intel has released a tool to detect a running ME.
However, simply detecting the ME is not enough. You’ll need to disable it. Unfortunately, the implementation of the ME is left up to motherboard manufacturers, and there is no generic way to turn it off. This is perhaps the greatest security threat the ME poses; without a single, simple tool to turn the ME off in any instance, we’re left with only instructions and tutorials on how to disable the ME for individual makes and models of computers.
To that end, some motherboard manufacturers and OEMs have come up with methods to disable the ME in the last week or so, and it’s expected there will be an industry-wide response to this problem, with handy guides on how to disable the ME available from your motherboard OEM.
All of these are incomplete solutions. The recent Evil Maid exploit for the Intel ME, which requires physical presence, only works on ME versions higher than V. 11. While this does exclude all Macs, there’s still the possibility other exploits will be found, affecting earlier versions of the ME. How do you turn the entire thing off?
Unfortunately, you can’t. A computer without valid ME firmware shuts itself off after thirty minutes. However, the me_cleaner tool does something rather clever: it tricks the ME into thinking it has valid firmware, but in fact does nothing. We took a look at this hack when it was first released, and yes, if you delete the first page of memory from the ME’s ROM, it stops working but still allows your computer to function.
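For the detection step and the version cutoff mentioned above, here is an added inventory example (not Intel's detection tool and not code from this article). It assumes a Linux host whose mei driver exposes /sys/class/mei/meiN/fw_ver, and it reads the article's "V. 11" cutoff as major version 11 and up, which is an assumption; the sample firmware string is constructed.

```python
"""Inventory check: is an Intel ME host interface visible, and which firmware does it report?"""
import os
import tempfile

SYSFS_MEI = "/sys/class/mei"  # class directory created by the Linux mei driver
FLAG_FROM_MAJOR = 11          # assumption: one reading of the article's "V. 11" cutoff


def parse_fw_ver(text):
    """Parse fw_ver lines shaped '<platform>:<major>.<minor>.<milestone>.<build>'."""
    versions = []
    for line in text.splitlines():
        _, sep, ver = line.strip().partition(":")
        parts = ver.split(".")
        if sep and len(parts) == 4 and all(p.isdigit() for p in parts):
            versions.append(tuple(int(p) for p in parts))
    return versions


def check_me(sysfs_root=SYSFS_MEI):
    """Report what the operating system can see of the ME through sysfs."""
    result = {"interface_visible": False, "versions": [], "flagged": False}
    if not os.path.isdir(sysfs_root):
        return result  # driver not loaded, or interface hidden by firmware
    for dev in sorted(os.listdir(sysfs_root)):
        result["interface_visible"] = True
        try:
            with open(os.path.join(sysfs_root, dev, "fw_ver")) as fh:
                result["versions"] += parse_fw_ver(fh.read())
        except OSError:
            continue  # older kernels expose the device without a fw_ver file
    result["flagged"] = any(v[0] >= FLAG_FROM_MAJOR for v in result["versions"])
    return result


def demo():
    """Run the check against a constructed sysfs tree (sample data, not real output)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "mei0"))
        with open(os.path.join(root, "mei0", "fw_ver"), "w") as fh:
            fh.write("0:11.8.50.3425\n0:0.0.0.0\n0:0.0.0.0\n")
        return check_me(root)


if __name__ == "__main__":
    print("constructed sample:", demo())
    print("this host:", check_me())
```

A result with `interface_visible` set to false only means the operating system cannot see the host interface; firmware can hide that interface while the ME keeps running, so it is not proof that the ME is disabled.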
This year’s biggest ‘I Told You So’
The Intel ME is a tiny, obscure piece of hardware locked away in nearly every modern Intel CPU. It’s connected to your storage and your network interface. If someone can access the ME, they own your computer. Right now, the best exploit for the ME — or worst, depending on your point of view — is simply a variation of the Evil Maid scenario. This exploit requires physical access to the device, and we all know physical access is ultimately root access. In this context, and any realistic threat model, the current exploit for the Intel ME is a bit overblown.
Consider this Stage One. The ultimate exploit for the ME is one over the network interface. With that, anyone can own an ME-equipped computer from anywhere on the planet. This exploit does not exist yet, and we know this by the fact there isn’t a new, massive botnet mining Bitcoin.
Until that day comes, we’re only left with the realization that yes, the nerds were right. The idea of the NSA putting hardware in every computer sounds absurd, until you realize it actually happened.
Over the last few decades, the general population has been dragged kicking and screaming into the world of information security. In the 80s, it was as simple as not writing your password down on a Post-It note. In a few years, we’ll get to the conversation about how Alexas and Google Homes are an Orwellian nightmare. Until then, we’ll have to use the Intel ME exploit as another example of how important security is, and how vital it is to listen to the people telling you, “this is bad”. Code that can’t be audited is code that can’t be trusted.