Researchers Find a Way To Disable Intel ME Component Courtesy of the NSA

An anonymous reader writes:Researchers from Positive Technologies -- a provider of enterprise security solutions -- have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs that many have called a secret backdoor, even if Intel advertised it as a "remote PC management" solution. People have been trying for years to find a way to disable the Intel ME component, but have failed all this time. This is because disabling Intel ME crashes computers, as Intel ME is responsible for the initialization, power management, and launch of the main Intel processor.

Positive Technologies experts revealed they discovered a hidden bit inside the firmware code, which when flipped (set to "1") will disable ME after ME has done its job and booted up the main processor. The bit is labelled "reserve_hap" and a nearby comment describes it as "High Assurance Platform (HAP) enable." High Assurance Platform (HAP) is an NSA program that describes a series of rules for running secure computing platforms. Researchers believe Intel has added the ME-disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments.
The original submission linked to a comment with more resources on the "Intel CPU backdoor" controversy.

Re:How to?

[complete+loony]

Wait for this patch to me_cleaner to be better tested?

Re:Thank you NSA

You access it from another PC by trying to connect to port 16992,16993,16994,16995,623 and 664 on the target machine. Accessing from the PC itself will not prove anything, as generally the access will go via the loopback interface on the same PC, bypassing the network IC that is working together with Intel ME to intercept communication on those ports.

Depending on the response you get, you can determine:

1) Behaviour same as other unused ports: Intel ME probably not available or completely disabled on this processor.
2) Connection rejected or timed out, but behaviour is subtly different than other ports: Intel ME is present, but not provisioned (vulnerabilities in this state are unknown, but cannot be excluded).
3) Connection accepted, and some authentication challenge or active error message given: Intel ME is present and provisioned (mostly this is only if your network admins have licensed some software to make use of it).

Re:is the author legitimately stupid?

The BIOS settings just disable the software that runs on top of Intel ME. Intel ME is still present and intercepting certain network ports, as can be verified by comparing the behaviour of those ports to other unused ports on the same PC. The network stack handling them is different, so the rejection behaviour is different - if you don't see a difference right away, try configuring iptables or other firewall software to change the rejection method for those ports (a change from REJECT to DROP should make connections timeout instead of failing immediately for example).

Re:FUD.

[cavreader]

"As in environments that least have no internet access, or at best are air-gapped."
The Iranians found out the hard way that even a no internet access,air gapped, highly sensitive environment still wasn't enough to protect them from Stuxnet. Stuxnet was technically impressive but getting the virus smuggled into one of Iran's most secure facilities was even more impressive.