Researchers have discovered that Intel Management Engine (Intel ME) 11, a dedicated (and non-optional) microcontroller integrated into all recent Intel chipsets, can be disabled through a mode that Intel never publicly documented.
“Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) chip and a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer. The ability to execute third-party code on Intel ME would allow for a complete compromise of the platform,” Positive Technologies researchers Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy explained.
Intel ME is a hardware component that runs its own OS and is loaded with firmware modules that provide, among other things, remote out-of-band management of PCs (Active Management Technology), generation and protection of cryptographic keys, remote software attestation, and authentication of hardware devices.
Intel ME can obviously be useful to system administrators, but many security-minded professionals regard a privileged, always-on component that they cannot inspect or switch off as a possible backdoor into the system, and would like the option to shut it off.
Disable Intel ME
For a long time, analysing the firmware loaded into Intel ME was a problem for security researchers, because the executable modules are compressed with Huffman codes whose tables were unknown. Sklyarov, Ermolov and Goryachy succeeded in recovering these tables and unpacking the images.
They plan to publish more of their findings in the coming days, but in the meantime they have shared how Intel ME can be disabled altogether and permanently, thanks to an undocumented mode that was implemented for the US government's "High Assurance Platform" (HAP) program.
Intel confirmed the discovery.
“In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s ‘High Assurance Platform’ program. These modifications underwent a limited validation cycle and are not an officially supported configuration,” the company’s representatives noted.
Instructions on how to switch off Intel ME are included in the researchers' blog post, along with a disclaimer warning would-be tinkerers that the change is made to the system's firmware image and may leave their computers damaged.
Still, given the recent discovery of a critical vulnerability in Intel Active Management Technology (AMT) that could be exploited to compromise a system, many might decide the gamble is worth taking in order to reduce their platform's attack surface.
Update: Wednesday, August 30, 2017 – 9:50AM PT
Intel spokesperson William Moss reached out to Help Net Security with the following comment:
“Intel does not and will not design backdoors for access into its products and does not participate in any efforts to decrease security of its technology.”