Researchers Find a Way To Disable Intel ME Component Courtesy of the NSA

An anonymous reader writes:Researchers from Positive Technologies -- a provider of enterprise security solutions -- have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs that many have called a secret backdoor, even if Intel advertised it as a "remote PC management" solution. People have been trying for years to find a way to disable the Intel ME component, but have failed all this time. This is because disabling Intel ME crashes computers, as Intel ME is responsible for the initialization, power management, and launch of the main Intel processor.

Positive Technologies experts revealed they discovered a hidden bit inside the firmware code, which when flipped (set to "1") will disable ME after ME has done its job and booted up the main processor. The bit is labelled "reserve_hap" and a nearby comment describes it as "High Assurance Platform (HAP) enable." High Assurance Platform (HAP) is an NSA program that describes a series of rules for running secure computing platforms. Researchers believe Intel has added the ME-disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments.
The original submission linked to a comment with more resources on the "Intel CPU backdoor" controversy.

Re:Thank you NSA

[infolation]

I don't want to sound paranoid, but...

Given the history of this organisation, there is a possibility that the 'disable Intel ME, block the nefarious attackers' bit is a decoy.

(Disclaimer: I use a 2008 thinkpad with the SOIC-16 personally reprogrammed using a beaglebone. So maybe I'm paranoid.)

Re:

[saloomy]

Do Apple computers have the ME enabled? How do you've access it?

Re:

[Anonymous Coward]

You access it from another PC by trying to connect to port 16992,16993,16994,16995,623 and 664 on the target machine. Accessing from the PC itself will not prove anything, as generally the access will go via the loopback interface on the same PC, bypassing the network IC that is working together with Intel ME to intercept communication on those ports.

Depending on the response you get, you can determine:

1) Behaviour same as other unused ports: Intel ME probably not available or completely disabled on this p

Re:

[unixisc]

Does that still work if one uses an Ethernet-USB adaptor on a laptop, where one can't plug in a second NIC card?

Re:

[unixisc]

So easy to do on a laptop or an AIO. Other than gamers, how many people still use desktops where one can plug in a NIC into a PCIe slot?

Re:

[bytesex]

Is this port knocking, or does each port do something different, or is it simply trial-and-error between ports?

Re:

[AmiMoJo]

Even if it does what it claims to do, it doesn't fully protect you from the ME being exploited. It just prevents exploits against a running ME, but an attacker could still hide code in the ME itself via bogus firmware updates which gives them a powerful rootkit that is difficult to detect or remove.

Lifting the write enable pin on the EEPROM can prevent that.

I also worry that the remaining minimal ME code needed to boot the system could be exploited some how. Bad firmware in another device, bad configuration

Re:

[unixisc]

Funny how they'd like Intel to have all that extra real estate on a chip to help them monitor the rest of us, but don't want that same capability turned on them. Sauce for the goose is ketchup for the gander!

Permanent Netbus.exe.

[Anonymous Coward]

In the early 2000s, my CD tray went out, and somebody started typing on my screen to me. It was such a violation that somebody had put a trojan on my machine and snooped around for who knows how long silently before revealing themselves. And since the trojan has no username/password, he not only opened my computer up to his sick self to sit there and watch my private computing environment and download files and watch screenshots of my desktop and all kinds of things -- he also let the entire world connect a

Re:Permanent Netbus.exe.

[Dunbal]

Well, if it's any consolation to you, you're never going to gain any sort of power, and nobody really wants to look at whatever is on your screen, beyond stealing your credit card number.

What people like you seem to fail to understand is that if I can collect and store data on EVERYBODY then in the future if I happen to be pissed off at YOU for whatever reason, I can go back through all that data I've collected and find something you said or did which I can use against you. Because EVERYONE commits some crime or other. EVERYONE. Government should never have such power.

"Give me 6 lines written by the most honest of men and in them I will find something which will hang him" -- Cardinal Richelieu

Re:

[ChrisMaple]

/dev/random is your friend.

Re:Permanent Netbus.exe.

[markdavis]

>"What people like you seem to fail to understand is that if I can collect and store data on EVERYBODY then in the future if I happen to be pissed off at YOU for whatever reason, I can go back through all that data I've collected and find something you said or did which I can use against you. Because EVERYONE commits some crime or other. EVERYONE. Government should never have such power."

+1,000,000 insightful

Not just government, NOBODY should have that power. Not governments, not businesses, not individuals. NOBODY. There are so many laws and regulations on the books, it is nearly impossible for any normal person to be 100% legal all the time. And each year it just gets worse. And that is just law- it doesn't have to be something illegal, it can just be something embarrassing to then be used as a weapon to harm or corrupt.

