Slashdot Mirror


Google Working To Remove MINIX-Based ME From Intel Platforms (tomshardware.com)

An anonymous reader quotes a report from Tom's Hardware: Intel's Management Engine (ME) technology is built into almost all modern Intel CPUs. At the Embedded Linux Conference, a Google engineer named Ronald Minnich revealed that the ME is actually running its own entire MINIX OS and that Google is working on removing it. Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world. Intel's ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor. There isn't much public knowledge of the workings of the ME, especially in its current state. It's not even clear where the hardware is physically located anymore.

What's concerning Google is the complexity of the ME. Public interest in the subject piqued earlier this year when a vulnerability was discovered in Intel's Active Management Technology (AMT), but that's just software that runs on the ME; the ME is actually an entire OS. Minnich's presentation touched on his team's discovery that the OS in question is a closed version of the open-source MINIX OS. The real focus, though, is what's in it and the consequences. According to Minnich, that list includes web server capabilities, a file system, drivers for disk and USB access, and, possibly, some hardware DRM-related capabilities. It's not known if all this code is explicitly included for current or future ME capabilities, or if it's because Intel simply saw more potential value in keeping rather than removing it.

11 of 181 comments

  1. Cue the skeptics by Anonymous Coward · Score: 5, Insightful

    It seems like just a day ago, there was a Slashdot posting about this, and several highly-rated comments amounting to "naw man, there's no way this could be a problem!"

    So with all the verifiable, proven news of backdoors being built-in to software and hardware over the past decade, and all the news of vulnerabilities in software and hardware that compromise systems, people say "nah, not a problem, see, you can turn it off" about this "computer in my computer." Really? It's off?

    I'm not seeing reports saying "The Intel ME is off by default in consumer devices, and this is verified by researchers." In fact, I'm seeing the opposite, which says that the Intel ME is always on. Do we have any proof that the "off switch" in BIOS actually makes this feature unexploitable? Because, really, that's what I want: I want this feature to be unexploitable, and the only way I can be sure of that is for it to be disabled, for real, because I don't need this feature.

    So yeah, please forgive us all if we are just a BIT skeptical about Intel ME. Forgive us if we're skeptical of spokespersons at Intel saying "There's no problem with this feature."

    1. Re:Cue the skeptics by thegarbz · Score: 1, Insightful

      ME is always on, but it has many functions that do not involve any kind of remote access. By contrast the remote functions are disabled.

      Now really? Are they? Well until someone can prove to me that there's some way of getting a TCP packet to fly through the internet and into an ethernet port without a second IP address, without additional MAC address, and which doesn't appear to respond to any normally routable packet on any port, I really don't care how off or on it is.

      As the old adage goes: If someone has physical access it's game over. The ability to get remote access however can be verified.

      Could I have a back door larger than some of the nastiest videos available on Pornhub? Possibly. I don't give a shit about it though if no one is able to get past my fence, through the maze and is unable to actually find the door.

  2. Lots of Problems With That Statement by Bruce Perens · Score: 4, Insightful

    First, not all Intel systems that are capable of it actually have the management engine software. Second, the Intel PC motherboard probably does not hold the "largest number of systems" title, that might belong to Android phones. And anyway isn't the fact that MINIX with its BSD/MIT style licensing was used for the most user-hostile system in recent time an indictment of that license? You would not see GPL software used for this, for obvious reasons, and people who use GPL should be proud of that.

  3. Re:It's in the SouthBridge not CPU dammit by Z80a · Score: 5, Insightful

    The remote management tools are off by default, but you still need the chip on to run the power management software on it, or the CPU turns off in 30 minutes.
    And as it is a black box, it might be doing several other tasks while doing the power management.

  4. Re:Old news by boudie2 · Score: 1, Insightful

    If Tanenbaum had licensed Minix as GPL instead of BSD, Intel couldn't have done this.

  5. Re:Obvious question by GerryGilmore · Score: 4, Insightful

    Thank you! TFS states that "Intel's Management Engine (ME) technology is built into almost all modern Intel CPUs" which is 100% pure, organic, dolphin-free BullShit!! The ME is NOT any part of the CPU itself, but built into the chipset surrounding the CPU. During my time there, it was limited to Xeon-level CPUs, but may be in later chipsets - I haven't kept up in a while, though I can still call out BS when I see it. C'mon /. - this is just sloppy!!

  6. Re:It's in the SouthBridge not CPU dammit by Anonymous Coward · Score: 5, Insightful

    2) It's OFF BY DEFAULT.

    We don't believe Intel's claims. After the Edward Snowden revelations, after the way that an exploitable backdoor was hidden in the Dual_EC_DRBG standard, after news that Microsoft works to provide backdoors in its Windows operating system, and after government officials have insisted that backdoors must be provided, we just don't trust Intel. The ME has the potential to be the most perfect backdoor in almost every computer. And if the Intel ME is a backdoor, then most of our computers are vulnerable if anyone (anywhere in the world) learns how to exploit it.

  7. Re:It's in the SouthBridge not CPU dammit by Anonymous Coward · Score: 3, Insightful

    we just don't trust Intel.

    Fair enough, but why would you trust Google?

  8. Re:It's in the SouthBridge not CPU dammit by Anonymous Coward · Score: 3, Insightful

    It is not in the CPU, but that hardly makes a real difference. I'm not sure why people are getting all pedantic about whether it is in the CPU or in some part that is always paired with the CPU to run. The ME seems to be able to make out-of-band requests to the CPU to do potentially anything (including read memory locations). Sure it may not be able to be super high performance over DMI compared to being on CPU, but it's plenty good enough to be worried about it.

  9. Intel should be forced to pay compensation by Anonymous Coward · Score: 1, Insightful

    Intel is running their software on your CPU, using electricity which you pay for. If they do not compensate for that, they are essentially stealing money from you, which is an offense for which they can be held liable in court.

    I propose everybody with such a CPU starts sending Intel invoices. If they do not compensate, a class action lawsuit should be started.

  10. Re:Bert64 - read what u said "we know/have no idea by Bert64 · Score: 4, Insightful

    There's no contradiction, we know for sure it uses *some* ports but do not know what other ports it *might* use. Your notion of blocking the known ports is flawed as it may well communicate via other as yet unknown ports.

    See subject: Point me to a valid reputable security community source that shows more ports being used than what I listed.

    I don't need to prove that more ports are being used, you need to prove that other ports are *NOT* being used in order to validate your claim that filtering at the network layer is effective.

    Monitoring in/out communique from router logs external to the PC would tell fact of what ports it used easily beyond Intel's docs.

    Monitoring the network traffic only shows the communication that actually takes place, not the communication that *could* take place. We don't know if any circumstances exist in which it could attempt other forms of communication. Sure the network router could log this traffic were it to take place, but we cannot be sure of all the triggers which would make it do so. That also assumes that the device only has wired connectivity, which is connected directly to your networking equipment. If the device has any form of wireless connectivity it could attempt communication with anything that's within range.

    Unless we are 100% sure of all the possible network communication the device could perform, and what could potentially trigger it, a blacklist approach at the network gateway can never be truly effective.

    We don't know, and a lack of knowledge is dangerous.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
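The blacklist-versus-allowlist point Bert64 makes above, shown over constructed gateway log lines (an added example, not from the thread or from Intel; the "known ports" set is a placeholder for whatever list the commenter referred to, which is not on this page, and the log format and permitted-flow policy are assumed):

```python
"""Compare a port blacklist with a default-deny allowlist over egress logs."""
import re
from collections import defaultdict

# Constructed sample egress log for one host behind the gateway (example data,
# not captured from any real ME/AMT traffic).
LOG_LINES = [
    "src=192.0.2.10 mac=00:11:22:33:44:55 dst=198.51.100.7 proto=tcp dport=443",
    "src=192.0.2.10 mac=00:11:22:33:44:55 dst=198.51.100.9 proto=tcp dport=16992",
    "src=192.0.2.10 mac=00:11:22:33:44:55 dst=203.0.113.21 proto=udp dport=5353",
    "src=192.0.2.10 mac=00:11:22:33:44:55 dst=203.0.113.40 proto=tcp dport=8443",
]

LINE_RE = re.compile(r"src=(\S+) mac=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")

# Placeholder list of "known" management ports (assumed, stands in for the
# commenter's list). A blacklist can only ever catch what is already on it.
KNOWN_PORTS = {16992, 16993}
# Assumed policy: the flows this host is explicitly permitted to originate.
ALLOWED_FLOWS = {("tcp", 443)}


def parse_log(lines):
    """Turn key=value log lines into flow dicts; unparsable lines are skipped."""
    flows = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, mac, dst, proto, dport = m.groups()
        flows.append({"src": src, "mac": mac, "dst": dst,
                      "proto": proto, "dport": int(dport)})
    return flows


def blacklist_hits(flows, blocked_ports=KNOWN_PORTS):
    """Flags only flows to ports already on the block list; unknown ports pass."""
    return [f for f in flows if f["dport"] in blocked_ports]


def allowlist_violations(flows, allowed=ALLOWED_FLOWS):
    """Default-deny: flags every flow not explicitly permitted, known port or not."""
    return [f for f in flows if (f["proto"], f["dport"]) not in allowed]


def observed_ports_by_mac(flows):
    """What monitoring actually shows: only ports seen so far, per source MAC."""
    seen = defaultdict(set)
    for f in flows:
        seen[f["mac"]].add((f["proto"], f["dport"]))
    return {mac: sorted(ports) for mac, ports in seen.items()}
```

The observed-port summary is exactly the evidence the commenter says is insufficient: it lists what did happen, and says nothing about flows that have not yet been triggered.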