Researchers Find a Way To Disable Intel ME Component Courtesy of the NSA (bleepingcomputer.com)
An anonymous reader writes: Researchers from Positive Technologies -- a provider of enterprise security solutions -- have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs that many have called a secret backdoor, even if Intel advertised it as a "remote PC management" solution. People have been trying for years to find a way to disable the Intel ME component, but have failed all this time. This is because disabling Intel ME crashes computers, as Intel ME is responsible for the initialization, power management, and launch of the main Intel processor.
Positive Technologies experts revealed they discovered a hidden bit inside the firmware code, which when flipped (set to "1") will disable ME after ME has done its job and booted up the main processor. The bit is labelled "reserve_hap" and a nearby comment describes it as "High Assurance Platform (HAP) enable." High Assurance Platform (HAP) is an NSA program that describes a series of rules for running secure computing platforms. Researchers believe Intel has added the ME-disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments.
The original submission linked to a comment with more resources on the "Intel CPU backdoor" controversy.
Re:Thank you NSA (Score:4, Interesting)
Given the history of this organisation, there is a possibility that the 'disable Intel ME, block the nefarious attackers' bit is a decoy.
(Disclaimer: I use a 2008 thinkpad with the SOIC-16 personally reprogrammed using a beaglebone. So maybe I'm paranoid.)
Re: (Score:2)
Do Apple computers have the ME enabled? How do you access it?
Re: (Score:3, Informative)
You access it from another PC by trying to connect to ports 16992, 16993, 16994, 16995, 623 and 664 on the target machine. Accessing from the PC itself will not prove anything, as generally the access will go via the loopback interface on the same PC, bypassing the network IC that is working together with Intel ME to intercept communication on those ports.
Depending on the response you get, you can determine:
1) Behaviour same as other unused ports: Intel ME probably not available or completely disabled on this p
Is this port knocking, or does each port do something different, or is it simply trial-and-error between ports?
Re: (Score:2)
Even if it does what it claims to do, it doesn't fully protect you from the ME being exploited. It just prevents exploits against a running ME, but an attacker could still hide code in the ME itself via bogus firmware updates which gives them a powerful rootkit that is difficult to detect or remove.
Lifting the write enable pin on the EEPROM can prevent that.
I also worry that the remaining minimal ME code needed to boot the system could be exploited some how. Bad firmware in another device, bad configuration
Re: (Score:3)
Funny how they'd like Intel to have all that extra real estate on a chip to help them monitor the rest of us, but don't want that same capability turned on them. Sauce for the goose is ketchup for the gander!
Permanent Netbus.exe. (Score:2, Interesting)
In the early 2000s, my CD tray went out, and somebody started typing on my screen to me. It was such a violation that somebody had put a trojan on my machine and snooped around for who knows how long silently before revealing themselves. And since the trojan has no username/password, he not only opened my computer up to his sick self to sit there and watch my private computing environment and download files and watch screenshots of my desktop and all kinds of things -- he also let the entire world connect a
Re:Permanent Netbus.exe. (Score:5, Insightful)
Well, if it's any consolation to you, you're never going to gain any sort of power, and nobody really wants to look at whatever is on your screen, beyond stealing your credit card number.
What people like you seem to fail to understand is that if I can collect and store data on EVERYBODY then in the future if I happen to be pissed off at YOU for whatever reason, I can go back through all that data I've collected and find something you said or did which I can use against you. Because EVERYONE commits some crime or other. EVERYONE. Government should never have such power.
"Give me 6 lines written by the most honest of men and in them I will find something which will hang him" -- Cardinal Richelieu
Re:Permanent Netbus.exe. (Score:5, Insightful)
>"What people like you seem to fail to understand is that if I can collect and store data on EVERYBODY then in the future if I happen to be pissed off at YOU for whatever reason, I can go back through all that data I've collected and find something you said or did which I can use against you. Because EVERYONE commits some crime or other. EVERYONE. Government should never have such power."
+1,000,000 insightful
Not just government, NOBODY should have that power. Not governments, not businesses, not individuals. NOBODY. There are so many laws and regulations on the books, it is nearly impossible for any normal person to be 100% legal all the time. And each year it just gets worse. And that is just law; it doesn't have to be something illegal, it can just be something embarrassing to then be used as a weapon to harm or corrupt.
And even if there is some saintly person out there who thinks they never did anything wrong or embarrassing, I have news for you:
1) Anything you do can be taken out of context.
2) With power over your computer, anything can be PLANTED to make it seem like you did or said or contemplated something you never did.
3) Nobody is that saintly anyway.
Re: (Score:1)
Anything you say can and will be used against you.
Re: (Score:3)
Exactly, and if you are found to have a single image which can be construed as child porn you are fucked.
Re: (Score:3)
What's really fucked up about this is the way it's phrased, which essentially can be summed up with "it's up to the judge".
In other words, if the judge gets a boner, you're fucked.
Re: (Score:3)
Since the image choice is not yours, let me assure you, the image(s) that get planted won't be just borderline. Also, the police are assumed to never, ever plant such images even in cases it's widely known they hate your guts.
Re: (Score:2)
On their own, the vast majority of policemen are honest, or a good enough approximation of that. But when an order comes from the above, most will choose to keep their jobs over defending you.
Re: (Score:3)
"You fellows were pikers, but we know the real trick, and you'd better get wise to it. There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced nor objectively interpreted - and you create a nation of law-breakers - and then you cash in on guilt. Now that's the system, Mr. Rearden, that's the game, and once you understand it, you'll be much easier to deal with."
It seems to embody the principle of your post, but is always quoted out of context. The book talks about a different era - an industrial era - but, despite its moral defense of capitalism and the necessity of an independent mind, Atlas Shrugged's discussion of 'secret law' is directly relevant to the concept of a device that can exfiltrate an individual's life secrets to a state power.
Re: (Score:2)
Heinlein, toward the end, also suffered from giant book disorder, but even then Heinlein retained enough short-form marbles to at least subtly position this blowhard on the cynical fringe.
After a thousand pages, the author runs an appalling risk of falling in love with her/his reductive-cadence secret sauce.
Re: (Score:2)
"I am a model citizen"
Think so?
Read this: http://lawcomic.net/guide/?p=1... [lawcomic.net]
"a much-hated component of Intel CPUs" (Score:2)
Not much-hated by the people who buy Intel CPUs by the train-load.
Re: (Score:3)
Because there is an alternative... not. AMD has the same shit.
Actually it has equivalent but DIFFERENT $#!7.
Re: (Score:2)
Not much-hated by the people who buy Intel CPUs by the train-load.
Yes, this. Perspective matters. Intel powers the world's PCs; the number of people who actually give a shit about this can be stored in a 16-bit integer. The number of people calling it a secret backdoor in an 8-bit integer.
Best of all is the overlap between the number of people in the 16-bit integer category and those who go out and buy workstation motherboards especially so they get features like the ones Intel ME provides. But somehow Intel is super evil while American Megatrends and the like are not.
Then there
Re: "a much-hated component of Intel CPUs" (Score:2)
Everyone who understands what the ME is, calls it a backdoor. However that's not exactly a "secret".
Re: (Score:2)
No, everyone who understands what the ME is calls it what it is, an on CPU consumer version of IPMI, a premium feature that has been part of enterprise grade equipment for almost 2 decades.
Re: (Score:2)
You make it sound like this is unique to Intel. It is not.
AMD's TrustZone is basically the same thing - a processor which has supervisory access to the hardware and operating system.
Read all about it at:
http://www.amd.com/en-us/innov... [amd.com]
Re: (Score:2)
How do you get "You make it sound like this is unique to Intel" from "Not much-hated by the people who buy Intel CPUs by the train-load"?
Maybe you replied to the wrong comment?
Evil Bit (Score:3, Funny)
I think we should call it the anti-evil bit https://www.ietf.org/rfc/rfc3514.txt [ietf.org] !
In the meantime this works... apk (Score:1)
See subject: Stop its ability to send info outward via router port filtering, a la ports 16992-16995 that Intel AMT/ME uses, so filter those ports in a modem/router external to the OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software these articles
Re:FUD. (Score:4, Informative)
"As in environments that least have no internet access, or at best are air-gapped."
The Iranians found out the hard way that even a no-internet-access, air-gapped, highly sensitive environment still wasn't enough to protect them from Stuxnet. Stuxnet was technically impressive, but getting the virus smuggled into one of Iran's most secure facilities was even more impressive.
Re: (Score:2)
In my experience, sensitive areas are run by people who did not know about this. So it must have been more like a Sig int input site, gathering external data, like a Twitter scraper. Something partially exposed that needed protection.
Re: (Score:2)
From a post by Stallman:
"3. The backdoor is active even when the machine is powered off:
Intel rolled out something horrible [hackaday.com]
The ME has network access, access to the host operating system, memory, and cryptography engine. The ME can be used remotely even if the PC is powered off. If that sounds scary, it gets even worse: no one knows what the ME is doing, and we can't even look at the code.
4. Onboard ethernet and WiFi is part of the backdoor:
The ME has its own MAC and IP address for th
Maybe not just that... (Score:2)
"High Assurance Platform" sounds to me like it's a mode to ensure that the CPU doesn't receive SMM interrupts. This is one of the reasons why Intel is not the platform of choice for safety-critical systems that depend on hard real-time guarantees.
Re: (Score:2)
"High Assurance Platform" sounds to me like it's a mode to ensure that the CPU doesn't receive SMM interrupts. This is one of the reasons why Intel is not the platform of choice for safety-critical systems that depend on hard real-time guarantees.
If you need a "hard real-time guarantee" then you wouldn't be using a micro-processor and be using a micro-controller instead.
Re: (Score:2)
If you need a "hard real-time guarantee" then you wouldn't be using a micro-processor and be using a micro-controller instead.
Almost all of the time, a microcontroller IS-A microprocessor.
AMD behaviour ... (Score:2)
... indicates it's likely beholden in a similar fashion now.
Only worse.... (Score:1)
Because from all indications right now, AMD is on a proprietary embedded OS AND has full image encryption, meaning no pick and choose of modules to disable.
Something else a lot of people haven't considered: The neural network block used in the processors could have intentional or unintentional exploits built into them. The 'bad masks' that are resulting in Ryzen RMAs may not have been unintentional, but rather a widely used piece of code triggered them in an unintended manner causing a crash instead of an e
is it just me... (Score:4, Interesting)
...or does it seem slightly meta that, in a sense, Intel's backdoor has its own backdoor.
What AMT versions are affected with the ME backdoor? (Score:2)
Re: (Score:1)
AMT runs on top of Intel ME. So yes, Intel ME is present in all AMT versions, and also remains present if you do not even have AMT enabled.
*ALL VERSIONS* *IF ENABLED* (Score:2, Informative)
In order to ensure your security the following steps are required:
- The AMT remote maintenance support has to be disabled (you would have had to manually configure and enable this, unless it was a corporate deployment.)
- The ME interface would have to be exposed to the operating system. Not all systems enable this. The ones that do will show a device in either the device manager or via lspci on linux.
- Final: you will have had to make a copy of your bios image, read off using either an FPC or SPI flash reade
Baffling (Score:2, Funny)
What baffles me most is that the regular consumer is not offered this option for the devices they purchased.
Re: (Score:3)
Have you been on vacation the past 20 or so years?
ME is integrated in the Chipset, not the CPU (Score:2)
From the article:
"At the hardware level, Intel ME is nothing more than a microcontroller embedded on the Platform Controller Hub (PCH) chip, the component that handles all communication between the actual Intel processor and external devices."
Of course that makes this "component" even more ominous.
Error: Management Engine refused connection. (Score:2)
I downloaded and compiled mei-amt-check from github, which was last compiled 4 months ago.
"A simple tool that tells you whether AMT is enabled and provisioned on Linux systems. Requires that the mei_me driver (part of the upstream kernel) be loaded."
The mei_me.ko is loaded when the program is run.
It gave me this on my Intel(R) Core(TM) i7-3610QM :
"sudo ./mei-amt-check
[sudo] password for jerry:
Error: Management Engine refused connection. This probably means you don't have AMT"
The "Management Engine" is still
Re: (Score:1)
Wisdom (not knowledge) prevents you from being an arrogant idiot like you have just been; knowing what Intel ME is exactly (which you clearly do not) is not necessary to suppose there might be so much controversy and research into Intel ME because there is no supported way to remove the vulnerable nature of having a whole closed-source, obfuscated, signed OS and CPU in control of your CPU... Just to be clear: No, you cannot remove/disable Intel ME from EFI or BIOS, try at least to not be so condemning next
Re: (Score:1)
Wow, why didn't they think of that, huh? I guess we should all ask you how IME works then. So this BIOS option prevents the ME OS from booting, I presume? Otherwise you are still fucked.
Re: (Score:3, Informative)
The BIOS settings just disable the software that runs on top of Intel ME. Intel ME is still present and intercepting certain network ports, as can be verified by comparing the behaviour of those ports to other unused ports on the same PC. The network stack handling them is different, so the rejection behaviour is different - if you don't see a difference right away, try configuring iptables or other firewall software to change the rejection method for those ports (a change from REJECT to DROP should make
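The port comparison described in this reply, and in the earlier comment that lists the AMT ports (16992-16995, 623, 664), written out as an added example; this is not code from either commenter. It assumes you run it from a second PC against your own machine's address, and that `baseline_port` is a port you know nothing listens on.

```python
import socket
import sys

# Ports the thread says Intel AMT/ME listens on (taken from the comments above).
AMT_PORTS = (16992, 16993, 16994, 16995, 623, 664)


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'refused' (RST: closed port or firewall
    REJECT) or 'timeout' (no answer: firewall DROP or no host)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        # EHOSTUNREACH and friends count as "no answer" for this comparison too.
        return "timeout"
    finally:
        sock.close()


def compare(results, baseline):
    """Ports whose behaviour differs from the unused baseline port.

    Empty means the AMT ports act like any other closed port (ME probably absent
    or disabled); any entry means a different network stack answered there."""
    return {port: res for port, res in results.items() if res != baseline}


def audit(host, baseline_port=16990, timeout=2.0):
    """Probe the AMT ports plus one port assumed unused (baseline_port is an
    assumption: choose a port you know nothing listens on). Run this from a
    second machine: loopback traffic never reaches the NIC the ME sits behind."""
    baseline = probe(host, baseline_port, timeout)
    results = {port: probe(host, port, timeout) for port in AMT_PORTS}
    return baseline, compare(results, baseline)


def start_listener():
    """Throwaway local listener so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    base, diff = audit(target)
    print(f"unused port: {base}; AMT ports behaving differently: {diff or 'none'}")
```

If the AMT ports come back "refused" while the baseline is "timeout" (or vice versa), that is the difference in rejection behaviour the reply above says to look for; switching the firewall on the audited PC between REJECT and DROP should move the baseline but not ports the ME answers itself.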
Re: (Score:2)
Don't use the onboard NIC then. If it ain't plugged in it can't be used and if it is a random NIC from a different vendor than Intel it's unlikely that Intel ME will be able to make use of it.
Re: (Score:1)
1. What if you can't change the router?
2. What if you forget to change the router?
3. What if you connect to another network?
4. What about the versions that use mobile phones built into the motherboard
It's bullshit. Intel's Management Engine is a hardware backdoor into every Intel system. You cannot trust Intel-based PCs. It's that simple.
Frankly, it's shocking that Intel have gotten away with this as long as they have.