And even if there is some saintly person out there who thinks they never did anything wrong or embarrasing, I have news for you:

1) Anything you do can be taken out of context.
2) With power over your computer, anything can be PLANTED to make it seem like you did or said or contemplated something you never did.
3) Nobody is that saintly anyway.

Re:

[Anonymous Coward]

Anything you say can and will be used against you.

Re:

[umghhh]

Anything you did not say too. In fact these days any activity can be taken as a reason to smash your doors, put you in handcuffs and charge you with some silly crime. It seems the whole world is going this way. Even in what used to be peaceful Germany you can get that done to you now if your political opponents or some worried citizens dislike your prepping activities - 'he is evil terrorist because he has a weeks worth supply of food in his cellar' etc Seems to me that free world is as mad as the less free

Re:

[Dunbal]

This is true. Tactical entry, "no knock" warrants, etc used to be reserved for known dangerous criminals. We're almost at the point now where they're busting down your door for parking tickets. Cos admit it - busting down doors is fun. The cops paid for this tactical team and equipment, and by god they are going to use it.... it's human nature. And this trend is not just in the US. I'm an expat living in Costa Rica and I was amazed the other day when on the news I saw a tactical team busting down the doors

Re:

[Dunbal]

Yeah in first world shitholes they just toss flashbangs into baby cribs at the wrong address and are cleared of any wrongdoing despite mutilating a child who was obviously guilty of SOMETHING.

Re:

[umghhh]

It is what makes me wonder. At some point my doors will probably get smashed either by right wing radicals because I am not pure enough, by antifa activists because I am not tolerant enough or by authorities because I refuse to decry some shit or other (a mayor of small town in Germany wanted one of his subordinates to resign for not openly decrying Erdogan - yesterday, free speech and free though are not valued resources these days). We live in a world where being correct is more and more difficult, gettin

Re:

[umghhh]

This is a correct description of current situation. This BTW is not only Germany but we have militant tolerance fighters i.e. antifas that violently act on any sign of 'intolerance' they see. So you hardly can discuss anything in the open these days out of fear to be declared intolerant asshole. This btw includes people making photos of election poster teams to dox them later on and apply private pressure ect. I do not have to agree with some party slogans but that is going far to far. This has also less po

Re:

[LordWabbit2]

2) With power over your computer, anything can be PLANTED to make it seem like you did or said or contemplated something you never did.

Exactly, and if you are found to have a single image which can be construed as child porn you are fucked.

Re:

[Opportunist]

What's really fucked up about this is the way it's phrased, which essentially can be summed up with "it's up to the judge".

In other words, if the judge gets a boner, you're fucked.

Re:

[KiloByte]

Since the image choice is not yours, let me assure you, the image(s) that get planted won't be just borderline. Also, the police are assumed to never, ever plant such images even in cases it's widely known they hate your guts.

Re:

[Gr8Apes]

At this point, I'd question whether the police are ever honest.... And yes, I know probably a significant subset are honest, but enough aren't that it tars them all.

Re:

[KiloByte]

On their own, the vast majority of policemen are honest, or a good enough approximation of that. But when an order comes from the above, most will choose to keep their jobs over defending you.

Re:

[Gr8Apes]

Oh, I'm not even talking conspiracy here, just the low-level lack of integrity and Dredd-like thoughts about the "Law", or so it appears.

Re:

[Gr8Apes]

Including that picture you took of your first child getting its first bath. Oops.

Re:

[infolation]

The famous Ayn Rand - Atlas Shrugged [archive.org] quote.

You fellows were pikers, but we know the real trick, and you'd better get wise to it. There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced nor objectively interpreted-and you create a nation of law-breakers-and then you cash in on guilt. Now that's the system, Mr. Rearden, that's the game, and once you understand it, you'll be much easier to deal with."

It seems to enbody the principle of your post, but is always quoted out of context. The book talks about a different era - an industrial era - but, despite its moral defense of capitalism and the necessity of an independent mind, Atlas Shrugged's discussion of 'secret law' is directly relevant to the concept of a device that can exfiltrate an individual's life secrets to a state power.

Re:

[epine]

You fellows were pikers, but we know the real trick, and you'd better get wise to it.

Heinlein, toward the end, also suffered from giant book disorder, but even then Heinlein retained enough short-form marbles to at least subtly position this blowhard on the cynical fringe.

After a thousand pages, the author runs an appalling risk of falling in love with her/his reductive-cadence secret sauce.

