Slashdot Mirror
Researchers Find a Way To Disable Intel ME Component Courtesy of the NSA (bleepingcomputer.com)
An anonymous reader writes:Researchers from Positive Technologies -- a provider of enterprise security solutions -- have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs that many have called a secret backdoor, even if Intel advertised it as a "remote PC management" solution. People have been trying for years to find a way to disable the Intel ME component, but have failed all this time. This is because disabling Intel ME crashes computers, as Intel ME is responsible for the initialization, power management, and launch of the main Intel processor.
Positive Technologies experts revealed they discovered a hidden bit inside the firmware code, which when flipped (set to "1") will disable ME after ME has done its job and booted up the main processor. The bit is labelled "reserve_hap" and a nearby comment describes it as "High Assurance Platform (HAP) enable." High Assurance Platform (HAP) is an NSA program that describes a series of rules for running secure computing platforms. Researchers believe Intel has added the ME-disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments.
The original submission linked to a comment with more resources on the "Intel CPU backdoor" controversy.
Positive Technologies experts revealed they discovered a hidden bit inside the firmware code, which when flipped (set to "1") will disable ME after ME has done its job and booted up the main processor. The bit is labelled "reserve_hap" and a nearby comment describes it as "High Assurance Platform (HAP) enable." High Assurance Platform (HAP) is an NSA program that describes a series of rules for running secure computing platforms. Researchers believe Intel has added the ME-disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments.
The original submission linked to a comment with more resources on the "Intel CPU backdoor" controversy.
I think we should call it the anti-evil bit https://www.ietf.org/rfc/rfc3514.txt !
I don't want to sound paranoid, but...
Given the history of this organisation, there is a possibility that the 'disable Intel ME, block the nefarious attackers' bit is a decoy.
(Disclaimer: I use a 2008 thinkpad with the SOIC-16 personally reprogrammed using a beaglebone. So maybe I'm paranoid.)
Well, if it's any consolation to you, you're never going to gain any sort of power, and nobody really wants to look at whatever is on your screen, beyond stealing your credit card number.
What people like you seem to fail to understand is that if I can collect and store data on EVERYBODY then in the future if I happen to be pissed off at YOU for whatever reason, I can go back through all that data I've collected and find something you said or did which I can use against you. Because EVERYONE commits some crime or other. EVERYONE. Government should never have such power.
"Give me 6 lines written by the most honest of men and in them I will find something which will hang him" -- Cardinal Richelieu
Seven puppies were harmed during the making of this post.
The bleepingcomputer's article is informative, the researcher's blog post is full of technical details... but how do I actually disable Intel ME? Where is the how-to for that?
>"What people like you seem to fail to understand is that if I can collect and store data on EVERYBODY then in the future if I happen to be pissed off at YOU for whatever reason, I can go back through all that data I've collected and find something you said or did which I can use against you. Because EVERYONE commits some crime or other. EVERYONE. Government should never have such power."
+1,000,000 insightful
Not just government, NOBODY should have that power. Not governments, not businesses, not individuals. NOBODY. There are so many laws and regulations on the books, it is nearly impossible for any normal person to be 100% legal all the time. And each year it just gets worse. And that is just law- it doesn't have to be something illegal, it can just be something embarrassing to then be used as a weapon to harm or corrupt.
And even if there is some saintly person out there who thinks they never did anything wrong or embarrasing, I have news for you:
1) Anything you do can be taken out of context.
2) With power over your computer, anything can be PLANTED to make it seem like you did or said or contemplated something you never did.
3) Nobody is that saintly anyway.
...or does it seem slightly meta that, in a sense, Intel's backdoor has it's own backdoor.
-It is by will alone I set my mind in motion.
You access it from another PC by trying to connect to port 16992,16993,16994,16995,623 and 664 on the target machine. Accessing from the PC itself will not prove anything, as generally the access will go via the loopback interface on the same PC, bypassing the network IC that is working together with Intel ME to intercept communication on those ports.
Depending on the response you get, you can determine:
1) Behaviour same as other unused ports: Intel ME probably not available or completely disabled on this processor.
2) Connection rejected or timed out, but behaviour is subtly different than other ports: Intel ME is present, but not provisioned (vulnerabilities in this state are unknown, but cannot be excluded).
3) Connection accepted, and some authentication challenge or active error message given: Intel ME is present and provisioned (mostly this is only if your network admins have licensed some software to make use of it).
The BIOS settings just disable the software that runs on top of Intel ME. Intel ME is still present and intercepting certain network ports, as can be verified by comparing the behaviour of those ports to other unused ports on the same PC. The network stack handling them is different, so the rejection behaviour is different - if you don't see a difference right away, try configuring iptables or other firewall software to change the rejection method for those ports (a change from REJECT to DROP should make connections timeout instead of failing immediately for example).
"As in environments that least have no internet access, or at best are air-gapped."
The Iranians found out the hard way that even a no internet access,air gapped, highly sensitive environment still wasn't enough to protect them from Stuxnet. Stuxnet was technically impressive but getting the virus smuggled into one of Iran's most secure facilities was even more impressive.
Anything you did not say too. In fact these days any activity can be taken as a reason to smash your doors, put you in handcuffs and charge you with some silly crime. It seems the whole world is going this way. Even in what used to be peaceful Germany you can get that done to you now if your political opponents or some worried citizens dislike your prepping activities - 'he is evil terrorist because he has a weeks worth supply of food in his cellar' etc Seems to me that free world is as mad as the less free versions.