Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Intel Security

Researchers Find a Way To Disable Intel ME Component Courtesy of the NSA (bleepingcomputer.com) 142

An anonymous reader writes:Researchers from Positive Technologies -- a provider of enterprise security solutions -- have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs that many have called a secret backdoor, even if Intel advertised it as a "remote PC management" solution. People have been trying for years to find a way to disable the Intel ME component, but have failed all this time. This is because disabling Intel ME crashes computers, as Intel ME is responsible for the initialization, power management, and launch of the main Intel processor.

Positive Technologies experts revealed they discovered a hidden bit inside the firmware code, which when flipped (set to "1") will disable ME after ME has done its job and booted up the main processor. The bit is labelled "reserve_hap" and a nearby comment describes it as "High Assurance Platform (HAP) enable." High Assurance Platform (HAP) is an NSA program that describes a series of rules for running secure computing platforms. Researchers believe Intel has added the ME-disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments.

The original submission linked to a comment with more resources on the "Intel CPU backdoor" controversy.
This discussion has been archived. No new comments can be posted.

Researchers Find a Way To Disable Intel ME Component Courtesy of the NSA

Comments Filter:
  • by Anonymous Coward

    In the early 2000s, my CD tray went out, and somebody started typing on my screen to me. It was such a violation that somebody had put a trojan on my machine and snooped around for who knows how long silently before revealing themselves. And since the trojan has no username/password, he not only opened my computer up to his sick self to sit there and watch my private computing environment and download files and watch screenshots of my desktop and all kinds of things -- he also let the entire world connect a

  • Not much-hated by the people who buy Intel CPUs by the train-load.

    • Not much-hated by the people who buy Intel CPUs by the train-load.

      Yes this. Perspective matters. Intel powers the worlds PCs the number of people who actually give a shit about this can be stored in a 16bit integer. The number of people calling it a secret backdoor in an 8bit integer.

      Best of all is the overlap between the number of people in the 16bit integer category and those who go out and buy workstation motherboards especially so they get features like the ones Intel ME provide. But somehow Intel is super evil while American Megatrends and the like are not.

      Then there

    • You make it sound like this is unique to Intel. It is not.

      AMD's TrustZone is basicallly the same thing---a processor which has supervisory access to the hardware and operating system.

      Read all about it at:

      http://www.amd.com/en-us/innov... [amd.com]

      • by Nutria ( 679911 )

        How do you get "You make it sound like this is unique to Intel" from "Not much-hated by the people who buy Intel CPUs by the train-load?

        Maybe you replied to the wrong comment?

  • Evil Bit (Score:3, Funny)

    by Anonymous Coward on Tuesday August 29, 2017 @08:09PM (#55107201)

    I think we should call it the anti-evil bit https://www.ietf.org/rfc/rfc3514.txt [ietf.org] !

  • How to? (Score:4, Insightful)

    by manu0601 ( 2221348 ) on Tuesday August 29, 2017 @08:34PM (#55107311)
    The bleepingcomputer's article is informative, the researcher's blog post is full of technical details... but how do I actually disable Intel ME? Where is the how-to for that?
    • Re:How to? (Score:5, Informative)

      by complete loony ( 663508 ) <`moc.liamg' `ta' `namekaL.ymereJ'> on Tuesday August 29, 2017 @08:43PM (#55107335)
      Wait for this patch [github.com] to me_cleaner to be better tested?
      • by Anonymous Coward

        See subject: Stop it's ability to send info. outward via router port filtering ala ports 16992-16995 that Intel AMT/ME uses so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!

        (This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)

        Additionally, once you disable the AMT engine's software interface (ez via software these articles

    • by aktw ( 4857131 )
      There is no "how-to" at this point, but I'm sure you can get started on CPU firmware modification since now you know the correct bit to flip.
    • Re: (Score:2, Informative)

      by Anonymous Coward
      The article says to use Flash Image Tool (FIT).

      So how can we set the HAP bit? We can use the FIT configuration files and determine the location of the bit in the image, but there is a simpler way. In the ME Kernel section of FIT, you can find a Reserved parameter. This is the particular bit that enables HAP mode.

    • A version of this patch has been merged into the master branch of me_cleaner. So I'd suggest following their guides to attempt disabling Intel ME. Of course there's a risk you'll brick your motherboard...
  • "High Assurance Platform" sounds to me like it's a mode to ensure that the CPU doesn't receive SMM interrupts. This is one of the reasons why Intel is not the platform of choice for safety-critical systems that depend on hard real-time guarantees.

    • "High Assurance Platform" sounds to me like it's a mode to ensure that the CPU doesn't receive SMM interrupts. This is one of the reasons why Intel is not the platform of choice for safety-critical systems that depend on hard real-time guarantees.

      If you need a "hard real-time guarantee" then you wouldn't be using a micro-processor and be using a micro-controller instead.

      • If you need a "hard real-time guarantee" then you wouldn't be using a micro-processor and be using a micro-controller instead.

        Almost all of a time, a microcontroller IS-A microprocessor.

  • ... indicates it's likely beholden in a similar fashion now.

    • by Anonymous Coward

      Because from all indications right now, AMD is on a proprietary embedded OS AND has full image encryption, meaning no pick and choose of modules to disable.

      Something else a lot of people haven't considered: The neural network block used in the processors could have intentional or unintentional exploits built into them. The 'bad masks' that are resulting in Ryzen RMAs may not have been unintentional, but rather a widely used piece of code triggered them in an unintended manner causing a crash instead of an e

  • is it just me... (Score:4, Interesting)

    by Doctor Device ( 890418 ) on Tuesday August 29, 2017 @10:32PM (#55107695)

    ...or does it seem slightly meta that, in a sense, Intel's backdoor has it's own backdoor.

  • Is the Intel Management Engine present in all AMT versions? Is the Intel ME problematic in all versions of AMT in which it exists? Does AMT require Intel ME in the first place?
    • by Anonymous Coward

      AMT runs on top of Intel ME. So yes, Intel ME is present in all AMT versions, and also remains present if you do not even have AMT enabled.

    • by Anonymous Coward

      In order to ensure your security the following steps are required:
      - The AMT remote maintenance support has to be disabled (you would have had to manually configure and enable this, unless it was a corporate deployment.)
      - The ME interface would have to be exposed to the operating system. Not all systems enable this. The ones that do will show a device in either the device manager or via lspci on linux.
      - Final:you will have had to make a copy of your bios image, read off using either an FPC or SPI flash reade

  • Baffling (Score:2, Funny)

    by Anonymous Coward

    What baffles me most is that the regular consumer is not offered this option for the devices they purchased.

  • From the article:

    "At the hardware level, Intel ME is nothing more than a microcontroller embedded on the Platform Controller Hub (PCH) chip, the component that handles all communication between the actual Intel processor and external devices."

    Of course that makes this "component" even more ominous.

  • I downloaded and compiled mei-amt-check from github, which was last compiled 4 months ago.

    "A simple tool that tells you whether AMT is enabled and provisioned on Linux systems. Requires that the mei_me driver (part of the upstream kernel) be loaded."

    The mei_me.ko is loaded when the program is run.

    It gave me this on my Intel(R) Core(TM) i7-3610QM :

    "sudo ./mei-amt-check
    [sudo] password for jerry:
    Error: Management Engine refused connection. This probably means you don't have AMT"

    The "Management Engine" is still

Unix: Some say the learning curve is steep, but you only have to climb it once. -- Karl Lehenbauer

Working...