Researchers Find a Way To Disable Intel ME Component Courtesy of the NSA (bleepingcomputer.com)

An anonymous reader writes: Researchers from Positive Technologies -- a provider of enterprise security solutions -- have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs that many have called a secret backdoor, even if Intel advertised it as a "remote PC management" solution. People have been trying for years to find a way to disable the Intel ME component, but have failed all this time. This is because disabling Intel ME crashes computers, as Intel ME is responsible for the initialization, power management, and launch of the main Intel processor.

Positive Technologies experts revealed they discovered a hidden bit inside the firmware code, which when flipped (set to "1") will disable ME after ME has done its job and booted up the main processor. The bit is labelled "reserve_hap" and a nearby comment describes it as "High Assurance Platform (HAP) enable." High Assurance Platform (HAP) is an NSA program that describes a series of rules for running secure computing platforms. Researchers believe Intel has added the ME-disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments.

The original submission linked to a comment with more resources on the "Intel CPU backdoor" controversy.

  1. Permanent Netbus.exe. by Anonymous Coward · · Score: 2, Interesting

    In the early 2000s, my CD tray went out, and somebody started typing on my screen to me. It was such a violation that somebody had put a trojan on my machine and snooped around for who knows how long silently before revealing themselves. And since the trojan has no username/password, he not only opened my computer up to his sick self to sit there and watch my private computing environment and download files and watch screenshots of my desktop and all kinds of things -- he also let the entire world connect as they pleased as long as they found my IP address (ICQ advertised this to every contact back then, for example).

    And now, with as much security knowledge as I've been able to collect for all these years since, my HARDWARE enables some assholes to remotely spy and watch me in real time... it makes me physically sick to think about it. I wouldn't be surprised if it turns out that anything I've ever seen on my computers is all available in some enormous data collection cave in lossless fullscreen video. All ready to blackmail me the minute I gain any sort of power...

    Some "friends" I had, who would do such a thing. People don't respect you or your privacy one single little bit.

    1. Re:Permanent Netbus.exe. by Dunbal · · Score: 5, Insightful

      Well, if it's any consolation to you, you're never going to gain any sort of power, and nobody really wants to look at whatever is on your screen, beyond stealing your credit card number.

      What people like you seem to fail to understand is that if I can collect and store data on EVERYBODY then in the future if I happen to be pissed off at YOU for whatever reason, I can go back through all that data I've collected and find something you said or did which I can use against you. Because EVERYONE commits some crime or other. EVERYONE. Government should never have such power.

      "Give me 6 lines written by the most honest of men and in them I will find something which will hang him" -- Cardinal Richelieu

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Permanent Netbus.exe. by markdavis · · Score: 5, Insightful

      >"What people like you seem to fail to understand is that if I can collect and store data on EVERYBODY then in the future if I happen to be pissed off at YOU for whatever reason, I can go back through all that data I've collected and find something you said or did which I can use against you. Because EVERYONE commits some crime or other. EVERYONE. Government should never have such power."

      +1,000,000 insightful

      Not just government, NOBODY should have that power. Not governments, not businesses, not individuals. NOBODY. There are so many laws and regulations on the books, it is nearly impossible for any normal person to be 100% legal all the time. And each year it just gets worse. And that is just law- it doesn't have to be something illegal, it can just be something embarrassing to then be used as a weapon to harm or corrupt.

      And even if there is some saintly person out there who thinks they never did anything wrong or embarrassing, I have news for you:

      1) Anything you do can be taken out of context.
      2) With power over your computer, anything can be PLANTED to make it seem like you did or said or contemplated something you never did.
      3) Nobody is that saintly anyway.

    3. Re:Permanent Netbus.exe. by umghhh · · Score: 3, Insightful

      Anything you did not say too. In fact, these days any activity can be taken as a reason to smash your doors, put you in handcuffs and charge you with some silly crime. It seems the whole world is going this way. Even in what used to be peaceful Germany you can get that done to you now if your political opponents or some worried citizens dislike your prepping activities - 'he is an evil terrorist because he has a week's worth of food in his cellar' etc. Seems to me that the free world is as mad as the less free versions.

    4. Re:Permanent Netbus.exe. by LordWabbit2 · · Score: 2

      2) With power over your computer, anything can be PLANTED to make it seem like you did or said or contemplated something you never did.

      Exactly, and if you are found to have a single image which can be construed as child porn you are fucked.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    5. Re:Permanent Netbus.exe. by Opportunist · · Score: 2

      What's really fucked up about this is the way it's phrased, which essentially can be summed up with "it's up to the judge".

      In other words, if the judge gets a boner, you're fucked.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Permanent Netbus.exe. by KiloByte · · Score: 2

      Since the image choice is not yours, let me assure you, the image(s) that get planted won't be just borderline. Also, the police are assumed to never, ever plant such images even in cases it's widely known they hate your guts.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    7. Re:Permanent Netbus.exe. by Dunbal · · Score: 2

      This is true. Tactical entry, "no knock" warrants, etc used to be reserved for known dangerous criminals. We're almost at the point now where they're busting down your door for parking tickets. Cos admit it - busting down doors is fun. The cops paid for this tactical team and equipment, and by god they are going to use it.... it's human nature. And this trend is not just in the US. I'm an expat living in Costa Rica and I was amazed the other day when on the news I saw a tactical team busting down the doors and windows of a house to get a guy wanted for.... not paying his municipal taxes. OH MY GOD what a hardened criminal! Surely he was waiting for them with "my little friend"!

      --
      Seven puppies were harmed during the making of this post.
    8. Re:Permanent Netbus.exe. by infolation · · Score: 2

      The famous Ayn Rand - Atlas Shrugged quote.

      "You fellows were pikers, but we know the real trick, and you'd better get wise to it. There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced nor objectively interpreted - and you create a nation of law-breakers - and then you cash in on guilt. Now that's the system, Mr. Rearden, that's the game, and once you understand it, you'll be much easier to deal with."

      It seems to embody the principle of your post, but is always quoted out of context. The book talks about a different era - an industrial era - but, despite its moral defense of capitalism and the necessity of an independent mind, Atlas Shrugged's discussion of 'secret law' is directly relevant to the concept of a device that can exfiltrate an individual's life secrets to a state power.

  2. Evil Bit by Anonymous Coward · · Score: 3, Funny

    I think we should call it the anti-evil bit https://www.ietf.org/rfc/rfc3514.txt !

  3. Re:Thank you NSA by infolation · · Score: 3, Interesting

    I don't want to sound paranoid, but...

    Given the history of this organisation, there is a possibility that the 'disable Intel ME, block the nefarious attackers' bit is a decoy.

    (Disclaimer: I use a 2008 thinkpad with the SOIC-16 personally reprogrammed using a beaglebone. So maybe I'm paranoid.)

  4. Re:"a much-hated component of Intel CPUs" by Ungrounded+Lightning · · Score: 2

    Because there is an alternative... not. AMD has the same shit.

    Actually it has equivalent but DIFFERENT $#!7.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  5. How to? by manu0601 · · Score: 3, Insightful

    The bleepingcomputer's article is informative, the researcher's blog post is full of technical details... but how do I actually disable Intel ME? Where is the how-to for that?

    1. Re:How to? by complete+loony · · Score: 5, Informative

      Wait for this patch to me_cleaner to be better tested?

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    2. Re:How to? by Anonymous Coward · · Score: 2, Informative

      The article says to use Flash Image Tool (FIT).

      So how can we set the HAP bit? We can use the FIT configuration files and determine the location of the bit in the image, but there is a simpler way. In the ME Kernel section of FIT, you can find a Reserved parameter. This is the particular bit that enables HAP mode.

  6. is it just me... by Doctor+Device · · Score: 4, Interesting

    ...or does it seem slightly meta that, in a sense, Intel's backdoor has its own backdoor.

    --
    -It is by will alone I set my mind in motion.
  7. Baffling by Anonymous Coward · · Score: 2, Funny

    What baffles me most is that the regular consumer is not offered this option for the devices they purchased.

    1. Re:Baffling by Opportunist · · Score: 2

      Have you been on vacation the past 20 or so years?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re:Thank you NSA by Anonymous Coward · · Score: 3, Informative

    You access it from another PC by trying to connect to ports 16992, 16993, 16994, 16995, 623 and 664 on the target machine. Accessing from the PC itself will not prove anything, as generally the access will go via the loopback interface on the same PC, bypassing the network IC that is working together with Intel ME to intercept communication on those ports.

    Depending on the response you get, you can determine:

    1) Behaviour same as other unused ports: Intel ME probably not available or completely disabled on this processor.
    2) Connection rejected or timed out, but behaviour is subtly different than other ports: Intel ME is present, but not provisioned (vulnerabilities in this state are unknown, but cannot be excluded).
    3) Connection accepted, and some authentication challenge or active error message given: Intel ME is present and provisioned (mostly this is only if your network admins have licensed some software to make use of it).

  9. Re:is the author legitimately stupid? by Anonymous Coward · · Score: 3, Informative

    The BIOS settings just disable the software that runs on top of Intel ME. Intel ME is still present and intercepting certain network ports, as can be verified by comparing the behaviour of those ports to other unused ports on the same PC. The network stack handling them is different, so the rejection behaviour is different - if you don't see a difference right away, try configuring iptables or other firewall software to change the rejection method for those ports (a change from REJECT to DROP should make connections time out instead of failing immediately, for example).
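
An added example, not from either commenter, of the port-behaviour check described in comments 8 and 9: it probes the AMT ports from a second host against a machine you administer, compares them with unused baseline ports, and applies the comment's three-way reading (including the refused-versus-timeout distinction that REJECT versus DROP produces). The AMT port list is the one given in the comment; CONTROL_PORTS and the 192.0.2.10 default host are constructed assumptions.

```python
import socket
from typing import Dict, Tuple

# Ports the comment above names as those Intel ME/AMT answers on.
AMT_PORTS: Tuple[int, ...] = (16992, 16993, 16994, 16995, 623, 664)
# Constructed assumption: nearby ports nothing listens on, used as a baseline.
CONTROL_PORTS: Tuple[int, ...] = (16990, 16991)


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """One TCP connect attempt reduced to a coarse outcome label:
    'refused' is an immediate RST (iptables REJECT), 'timeout' is
    silence (iptables DROP or a filter), 'accepted' means something answered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "accepted"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"
    finally:
        sock.close()


def classify(amt: Dict[int, str], control: Dict[int, str]) -> str:
    """The comment's three-way reading: (1) AMT ports behave exactly like the
    unused control ports -> ME absent or disabled; (2) they fail, but differently
    -> ME present but unprovisioned; (3) any AMT port accepts -> provisioned."""
    if "accepted" in amt.values():
        return "present-provisioned"
    if set(amt.values()) <= set(control.values()):
        return "absent-or-disabled"
    return "present-unprovisioned"


def audit(host: str, timeout: float = 2.0) -> Tuple[str, Dict[int, str]]:
    """Probe a machine you administer from a second host and classify it."""
    amt = {p: probe(host, p, timeout) for p in AMT_PORTS}
    control = {p: probe(host, p, timeout) for p in CONTROL_PORTS}
    return classify(amt, control), amt


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"))
```

A service of your own listening on one of these ports would also read as "accepted", so check what actually answered before concluding AMT is provisioned.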

  10. Re:FUD. by cavreader · · Score: 3, Informative

    "As in environments that least have no internet access, or at best are air-gapped."

    The Iranians found out the hard way that even a no-internet-access, air-gapped, highly sensitive environment still wasn't enough to protect them from Stuxnet. Stuxnet was technically impressive, but getting the virus smuggled into one of Iran's most secure facilities was even more impressive.

  11. *ALL VERSIONS* *IF ENABLED* by Anonymous Coward · · Score: 2, Informative

    In order to ensure your security the following steps are required:
    - The AMT remote maintenance support has to be disabled (you would have had to manually configure and enable this, unless it was a corporate deployment.)
    - The ME interface would have to be exposed to the operating system. Not all systems enable this. The ones that do will show a device in either the device manager or via lspci on linux.
    - Final: you will have had to make a copy of your BIOS image, read off using either an FPC or SPI flash reader, or a Raspberry Pi configured to emulate one. Then you have to run me_cleaner on the image to strip out the unnecessary bits from the firmware. For [GQ][34]x chipsets they can strip basically everything. Nehalem/X58 is a bit less clear, although it isn't as bad as Sandy Bridge+.

    However, one concern that has been overlooked in the later chipsets is the GPU as an alternative vector of attack instead of the ME. It has a similar level of memory access as the ME, newer models have similarly signed firmware and while they officially have bounded memory access it is not improbable that some undocumented feature provides a method for them to breach that.

    Also, as a reminder for anyone using a GPGPU for cryptographic functions/temporary storage of your keys: always make sure your CUDA/OpenCL program manually zeros all sensitive memory ranges before returning the thread. Otherwise there is a danger of other GPU programs finding a way to scan/access/copy/exfiltrate that information to third parties.

    Or just y'know, run Windows 10. All these dangers become irrelevant since the OS can do it all for them without any of these pesky engineered backdoors.

  12. Re:Thank you NSA by unixisc · · Score: 2

    Funny how they'd like Intel to have all that extra real estate on a chip to help them monitor the rest of us, but don't want that same capability turned on them. Sauce for the goose is ketchup for the gander!