Some Apple Laptops Shipped With Intel Chips In 'Manufacturing Mode' (zdnet.com)

← Back to Stories (view on slashdot.org)

Some Apple Laptops Shipped With Intel Chips In 'Manufacturing Mode' (zdnet.com)

Posted by msmash on Tuesday October 2, 2018 @09:30AM from the how-about-that dept.

An anonymous reader writes: Apple has quietly fixed a security issue affecting some laptops that shipped with Intel chips that were mistakenly left configured into "manufacturing mode." The issue was discovered by two security researchers bug hunting for security flaws in Intel's Management Engine. While digging around through the tens of ME configuration options, the two spotted a feature that they believed could lead to problems, if left enabled by accident on Intel chips.

The configuration they eyed was named Manufacturing Mode, and it's an Intel ME option that desktop, server, laptop, or mobile OEMs can enable for Intel chips and use it for testing ME's remote management features. As the name implies, this configuration option should be enabled only on manufacturing lines to enable automated configuration and testing operations, but disabled before shipping the end product. Leaving an Intel ME chip in Manufacturing Mode allows attackers to change ME settings and disable security controls, opening a chip for other attacks.

The two researchers said they only tested Lenovo and Apple laptops for the presence of Intel ME chips in Manufacturing Mode. Other laptops or computers may also be affected. Instructions on how to spot Intel ME chips in Manufacturing Mode and how to disable it are available here. Apple fixed the issue in June, with the release of macOS High Sierra 10.13.5, and Security Update 2018-003 for macOS Sierra and El Capitan.

36 comments

Min score:

Reason:

Sort:

Don't buy Intel if you care about security by pak9rabid · 2018-10-02 09:35 · Score: 3, Insightful

So, between this, Meltdown, and the handful of Spectre variant bugs, I guess it's safe to say that if you value security don't buy Intel.
1. Re:Don't buy Intel if you care about security by IVomitFatCashews · 2018-10-02 09:38 · Score: 1
  
  And if you value quality, don't read Slashdot.
2. Re:Don't buy Intel if you care about security by Narcocide · 2018-10-02 09:39 · Score: 2
  
  I've been saying that since at least 2006.
3. Re:Don't buy Intel if you care about security by Anonymous Coward · 2018-10-02 09:40 · Score: 5, Funny
  
  Don't buy AMD either. Only fully secure way is to manufacture your own processor in Minecraft using Redstone. NSA can't spy on you then as they are still running government issued wood pick axes.
4. Re:Don't buy Intel if you care about security by Tough+Love · 2018-10-02 09:52 · Score: 3, Informative
  
  From the article "it's an Intel ME option that desktop, server, laptop, or mobile OEMs can enable for Intel chips and use it for testing." Apple is the OEM, so it was Apple that wrongly configured these chips.
  Not defending Intel's notorious management engine by any means, but let's point the finger at the guilty party in this case.
  
  --
  When all you have is a hammer, every problem starts to look like a thumb.
5. Re:Don't buy Intel if you care about security by Anonymous Coward · 2018-10-02 09:55 · Score: 0
  
  I'll trust this when you can make a minecraft processor that can run minecraft emulating a processor.
6. Re:Don't buy Intel if you care about security by PolygamousRanchKid+ · 2018-10-02 10:09 · Score: 2
  
  Not defending Intel's notorious management engine by any means, but let's point the finger at the guilty party in this case.
  Well, gee, wouldn't it be kinda nice if the guilty party would ship the Intel Management Engine in the "disabled" mode . . . ?
  I'm guessing that it can be disabled later . . . but the folks who know how to do that sure ain't telling . . .
  
  --
  Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
7. Re:Don't buy Intel if you care about security by Tough+Love · 2018-10-02 10:15 · Score: 1
  
  Are you claiming that Intel didn't provide Apple with documentation on how to configure the ME? But this researcher somehow knew about that configuration option? Pretty hard to exonerate Apple on this one, but I fully expect the usual social media astroturfers to try.
  
  --
  When all you have is a hammer, every problem starts to look like a thumb.
8. Re:Don't buy Intel if you care about security by Anonymous Coward · 2018-10-02 10:17 · Score: 0
  
  Wow. You sure are fast to hating on Apple. msmash is that you?
  I bet you're beating off to your love of hate for Apple as we speak.
9. Re:Don't buy Intel if you care about security by AHuxley · 2018-10-02 10:19 · Score: 1
  
  But the games crave the per clock speed only Intel can support.
  