Re:

[Jerry]

"I am a model citizen"

Think so?
Read this: http://lawcomic.net/guide/?p=1... [lawcomic.net]

"a much-hated component of Intel CPUs"

[Nutria]

Not much-hated by the people who buy Intel CPUs by the train-load.

Re:

[Ungrounded Lightning]

Because there is an alternative... not. AMD has the same shit.

Actually it has equivalent but DIFFERENT $#!7.

Re:

[thegarbz]

Not much-hated by the people who buy Intel CPUs by the train-load.

Yes this. Perspective matters. Intel powers the worlds PCs the number of people who actually give a shit about this can be stored in a 16bit integer. The number of people calling it a secret backdoor in an 8bit integer.

Best of all is the overlap between the number of people in the 16bit integer category and those who go out and buy workstation motherboards especially so they get features like the ones Intel ME provide. But somehow Intel is super evil while American Megatrends and the like are not.

Then there

Re: "a much-hated component of Intel CPUs"

[Reverend Green]

Everyone who understands what the ME is, calls it a backdoor. However that's not exactly a "secret".

Re:

[thegarbz]

No, everyone who understands what the ME is calls it what it is, an on CPU consumer version of IPMI, a premium feature that has been part of enterprise grade equipment for almost 2 decades.

Re:

[EndlessNameless]

You make it sound like this is unique to Intel. It is not.

AMD's TrustZone is basicallly the same thing---a processor which has supervisory access to the hardware and operating system.

Read all about it at:

http://www.amd.com/en-us/innov... [amd.com]

Re:

[Nutria]

How do you get "You make it sound like this is unique to Intel" from "Not much-hated by the people who buy Intel CPUs by the train-load?

Maybe you replied to the wrong comment?

Evil Bit

[Anonymous Coward]

I think we should call it the anti-evil bit https://www.ietf.org/rfc/rfc3514.txt [ietf.org] !

How to?

[manu0601]

The bleepingcomputer's article is informative, the researcher's blog post is full of technical details... but how do I actually disable Intel ME? Where is the how-to for that?

Re:How to?

[complete loony]

Wait for this patch [github.com] to me_cleaner to be better tested?

In the meantime this works... apk

[Anonymous Coward]

See subject: Stop it's ability to send info. outward via router port filtering ala ports 16992-16995 that Intel AMT/ME uses so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!

(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)

Additionally, once you disable the AMT engine's software interface (ez via software these articles

Re:

[aktw]

There is no "how-to" at this point, but I'm sure you can get started on CPU firmware modification since now you know the correct bit to flip.

Re:

[Anonymous Coward]

The article says to use Flash Image Tool (FIT).

So how can we set the HAP bit? We can use the FIT configuration files and determine the location of the bit in the image, but there is a simpler way. In the ME Kernel section of FIT, you can find a Reserved parameter. This is the particular bit that enables HAP mode.

Re:

[complete loony]

A version of this patch has been merged into the master branch of me_cleaner. So I'd suggest following their guides to attempt disabling Intel ME. Of course there's a risk you'll brick your motherboard...

Re:FUD.

[cavreader]

"As in environments that least have no internet access, or at best are air-gapped."
The Iranians found out the hard way that even a no internet access,air gapped, highly sensitive environment still wasn't enough to protect them from Stuxnet. Stuxnet was technically impressive but getting the virus smuggled into one of Iran's most secure facilities was even more impressive.

Re:

[Bite The Pillow]

In my experience, sensitive areas are run by people who did not know about this. So it must have been more like a Sig int input site, gathering external data, like a Twitter scraper. Something partially exposed that needed protection.

Re:

[Jerry]

From a post by Stallman:
"3. The backdoor is active even when the machine is powered off:
Intel rolled out something horrible [hackaday.com]
The ME has network access, access to the host operating system, memory, and cryptography engine. The ME can be used remotely even if the PC is powered off. If that sounds scary, it gets even worse: no one knows what the ME is doing, and we canâ(TM)t even look at the code.

4. Onboard ethernet and WiFi is part of the backdoor:
The ME has its own MAC and IP address for th

Maybe not just that...

[Pseudonym]

"High Assurance Platform" sounds to me like it's a mode to ensure that the CPU doesn't receive SMM interrupts. This is one of the reasons why Intel is not the platform of choice for safety-critical systems that depend on hard real-time guarantees.

Re:

[TemporalBeing]

"High Assurance Platform" sounds to me like it's a mode to ensure that the CPU doesn't receive SMM interrupts. This is one of the reasons why Intel is not the platform of choice for safety-critical systems that depend on hard real-time guarantees.

