Researchers have found a way to disable a much hated component of Intel CPUs — the Intel Management Engine, thanks in part to the NSA's High Assurance Platform (HPA) program.

Reviews , News , CPU , GPU , Articles , Columns , Other "or" search relation. 5G , Accessory , AMD , Android , Apple , ARM , Audio , Bay Trail , Business , Cannon Lake , Charts , Chinese Tech , Chromebook , Coffee Lake , Comet Lake , Console , Convertible / 2-in-1 , Cryptocurrency , Cyberlaw , Deal , Desktop , Fail , Foldable , Gadget , Galaxy Note , Galaxy S , Gamecheck , Gaming , Geforce , Google Nexus / Pixel , How To , Ice Lake , Internet of Things (IoT) , iOS , iPad Pro , iPhone , Kaby Lake , Lakefield , Laptop , Launch , Linux / Unix , MacBook , Mini PC , Monitor , MSI , OnePlus , Opinion , Phablet , Project Athena , Renoir , Review Snippet , Rocket Lake , Rumor , Ryzen (Zen) , Security , Smart Home , Smartphone , Smartwatch , Software , Storage , Tablet , ThinkPad , Thunderbolt , Tiger Lake , Touchscreen , Ultrabook , Virtual Reality (VR) / Augmented Reality (AR) , Wearable , Whiskey Lake , Windows , Workstation , XPS , Zen 3 (Vermeer) Ticker

Researchers from security firm, Positive Technologies have just stumbled upon something truly phenomenal. They have found a method to disable the much hated Intel Management Engine (ME) in a way that still allows the computer to boot up. This discovery could potentially secure many businesses and state institutions from being compromised by highly sophisticated malware.

What is the Intel ME anyways?

The Intel ME is an embedded processor that is part of every Intel Platform Controller Hub (PCH) and runs its own full fledged OS. Think of it as an extra computer within your computer that runs its own firmware. You cannot choose not to have the ME — it comes part of every Intel x86 CPU and chipset and runs independent of the main CPU and the OS. It can also run in the suspend (S3) power state. Therefore, the activities of the ME cannot be audited. The ME implements something called Intel Active Management Technology (AMT) that is capable of accessing any memory address unbeknownst to the main CPU. Since it runs a complete OS in itself, it can run its own TCP/IP server completely bypassing any installed firewall. The ME was originally intended as a way to allow sysadmins to remotely administer and maintain computers.

What makes it a security concern?

The ME firmware is encrypted with an RSA 2048 algorithm. Despite that, experts have found ways of exploiting the ME firmware and take partial control of the ME and thereby, the computer. As mentioned earlier, the activities of the ME are not audited as it is invisible to the OS. Therefore, any attacker employing a rootkit exploit on the ME firmware can potentially take control of the remote computer and wreak havoc without being detected. As such, the ME has garnered a reputation for being a backdoor and a potentially powerful rootkit mechanism, earning a Ring -3 vulnerability for itself. Researchers have been trying to disable the ME but due to Intel's secrecy of the code and storing it in a non-standard compressed format that needs a hardware decompressor, most of the efforts have been unsuccessful. Any attempt to tamper with the ME firmware has resulted in PCs either refusing to boot up or shutting down immediately after boot as the ME code directly affects the initiation of the main CPU. Currently available methods only serve to slim down the ME firmware but do not completely disable it. As documented by Microsoft, there is an espionage group that exploits the TCP/IP server of the AMT to remotely execute malicious code. A recent vulnerability, CVE-2017-5689, has also been disclosed necessitating the need to address the ME loophole at the earliest.

How could they disable it?

Security research firm, Positive Technologies has finally been able to fully disable the ME. They discovered a hidden bit in the firmware code, which when set to '1' disables the ME after booting up the main CPU. The bit is called 'reserve_hap' and is described in the code as 'High Assurance Platform (HAP) enable'. The HAP is a program by the NSA that lays out a series of rules that vendors should invariably stick to, in order to be approved for secure computing applications. The researchers believe that NSA's rules could have compelled Intel to include the switch as a way to ensure security compliance in institutions dealing with highly sensitive data.

What is Intel's take on this development?

Intel has been denying (obviously!) allegations that the ME could be a highly latent backdoor. The company has responded to Positive Technologies' breakthrough by saying, "In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s “High Assurance Platform” program. These modifications underwent a limited validation cycle and are not an officially supported configuration." What is Positive Technologies' take?