Researchers Find a Way To Disable Intel ME Component Courtesy of the NSA

An anonymous reader writes:Researchers from Positive Technologies -- a provider of enterprise security solutions -- have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs that many have called a secret backdoor, even if Intel advertised it as a "remote PC management" solution. People have been trying for years to find a way to disable the Intel ME component, but have failed all this time. This is because disabling Intel ME crashes computers, as Intel ME is responsible for the initialization, power management, and launch of the main Intel processor.

Positive Technologies experts revealed they discovered a hidden bit inside the firmware code, which when flipped (set to "1") will disable ME after ME has done its job and booted up the main processor. The bit is labelled "reserve_hap" and a nearby comment describes it as "High Assurance Platform (HAP) enable." High Assurance Platform (HAP) is an NSA program that describes a series of rules for running secure computing platforms. Researchers believe Intel has added the ME-disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments.
The original submission linked to a comment with more resources on the "Intel CPU backdoor" controversy.

Re:How to?

[complete+loony]

Wait for this patch to me_cleaner to be better tested?

Re:How to?

The article says to use Flash Image Tool (FIT).

So how can we set the HAP bit? We can use the FIT configuration files and determine the location of the bit in the image, but there is a simpler way. In the ME Kernel section of FIT, you can find a Reserved parameter. This is the particular bit that enables HAP mode.

Re:Thank you NSA

You access it from another PC by trying to connect to port 16992,16993,16994,16995,623 and 664 on the target machine. Accessing from the PC itself will not prove anything, as generally the access will go via the loopback interface on the same PC, bypassing the network IC that is working together with Intel ME to intercept communication on those ports.

Depending on the response you get, you can determine:

1) Behaviour same as other unused ports: Intel ME probably not available or completely disabled on this processor.
2) Connection rejected or timed out, but behaviour is subtly different than other ports: Intel ME is present, but not provisioned (vulnerabilities in this state are unknown, but cannot be excluded).
3) Connection accepted, and some authentication challenge or active error message given: Intel ME is present and provisioned (mostly this is only if your network admins have licensed some software to make use of it).

Re:is the author legitimately stupid?

The BIOS settings just disable the software that runs on top of Intel ME. Intel ME is still present and intercepting certain network ports, as can be verified by comparing the behaviour of those ports to other unused ports on the same PC. The network stack handling them is different, so the rejection behaviour is different - if you don't see a difference right away, try configuring iptables or other firewall software to change the rejection method for those ports (a change from REJECT to DROP should make connections timeout instead of failing immediately for example).

Re:FUD.

[cavreader]

"As in environments that least have no internet access, or at best are air-gapped."
The Iranians found out the hard way that even a no internet access,air gapped, highly sensitive environment still wasn't enough to protect them from Stuxnet. Stuxnet was technically impressive but getting the virus smuggled into one of Iran's most secure facilities was even more impressive.

*ALL VERSIONS* *IF ENABLED*

In order to ensure your security the following steps are required:
- The AMT remote maintenance support has to be disabled (you would have had to manually configure and enable this, unless it was a corporate deployment.)
- The ME interface would have to be exposed to the operating system. Not all systems enable this. The ones that do will show a device in either the device manager or via lspci on linux.
- Final:you will have had to make a copy of your bios image, read off using either an FPC or SPI flash reader, or a Raspberry Pi configured to emulate one. Then you have to run me_cleaner on the image to strip out the unnecessary bits from the firmware. For [GQ][34]x chipsets they can strip basically everything. Nehalem/X58 is a bit less clear, although it isn't as bad as Sandy Bridge+.

However, one concern that has been overlooked in the later chipsets is the GPU as an alternative vector of attack instead of the ME. It has a similar level of memory access as the ME, newer models have similarly signed firmware and while they officially have bounded memory access it is not improbable that some undocumented feature provides a method for them to breach that.

Also as a remind for anyone using a GPGPU for cryptographic functions/temporary storage of your keys: Always make sure your cude/OpenCL program manually zeros all sensitive memory ranges before returning the thread. Otherwise there is a danger of other GPU programs finding a way to scan/access/copy/exfiltrate that information to third parties.

Or just y'know, run Windows 10. All these dangers become irrelevant since the OS can do it all for them without any of these pesky engineered backdoors.