  --
  Domestic spying is now "Benign Information Gathering"
10. Re:Don't buy Intel if you care about security by PolygamousRanchKid+ · 2018-10-02 10:20 · Score: 2
  
  Are you claiming that Intel didn't provide Apple with documentation on how to configure the ME?
  No, I am claiming that Apple probably knows how to disable it . . . but won't.
  
  --
  Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
11. Re:Don't buy Intel if you care about security by Anonymous Coward · 2018-10-02 10:24 · Score: 0
  
  Hell no! apple is never to be blamed. First rule of being an isheep.
12. Re:Don't buy Intel if you care about security by Tough+Love · 2018-10-02 10:59 · Score: 1
  
  Are you claiming that Intel didn't provide Apple with documentation on how to configure the ME?
  No, I am claiming that Apple probably knows how to disable it . . . but won't.
  Looks more like an oversight to me, or lack of quality control.
  
  --
  When all you have is a hammer, every problem starts to look like a thumb.
13. Re:Don't buy Intel if you care about security by viperidaenz · 2018-10-02 11:07 · Score: 2
  
  If you value quality control, don't buy Apple.
  They left the chips in manufacturing mode, which means the one-time programmable fuses haven't been programmed. It's real OTP, as they get physically burned open.
  While you can get the CPU back to manufacturing mode, you can't re-burn the fuses.
  This isn't a security flaw in the processor if the OEM follows process. It's how security keys for signed boot and such are loaded, along with various other parameters.
  Leaving it open like Apple did allows code to re-write the ME firmware to old versions that contained vulnerabilities. This can be done because one of the OTP values is the address space of the flash memory that is writable. The default values prohibit writing to the ME firmware region.
  Closing it off and burning the fuses makes it not currently possible.
14. Re:Don't buy Intel if you care about security by Tough+Love · 2018-10-02 11:14 · Score: 1
  
  You sure are fast to hating on Apple.
  So, according to you, suggesting that Apple made a mistake is hating on Apple? Maybe you also think that convicting a criminal is hating on the criminal?
  
  --
  When all you have is a hammer, every problem starts to look like a thumb.
15. Re:Don't buy Intel if you care about security by Tough+Love · 2018-10-02 11:22 · Score: 1
  
  Ah, I see what you're saying. Let me correct a misunderstanding: management engine configuration is designed to be impossible by anyone downstream of the OEM, which can be enforced by a variety of means including burning out fusible links. Whether Intel does actually manage to enforce that perfectly is a question for security researchers.
  
  --
  When all you have is a hammer, every problem starts to look like a thumb.
16. Re:Don't buy Intel if you care about security by Anonymous Coward · 2018-10-02 11:30 · Score: 0
  
  The 68000 makes the 8088 look like it was made in the 60's
17. Re:Don't buy Intel if you care about security by PolygamousRanchKid+ · 2018-10-02 11:33 · Score: 2
  
  Looks more like an oversight to me, or lack of quality control.
  In this case, they mistakenly left it in "Manufacturing Mode" . . . instead of the normal production "Enabled" mode.
  However, it is also possible to completely disable the Intel Management Engine . . . in other words, "Disabled" mode. This is the mode that government agencies run in. They don't want to leave their own backdoor open.
  This is the mode I would like to be able to set myself . . . or let the manufacturer do it for me . . . but they won't . . . take a guess why not . . . ?
  
  --
  Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
18. Re:Don't buy Intel if you care about security by Anonymous Coward · 2018-10-02 11:49 · Score: 0
  
  Awwww dont be jealous sweety. Im sure you are smart too.
19. Re: Don't buy Intel if you care about security by Anonymous Coward · 2018-10-02 12:22 · Score: 0
  
  Brutal. Huge liability
20. Re:Don't buy Intel if you care about security by Anonymous Coward · 2018-10-03 01:01 · Score: 0
  
  You kid but I was actually attending a workshop on how to etch your own transistors into silicon wafers. It's not that bad.
  If you want it small and fast, it's very difficult. But otherwise? Perfectly doable.
21. Re:Don't buy Intel if you care about security by Anonymous Coward · 2018-10-03 01:26 · Score: 0
  
  But the games crave the per clock speed only Intel can support.
  Perhaps Intel ME stands for Misogyny Engine?
22. Re:Don't buy Intel if you care about security by Plumpaquatsch · 2018-10-03 04:08 · Score: 1
  
  Apple is the OEM, so it was Apple that wrongly configured these chips.
  You do know what that means: You can now no longer claim "Apple doesn't build their own computers".
  
