Disabling Intel's Management Engine (ME)

[DrMrLordX]

https://www.bleepingcomputer.com/news/hardware/researchers-find-a-way-to-disable-much-hated-intel-me-component-courtesy-of-the-nsa/

Makes sense. If the NSA is going to backdoor Intel CPUs, they still need a way to use Intel chips themselves without making themselves vulnerable to their own backdoors.

Expect this to be "fixed" in future CPUs.

Maybe next they can teach us how to . . . secure AMD processors as well.

 

[whm1974]

Correct me if I'm wrong, but the Intel Management Engine is really only useful for system administrators that handle more then just a few computers?

This feature sounds like it not very useful at all for most users and that it is in fact a backdoor in disguise .

 

[DrMrLordX]

That's the general idea . . . that it's an NSA backdoor. One of the reasons why foreign concerns are trying to develop their own hardware platforms and avoid Intel ones.

 

[whm1974]

That looks to be a major reason why several countries such as India are funding development of CPUs using the RISK-V ISA. Since RISC-V is a FOSS specification anybody can look at and use, it has the potential to replace both x86 and ARM.

 

[jihe]

I thought it's in the chipset, not the CPU.

 

[whm1974]

I thought it's in the chipset, not the CPU.

I think it is both.

 

[cytg111]

Just read about this.

YAY

 

[Phynaz]

Jesus people it's not an NSA backdoor. You're not that important.

 

[Phynaz]

I thought it's in the chipset, not the CPU.

Correct

 

[Ken g6]

Jesus people it's not an NSA backdoor. You're not that important.

It's supposed to be a backdoor for system administrators on a corporate network. But a backdoor for someone is a backdoor for everyone who can figure it out.

For those who want to disable it, here's a potential way, but it's not well tested yet.

 

[LTC8K6]

It's supposed to be a backdoor for system administrators on a corporate network. But a backdoor for someone is a backdoor for everyone who can figure it out.

For those who want to disable it, here's a potential way, but it's not well tested yet.

And the disable attempt can have your computer "pining for the fjords".

 

[Phynaz]

That looks to be a major reason why several countries such as India are funding development of CPUs using the RISK-V ISA. Since RISC-V is a FOSS specification anybody can look at and use, it has the potential to replace both x86 and ARM.

RISC-V is to allow CPU's to be developed using common components to reduce development cost - not reinventing the wheel each time. The BSD license that RISC-V is licensed under allows for closed implementations. You can bet that any implementation that will see any successful use will have closed security features.

 

[cytg111]

Jesus people it's not an NSA backdoor. You're not that important.

You may not be. I am.

 

[IEC]

Jesus people it's not an NSA backdoor. You're not that important.

A backdoor can be exploited by anyone. If you think only the NSA can utilize their exploits, you are wrong.

Quite a few nation-state grade exploit toolkits have been leaked this year by the "Shadow Brokers" and other groups.

 

[whm1974]

RISC-V is to allow CPU's to be developed using common components to reduce development cost - not reinventing the wheel each time. The BSD license that RISC-V is licensed under allows for closed implementations. You can bet that any implementation that will see any successful use will have closed security features.

I'm sure there will some open implementations available.

 

[SarahKerrigan]

Correct me if I'm wrong, but the Intel Management Engine is really only useful for system administrators that handle more then just a few computers?

This feature sounds like it not very useful at all for most users and that it is in fact a backdoor in disguise .

Remote management is only one feature. A more consumer-relevant one is DRM - PAVP runs over ME/AMT, afaik. I believe Intel Anti-Theft runs on it as well, but I'm just going off memory for that one.

I seriously doubt the ME was created as a nation-state backdoor, but I would not be shocked to find it's been used as one.

Note, also, that AMD has an equivalent to the ME: the Platform Security Processor.

 

[PottedMeat]

the researcher's technical blog post (layman's history & technical details): http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

that's interesting, intel recently switched to an x86 microcontroller arch running MINIX from an ARCCompact running ThreadX RTOS.

people that used to want AMT disabled dumped the blob firmware, reconstructed it, and tried omitting blocks to see what would work and what wouldn't.
these researchers extracted an xml file from an intel management utility and found a flag that may disable it - how everything is tied together they're still trying to find out.

 

[whm1974]

Remote management is only one feature. A more consumer-relevant one is DRM - PAVP runs over ME/AMT, afaik. I believe Intel Anti-Theft runs on it as well, but I'm just going off memory for that one.

I seriously doubt the ME was created as a nation-state backdoor, but I would not be shocked to find it's been used as one.

Note, also, that AMD has an equivalent to the ME: the Platform Security Processor.

The Anti-Theft feature would probably be the only useful feature for consumers.

 

[SPBHM]

my main concern with it is not "NSA", but it being exploited by hackers in the future
still, there are probably so many easier weak points to exploit before that, so...

 

[Ratman6161]

That looks to be a major reason why several countries such as India are funding development of CPUs using the RISK-V ISA. Since RISC-V is a FOSS specification anybody can look at and use, it has the potential to replace both x86 and ARM.

Not really. Countries like India are trying to jump start their own industries to be less reliant on the west, to include the US.

 

[DrMrLordX]

India is not the only country. Russia has the Elbrus-8S. China has produced multiple MIPS variants.

 

[whm1974]

Not really. Countries like India are trying to jump start their own industries to be less reliant on the west, to include the US.

Well for that reason too as well.

 

[Dufus]

What about the BIOS option to disable ME, does that not do what it says?

 

[Phynaz]

What about the BIOS option to disable ME, does that not do what it says?

You can't disable ME completely, your system won't boot without it. Most likely your BIOS option is to turn off AMT.

 

[Dufus]

Here's an example of a BIOS option
https://www.reddit.com/r/thinkpad/comments/69wlbl/x230_unlocked_bios_has_an_option_to_disable_intel/

I think I tried it some time ago but really my only interests in ME would be for better performance (clocks) and bug fixes.