If you need a "hard real-time guarantee" then you wouldn't be using a micro-processor and be using a micro-controller instead.

Re:

[Pseudonym]

If you need a "hard real-time guarantee" then you wouldn't be using a micro-processor and be using a micro-controller instead.

Almost all of a time, a microcontroller IS-A microprocessor.

AMD behaviour ...

[evanh]

... indicates it's likely beholden in a similar fashion now.

Only worse....

[Anonymous Coward]

Because from all indications right now, AMD is on a proprietary embedded OS AND has full image encryption, meaning no pick and choose of modules to disable.

Something else a lot of people haven't considered: The neural network block used in the processors could have intentional or unintentional exploits built into them. The 'bad masks' that are resulting in Ryzen RMAs may not have been unintentional, but rather a widely used piece of code triggered them in an unintended manner causing a crash instead of an e

is it just me...

[Doctor Device]

...or does it seem slightly meta that, in a sense, Intel's backdoor has it's own backdoor.

What AMT versions are affected with the ME bkdoor?

[MSTCrow5429]

Is the Intel Management Engine present in all AMT versions? Is the Intel ME problematic in all versions of AMT in which it exists? Does AMT require Intel ME in the first place?

Re:

[Anonymous Coward]

AMT runs on top of Intel ME. So yes, Intel ME is present in all AMT versions, and also remains present if you do not even have AMT enabled.

*ALL VERSIONS* *IF ENABLED*

[Anonymous Coward]

In order to ensure your security the following steps are required:
- The AMT remote maintenance support has to be disabled (you would have had to manually configure and enable this, unless it was a corporate deployment.)
- The ME interface would have to be exposed to the operating system. Not all systems enable this. The ones that do will show a device in either the device manager or via lspci on linux.
- Final:you will have had to make a copy of your bios image, read off using either an FPC or SPI flash reade

Baffling

[Anonymous Coward]

What baffles me most is that the regular consumer is not offered this option for the devices they purchased.

Re:

[Opportunist]

Have you been on vacation the past 20 or so years?

ME is integrated in the Chipset, not the CPU

[gotan]

From the article:

"At the hardware level, Intel ME is nothing more than a microcontroller embedded on the Platform Controller Hub (PCH) chip, the component that handles all communication between the actual Intel processor and external devices."

Of course that makes this "component" even more ominous.

Re:

[e r]

You posted anonymously... and then signed your post??????

Error: Management Engine refused connection.

[Jerry]

I downloaded and compiled mei-amt-check from github, which was last compiled 4 months ago.

"A simple tool that tells you whether AMT is enabled and provisioned on Linux systems. Requires that the mei_me driver (part of the upstream kernel) be loaded."

The mei_me.ko is loaded when the program is run.

It gave me this on my Intel(R) Core(TM) i7-3610QM :

"sudo ./mei-amt-check
[sudo] password for jerry:
Error: Management Engine refused connection. This probably means you don't have AMT"

The "Management Engine" is still

Re:

[Anonymous Coward]

Wisdom, (not knowledge) prevents you from being an arrogant idiot like you have just been, knowing what intel ME is exactly (which you clearly do not) is not necessary to suppose there might be so much controversy and research into intel ME because there is no supported way to remove the vulnerable nature of having a whole closed source, obfuscated, signed OS and CPU in control of your CPU... Just to be clear: No, you cannot remove disable intel ME from EFI or BIOS, try at least to not be so condemning next

Re:

[Anonymous Coward]

wow why didn't they think of that huh? I guess we should all ask you how IME works then. So this BIOS option prevents the ME OS from booting I presume? otherwise you are still fucked.

Re:

[Anonymous Coward]

The BIOS settings just disable the software that runs on top of Intel ME. Intel ME is still present and intercepting certain network ports, as can be verified by comparing the behaviour of those ports to other unused ports on the same PC. The network stack handling them is different, so the rejection behaviour is different - if you don't see a difference right away, try configuring iptables or other firewall software to change the rejection method for those ports (a change from REJECT to DROP should make

Re:

[jabuzz]

Don't use the onboard NIC then. If it ain't plugged in it can't be used and if it is a random NIC from a different vendor than Intel it's unlikely that Intel ME will be able to make use of it.

Re:

[Anonymous Coward]

1. What if you can't change the router?
2. What if you forget to change the router?
3. What if you connect to another network?
4. What about the versions that use mobile phones built into the motherboard

It's bullshit. Intel's Management Engine is a hardware backdoor into every Intel system. You cannot trust Intel-based PCs. It's that simple.

Frankly, it's shocking that Intel have gotten away with this as long as they have.