  --
  Of course news about a fake are Fake News.
23. Re:Don't buy Intel if you care about security by tlhIngan · 2018-10-03 05:57 · Score: 1
  
  However, it is also possible to completely disable the Intel Management Engine . . . in other words, "Disabled" mode. This is the mode that government agencies run in. They don't want to leave their own backdoor open.
  This is the mode I would like to be able to set myself . . . or let the manufacturer do it for me . . . but they won't . . . take a guess why not . . . ?
  Because users care about stuff like low power mode and suspend/sleep ability.
  Intel ME is used to actually boot the processor and perform power management (because well, you can use it to remotely control power to the computer, so it already has the ability to change processor speeds and voltage settings).
  Chances are "Disabled" mode isn't truly disabled - more like "enough to boot the processor and then spin" which will boot the processor, lock it at max normal frequency and power setting and then leave it at that with no way to alter it (because it requires ME firmware to do that and the ME subsystem is doing a "while (1);" spin, doing nothing).
  Fine for government computers where the policy is to shut down your computer at the end of the day and sleep/hibernate is disabled. No need ME firmware to write to the register that tells the power supply to turn off.
Very Interestng, but stupid by Anonymous Coward · 2018-10-02 09:54 · Score: 0

I'm surprised as anyone to read that the 486 architecture
that the Apple used supported a 'Manufacturing Mode'.
CAP === 'glided'
Fairly common by FeelGood314 · 2018-10-02 09:56 · Score: 3, Interesting

The engineering team likes those extra options because it helps us debug things. Manufacturing likely doesn't understand it so they leave it enabled because it makes the diagnostics easier. The people who do understand it have told manufacturing at least once a month that they will have to disable it when "real production" for external customers begins but every new product launch it gets forgotten.
1. Re:Fairly common by Anonymous Coward · 2018-10-02 11:13 · Score: 0
  
  We're talking about one of the biggest manufacturers of x86-based hardware here. They have shipped multiple generations of Intel ME-enabled devices and should know better. This is inexcusable. The remote management capabilities of ME are NOT new, they date back to Core 2 Duo era.
Build 8088 if you care about security. by Ostracus · 2018-10-02 10:01 · Score: 1

RISC-V, or make an 8088 out of FPGAs.

--
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
1. Re:Build 8088 if you care about security. by TeknoHog · 2018-10-02 10:10 · Score: 1
  
  RISC-V, or make an 8088 out of FPGAs.
  You can find pretty capable FPGAs today, in fact you've been able to put various RISC processors on a single FPGA for years. Unfortunately, they won't be fundamentally secure. The compilers are generally closed source, and who knows what the chips themselves are hiding.
  
  --
  Escher was the first MC and Giger invented the HR department.
2. Re: Build 8088 if you care about security. by Anonymous Coward · 2018-10-02 11:16 · Score: 0
  
  RISK-V is regarded as the next generation general CPU architecture. x86 needs to go away. It served a remarkable lifespan, but yeah, put it to pasture.
3. Re: Build 8088 if you care about security. by Anonymous Coward · 2018-10-02 17:00 · Score: 0
  
  It is all worthless and insecure unless you load your own firmware into chips you made from NAND gates that mined, smelted and refined yourself. Your better security guys automate it by training butterflies to trigger hurricanes on the other side of the planet, and compute using cosmic ray bit flips attenuated by the resultant lightening strikes and filtered by the test of the planet's mass.
And in other breaking news by Anonymous Coward · 2018-10-02 10:17 · Score: 0

And in other breaking news, Tim Cook appeared on stage at a press conference with his fly unzipped.
1. Re:And in other breaking news by viperidaenz · 2018-10-02 11:09 · Score: 2
  
  That would only be news if he's ever been onstange with his fly zipped up.
Re:Sounds suspicious by Anonymous Coward · 2018-10-03 00:28 · Score: 0

Well considering the crap apple puts out now i think they have a serious shortage of engineers. But considering its apple who would want to work there?
Please make processors w/o secret features! by Anonymous Coward · 2018-10-03 02:21 · Score: 0

I would really really like, never to findout someday, the processor in my computer had a secret subprocessor/software that bypasses any/all other security measures!