Some Apple Laptops Shipped With Intel Chips In 'Manufacturing Mode'

An anonymous reader writes: Apple has quietly fixed a security issue affecting some laptops that shipped with Intel chips that were mistakenly left configured into "manufacturing mode." The issue was discovered by two security researchers bug hunting for security flaws in Intel's Management Engine. While digging around through the tens of ME configuration options, the two spotted a feature that they believed could lead to problems, if left enabled by accident on Intel chips.

The configuration they eyed was named Manufacturing Mode, and it's an Intel ME option that desktop, server, laptop, or mobile OEMs can enable for Intel chips and use it for testing ME's remote management features. As the name implies, this configuration option should be enabled only on manufacturing lines to enable automated configuration and testing operations, but disabled before shipping the end product. Leaving an Intel ME chip in Manufacturing Mode allows attackers to change ME settings and disable security controls, opening a chip for other attacks.

The two researchers said they only tested Lenovo and Apple laptops for the presence of Intel ME chips in Manufacturing Mode. Other laptops or computers may also be affected. Instructions on how to spot Intel ME chips in Manufacturing Mode and how to disable it are available here. Apple fixed the issue in June, with the release of macOS High Sierra 10.13.5, and Security Update 2018-003 for macOS Sierra and El Capitan.

Don't buy Intel if you care about security

[pak9rabid]

So, between this, Meltdown, and the handful of Spectre variant bugs, I guess it's safe to say that if you value security don't buy Intel.

Re:

[IVomitFatCashews]

And if you value quality, don't read Slashdot.

Re:

[Narcocide]

I've been saying that since at least 2006.

Re:Don't buy Intel if you care about security

[Anonymous Coward]

Don't buy AMD either. Only fully secure way is to manufacture your own processor in Minecraft using Redstone. NSA can't spy on you then as they are still running government issued wood pick axes.

Build 8088 if you care about security.

[Ostracus]

RISC-V, or make an 8088 out of FPGAs.

Re:

[TeknoHog]

RISC-V, or make an 8088 out of FPGAs.

You can find pretty capable FPGAs today, in fact you've been able to put various RISC processors on a single FPGA for years. Unfortunately, they won't be fundamentally secure. The compilers are generally closed source, and who knows what the chips themselves are hiding.

Re:Don't buy Intel if you care about security

[Tough Love]

From the article [zdnet.com] "it's an Intel ME option that desktop, server, laptop, or mobile OEMs can enable for Intel chips and use it for testing." Apple is the OEM, so it was Apple that wrongly configured these chips.

Not defending Intel's notorious management engine by any means, but let's point the finger at the guilty party in this case.

Re:

[PolygamousRanchKid]

Not defending Intel's notorious management engine by any means, but let's point the finger at the guilty party in this case.

Well, gee, wouldn't it be kinda nice if the guilty party would ship the Intel Management Engine in the "disabled" mode . . . ?

I'm guessing that it can be disabled later . . . but the folks who know how to do that sure ain't telling . . .

Re:

[Tough Love]

Are you claiming that Intel didn't provide Apple with documentation on how to configure the ME? But this researcher somehow knew about that configuration option? Pretty hard to exonerate Apple on this one, but I fully expect the usual social media astroturfers to try.

Re:

[PolygamousRanchKid]

Are you claiming that Intel didn't provide Apple with documentation on how to configure the ME?

No, I am claiming that Apple probably knows how to disable it . . . but won't.

Re:

[Tough Love]

Are you claiming that Intel didn't provide Apple with documentation on how to configure the ME?

No, I am claiming that Apple probably knows how to disable it . . . but won't.

Looks more like an oversight to me, or lack of quality control.

Re:

[PolygamousRanchKid]

Looks more like an oversight to me, or lack of quality control.

In this case, they mistakenly left it in "Manufacturing Mode" . . . instead of the normal production "Enabled" mode.

However, it is also possible to completely disable the Intel Management Engine . . . in other words, "Disabled" mode. This is the mode that government agencies run in. They don't want to leave their own backdoor open.

This is the mode I would like to be able to set myself . . . or let the manufacturer do it for me . . . but they won't . . . take a guess why not . . . ?

Re:

[tlhIngan]

However, it is also possible to completely disable the Intel Management Engine . . . in other words, "Disabled" mode. This is the mode that government agencies run in. They don't want to leave their own backdoor open.

This is the mode I would like to be able to set myself . . . or let the manufacturer do it for me . . . but they won't . . . take a guess why not . . . ?

Because users care about stuff like low power mode and suspend/sleep ability.

Intel ME is used to actually boot the processor and perform power

Re:

[Tough Love]

Ah, I see what you're saying. Let me correct a misunderstanding: management engine configuration is designed to be impossible by anyone downstream of the OEM, which can be enforced by a variety of means including burning out fusible links. Whether Intel does actually manage to enforce that perfectly is a question for security researchers.

Re:

[Tough Love]

You sure are fast to hating on Apple.

So, according to you, suggesting that Apple made a mistake is hating on Apple? Maybe you also think that convicting a criminal is hating on the criminal?

Re:

[Plumpaquatsch]

Apple is the OEM, so it was Apple that wrongly configured these chips.

You do know what that means: You can now no longer claim "Apple doesn't build their own computers".

Re:

[AHuxley]

But the games crave the per clock speed only Intel can support.

Re:

[viperidaenz]

If you value quality control, don't buy Apple.

They left the chips in manufacturing mode, which means the one-time programmable fuses haven't been programmed. It's real OTP, as they get physically burned open.

While you can get the CPU back to manufacturing mode, you can't re-burn the fuses.
This isn't a security flaw in the processor if the OEM follows process. It's how security keys for signed boot and such are loaded, along with various other parameters.

Leaving it open like Apple did allows code to re-write

Fairly common

[FeelGood314]

The engineering team likes those extra options because it helps us debug things. Manufacturing likely doesn't understand it so they leave it enabled because it makes the diagnostics easier. The people who do understand it have told manufacturing at least once a month that they will have to disable it when "real production" for external customers begins but every new product launch it gets forgotten.

Re:

[viperidaenz]

That would only be news if he's ever been onstange with his fly zipped up.