
Intel ME can be disabled due to US Govt requirements

WMGroomAK

Researchers with Positive Technologies have found a hidden bit of firmware code inside Intel's Management Engine (ME) that, when flipped, will disable the ME after it has booted up the main processor. This little bit of information comes in a timely fashion, as there have been several severe security holes discovered in the ME that can cause an attacker to take over the system.

 

https://www.bleepingcomputer.com/news/hardware/researchers-find-a-way-to-disable-much-hated-intel-me-component-courtesy-of-the-nsa/

Quote

What Positive Technologies experts discovered is nothing short of miraculous, as firmware experts have been searching for a way to disable ME for years.

 

According to a highly technical blog post, Positive Technologies experts revealed they discovered a hidden bit inside the firmware code which, when flipped (set to "1"), will disable ME after ME has done its job and booted up the main processor.

 

The bit is labelled "reserve_hap" and a nearby comment describes it as "High Assurance Platform (HAP) enable."

 

High Assurance Platform (HAP) is an NSA program that describes a series of rules for running secure computing platforms.

 

Researchers believe Intel has added the ME disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments. ME or any vulnerabilities in its firmware could lead to leaks of highly dangerous information, hence the reason why the NSA did not want to take the risk.

Of course, there is a warning associated with this: the exploit hasn't been thoroughly tested and may damage or destroy your computer. However, if it is properly implemented, it provides a promising way to potentially get around the Intel ME. It is also interesting that, if the response that Positive Technologies received from Intel is true, they implemented this at the request of OEMs who provide products to the US Government.

Quote

In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s “High Assurance Platform” program.  These modifications underwent a limited validation cycle and are not an officially supported configuration.

 


Considering that when you set up certain OEM hardware for the first time, you can choose to disable Intel ME, why is this surprising?

 

Or is this a "you can disable it even though the hardware has been set up and you have it turned on" kind of deal?


no clue what ME is, what it does nor why you should disable it. someone explain it


2 hours ago, Trik'Stari said:

Considering that when you set up certain OEM hardware for the first time, you can choose to disable Intel ME, why is this surprising?

 

Or is this a "you can disable it even though the hardware has been set up and you have it turned on" kind of deal?

It's not fully disabled, but some of the features are removed depending on the PCH used. 

 

2 hours ago, Bananasplit_00 said:

no clue what ME is, what it does nor why you should disable it. someone explain it

It's an ARC/ARC64/SPARC based processor INSIDE your chipset. 

 

It runs Java. 

And Java applets.

And hooks into the network card, and keyboard and mouse. 

And it has the ability to give remote attackers access to these

As well as files on your computer

Regardless of operating system or current sleep state or anything

 

This shit is SCARY, especially because it has security flaws and it is activated in a LOT of consumer products and chipsets, including B and H series chipsets on the desktop and HM chipsets on mobile. 


2 hours ago, Trik'Stari said:

Considering that when you set up certain OEM hardware for the first time, you can choose to disable Intel ME, why is this surprising?

 

Or is this a "you can disable it even though the hardware has been set up and you have it turned on" kind of deal?

 

2 hours ago, Bananasplit_00 said:

no clue what ME is, what it does nor why you should disable it. someone explain it

The intel ME is basically a little ARM-based controller that's separate from the CPU and has access to EVERYTHING.

It can access your ram and your L-cache so it can basically see every single piece of data that goes through your pc.

 

AMD has an equivalent of this (AMD PSP) and both companies never clearly explained why it's there... That with the combination it has the potential of being remotely accessed and almost impossible to detect because it works at a really low level, people started to wonder why it's there.

 

That's why the researchers started doing research to understand the intel ME. The fact there are signs it could have connections with the NSA and undocumented functions doesn't mean much good. Also the fact AMD basically created the same thing (AMD PSP) and barely talks about it is imo a clear sign both intel ME and amd PSP are things that don't do much good.

 

Because little documentation is available for these things it's possible i'm completely wrong tho O_o


4 minutes ago, samcool55 said:

 

The intel ME is basically a little ARM-based controller that's separate from the CPU and has access to EVERYTHING.

It can access your ram and your L-cache so it can basically see every single piece of data that goes through your pc.

 

The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional[32] part in all current (as of 2015) Intel chipsets.[33] According to an independent analysis by Igor Skochinsky, it is based on an ARC core, and the Management Engine runs the ThreadX RTOS from Express Logic. According to this analysis, versions 1.x to 5.x of the ME used the ARCTangent-A4 (32-bit only instructions) whereas versions 6.x to 8.x use the newer ARCompact (mixed 32- and 16-bit instruction set architecture). Starting with ME 7.1, the ARC processor can also execute signed Java applets. The ME state is stored in a partition of the SPI flash, using the Embedded Flash File System (EFFS).[34]

The ME has its own MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, for what support exists in various Ethernet controllers, exported and made configurable via Management Component Transport Protocol (MCTP).[35][36] The ME also communicates with the host via PCI interface.[34] Under Linux, communication between the host and the ME is done via /dev/mei.[33]

Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout.[37] With the newer Intel architectures (Intel 5 Series onwards), ME is included into the Platform Controller Hub (PCH).[38][39]

 

https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Non-free_service_access

 

:thinking:


 


6 minutes ago, Droidbot said:

-snip-
 



 

AMD uses an ARM chip for their PSP so i assumed Intel did the same, seems like they don't then O_o

Also the 3 long links are all broken.


4 minutes ago, samcool55 said:

AMD uses an ARM chip for their PSP so i assumed Intel did the same, seems like they don't then O_o

Also the 3 long links are all broken.

for some reason it's made it all into a link to the trump 'wrong' gif I tried to embed 

 

yay


10 hours ago, samcool55 said:

 

The intel ME is basically a little ARM-based controller that's separate from the CPU and has access to EVERYTHING.

It can access your ram and your L-cache so it can basically see every single piece of data that goes through your pc.

 

AMD has an equivalent of this (AMD PSP) and both companies never clearly explained why it's there... That with the combination it has the potential of being remotely accessed and almost impossible to detect because it works at a really low level, people started to wonder why it's there.

 

That's why the researchers started doing research to understand the intel ME. The fact there are signs it could have connections with the NSA and undocumented functions doesn't mean much good. Also the fact AMD basically created the same thing (AMD PSP) and barely talks about it is imo a clear sign both intel ME and amd PSP are things that don't do much good.

 

Because little documentation is available for these things it's possible i'm completely wrong tho O_o

All I know about Intel ME is that one of our customers has us set up their laptops with it turned off, whenever we have to replace a "system board", a term we use rather than motherboard for some dumbass reason. We do this at the same time we program in the serial number of said device.

 

Also, why is it a security concern if it can be disabled, since it has a LOT of access based on what I am reading. Turning it off would prevent that access. Them being able to turn it back on would concern me.


18 minutes ago, Trik'Stari said:

All I know about Intel ME is that one of our customers has us set up their laptops with it turned off, whenever we have to replace a "system board", a term we use rather than motherboard for some dumbass reason. We do this at the same time we program in the serial number of said device.

 

Also, why is it a security concern if it can be disabled, since it has a LOT of access based on what I am reading. Turning it off would prevent that access. Them being able to turn it back on would concern me.

You can't fully disable it. It always stays on partially.

If you would disable it completely the system would reboot after 30 minutes. However there are people already working on trimming down the ME firmware as much as possible so only the things that cause the reboot are there.
