How to Disable the Intel Management Engine Backdoor – Courtesy of the NSA
Security Researchers at Positive Technologies have found a way to disable the Intel Management Engine (ME), a very widely hated component included in Intel CPUs implemented from Intel Core 1st to 7th generation CPUs (2006-2017).
What is Intel ME? It’s a tiny processor inside of Intel CPUs that has its own operating system, with its own processes, threads, memory manager, hardware bus driver, file system, and many other components.
You can think of it kind of like a whole other tiny computer, within your computer.
While it does add some great advantages to manage a corporate IT infrastructure by more easily managing our internal computer infrastructure (including tools that allow system administrators to monitor, maintain, update, upgrade, and repair computers from a remote location). The Intel ME is just a microcontroller embedded on the Platform Controller Hub (PCH), which is the component that handles all communication between the Intel CPU and all of the external devices.
Due to its location all of the data streams that occur on your computer have to pass through the Intel ME, which is how “sysadmins” were able to manage these computers remotely at such a deep system level.
AMD has also had a similar function in their CPUs since 2013 dubbed the Platform Security Processor (PSP), and as of yet have not found a way to disable them.
While many sysadmins, including myself, note how useful the Intel ME can be, it’s also at the same time gained notoriety being dubbed by myself and others as a backdoor (as stated by BoingBoing.net, InvisibleThings.org, and Joanna Rutkowska.
Many have claimed that the Intel ME is a backdoor for government actors or even malicious actors if they find a way into the system. This has definitely become a concern with the disclosure of an extremely devastating Common Vulnerability Exploit (CVE) labeled as CVE-2017-5689.
One cyber attack group, linked to state spying, has already been found using other Intel ME vulnerabilities to avoid firewalls and steal data. These accusations have risen because the software is not Free, Libre, and/or Open Source but rather closed and proprietary from the public; with the firmware undocumented and even compressed in order to hide all of its content.
Intel, of course, has predictably denied all of these.
A post on Slashdot details a list of the major problems with just how bad Intel ME is; here are the major highlights:
- The backdoor is next to impossible to decode and reverse engineer
- The backdoor is active even when the machine is powered off.
- Onboard Ethernet and Wi-Fi is part of the backdoor.
- The backdoor uses encrypted communication.
- Recent backdoors run Java applets.
- Possible attack vectors from Intel, the Central Intelligence Agency, or the National Security Agency (NSA) (who hold the certificate).
- Backdoor within a backdoor. Intel admitted that all Intel Core CPU’s from 1st to 7th generation all share the same vulnerability.
In fact there was such fear that many privacy advocates simply steered clear of Intel CPUs made after 2006 and AMD CPUs made after 2013.
There are dedicated vendors, such as MiniFree, which sell laptops that are refurbished; running a Free, Libre, and Open Source BIOS firmware known as Libreboot to avoid using any proprietary software using older Intel Core 2 CPUs. These are used by well known privacy and Free Software advocates such as Richard Stallman.
In fact the Libreboot BIOS page says the reason they won’t support newer Intel and AMD CPUs is because of these issues. Other solutions to avoid these issues left many privacy advocates to use open source hardware such as the Raspberry Pi, C.H.I.P. and other such development boards to create privacy and security minded computers. I myself even use a Pocket CHIP computer for such reasons when I don’t need a regular x86 laptop for work.
Many have attempted and failed to disable the Intel ME and the AMD PSP.
The fear of simply not knowing what is running inside their computer has lead many computer security experts to dive deep into the hardware and firmware to find ways to disable these components as detailed on these two GitHub pages (here and here), a source and repository for many Free, Libre, and Open Source projects and source code.
The reason everyone, up until now, has failed is because Intel has tied the ME hardware components into the system boot-up processes.
The Intel ME was the one doing the initialization, power management, and launch of the main processor.
Because of the responsibility this component has in modern Intel machines, disabling it was crashing computers. Therefore many IT people resorted to stripping and slimming the ME firmware capabilities as much as possible by disabling everything possible without causing boot-up issues.
However, thanks to the NSA, it seems there was a kill switch for the potential backdoor “features” implemented.
Positive Technologies discovered a way to disable ME that had eluded everyone for years.
A post by Positive Technologies (with a lot of “Geek Speak”) revealed they have found a hidden bit inside of the proprietary firmware code which, when it is “flipped,” (set from “0” to “1”) will disable the ME after the ME has done its boot-up duties and started the main processor.
This bit is dubbed as “reserve_hap” and a comment noted in the code described it as the “High Assurance Platform (HAP) enable.”
What exactly is the HAP you may ask?
According to the Trusted Computing Group, “The High Assurance Platform (HAP) Program is a multi-year NSA program with the vision to define a framework for the development of the “next generation” of secure computing platforms.”
The NSA conducts this effort in collaboration with industry, academia, and other government organizations.
With this knowledge, it is believed that Intel added the disabling bit at the request of the NSA, who required the capability of disabling ME due to the needs of some high security environments.
Intel has also confirmed the Intel ME disabling feature to Positive Technologies, “In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s “High Assurance Platform” program. These modifications underwent a limited validation cycle and are not an officially supported configuration.”
This is great news as now we have a potential way to secure our systems further.
However, Positive Technologies warn that using the HAP disable bit could be dangerous as it has not been deeply tested. They also said that the methods detailed in their post could be risky and potentially damage or even destroy a computer.
Anyone willing to take this step should do it with the help of someone trained in hardware or firmware.