EFF Warns Most Of Intel's Chipsets Contain 'A Security Hazard'

The EFF is issuing a warning about the "tiny homunculus computer" in most of Intel's chipsets -- the largely-undocumented "Management Engine" which houses more than just the AMT module. An anonymous reader quotes their report: While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one....vulnerabilities in any of the other modules could be as bad, if not worse, for security. Some of the other modules include hardware-based authentication code and a system for location tracking and remote wiping of laptops for anti-theft purposes... It should be up to hardware owners to decide if this code will be installed in their computers or not. Perhaps most alarmingly, there is also reportedly a DRM module that is actively working against the user's interests, and should never be installed in a Management Engine by default...

While Intel may put a lot of effort into hunting for security bugs, vulnerabilities will inevitably exist, and having them lurking in a highly privileged, low-level component with no OS visibility or reliable logging is a nightmare for defensive cybersecurity. The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility... EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our computers, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.
TLDR: "We have reason to fear that the undocumented master controller inside our Intel chips could continue to be a source of serious vulnerabilities in personal computers, servers, and critical cybersecurity and physical infrastructure."

Are AMD chips scrutinized as well?

[shoor]

I've read about security issues with Intel chips. Makes me think I should go with AMD. But then I wonder, since AMD has a smaller market share, maybe they just aren't scrutinized as much.

Does anybody really know how 'safe' AMD chips are'? This is not a rhetorical question, and I'm not advocating or editorializing, just wondering.

Feature that screams NSA tampering..

[dweller_below]

".. presently no way to disable or limit the Management Engine in general.

Now this is the feature that screams of interference by a spy agency. If this feature was for Management, then YOU COULD MANAGE IT!

It would be turned off by default. You could turn it off. You could permanently disable it. I have been asking for these capabilities for years. I know I am not the only one. When I talk to other security folks and IT admins, the majority of them want to be able to manage and control the possibility of remote management.

Re:How many hospitals have been pwned?

If this vulnerability shut down all the hospitals in the UK, you'd see some action maybe. Without a crisis, you just have some snooty security gurus gnashing their teeth, which they do all the time, right?

This is a big problem -- getting chip / system / OS designers to spend time and money to debug systems beyond what end users ignorantly are willing to pay for.

The current UK NHS issue has nothing to do with CPU, but instead with unpatched XP based systems and SMB shares.

And the NHS Trusts where provided funds a couple years ago to update/replace things... where did that money go? obviously not on IT as envisioned.

Only Some Intel Chips Included ME and AMT

Namely the vPro and selected Xeon chips that were marketed to business users at extra cost. You had to pay extra to get these features on the chip, so most chips sold to individual consumers didn't come with them.