Slashdot Mirror

← Back to Stories (view on slashdot.org)

Some Apple Laptops Shipped With Intel Chips In 'Manufacturing Mode' (zdnet.com)

Posted by msmash on from the how-about-that dept.

An anonymous reader writes: Apple has quietly fixed a security issue affecting some laptops that shipped with Intel chips that were mistakenly left configured into "manufacturing mode." The issue was discovered by two security researchers bug hunting for security flaws in Intel's Management Engine. While digging around through the tens of ME configuration options, the two spotted a feature that they believed could lead to problems, if left enabled by accident on Intel chips.

The configuration they eyed was named Manufacturing Mode, and it's an Intel ME option that desktop, server, laptop, or mobile OEMs can enable for Intel chips and use it for testing ME's remote management features. As the name implies, this configuration option should be enabled only on manufacturing lines to enable automated configuration and testing operations, but disabled before shipping the end product. Leaving an Intel ME chip in Manufacturing Mode allows attackers to change ME settings and disable security controls, opening a chip for other attacks.

The two researchers said they only tested Lenovo and Apple laptops for the presence of Intel ME chips in Manufacturing Mode. Other laptops or computers may also be affected. Instructions on how to spot Intel ME chips in Manufacturing Mode and how to disable it are available here. Apple fixed the issue in June, with the release of macOS High Sierra 10.13.5, and Security Update 2018-003 for macOS Sierra and El Capitan.

10 of 36 comments (clear)

  1. Don't buy Intel if you care about security by pak9rabid · · Score: 3, Insightful

    So, between this, Meltdown, and the handful of Spectre variant bugs, I guess it's safe to say that if you value security don't buy Intel.

    1. Re:Don't buy Intel if you care about security by Narcocide · · Score: 2

      I've been saying that since at least 2006.

    2. Re:Don't buy Intel if you care about security by Anonymous Coward · · Score: 5, Funny

      Don't buy AMD either. Only fully secure way is to manufacture your own processor in Minecraft using Redstone. NSA can't spy on you then as they are still running government issued wood pick axes.

    3. Re:Don't buy Intel if you care about security by Tough+Love · · Score: 3, Informative

      From the article "it's an Intel ME option that desktop, server, laptop, or mobile OEMs can enable for Intel chips and use it for testing." Apple is the OEM, so it was Apple that wrongly configured these chips.

      Not defending Intel's notorious management engine by any means, but let's point the finger at the guilty party in this case.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    4. Re:Don't buy Intel if you care about security by PolygamousRanchKid+ · · Score: 2

      Not defending Intel's notorious management engine by any means, but let's point the finger at the guilty party in this case.

      Well, gee, wouldn't it be kinda nice if the guilty party would ship the Intel Management Engine in the "disabled" mode . . . ?

      I'm guessing that it can be disabled later . . . but the folks who know how to do that sure ain't telling . . .

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    5. Re:Don't buy Intel if you care about security by PolygamousRanchKid+ · · Score: 2

      Are you claiming that Intel didn't provide Apple with documentation on how to configure the ME?

      No, I am claiming that Apple probably knows how to disable it . . . but won't.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    6. Re:Don't buy Intel if you care about security by viperidaenz · · Score: 2

      If you value quality control, don't buy Apple.

      They left the chips in manufacturing mode, which means the one-time programmable fuses haven't been programmed. It's real OTP, as they get physically burned open.

      While you can get the CPU back to manufacturing mode, you can't re-burn the fuses.
      This isn't a security flaw in the processor if the OEM follows process. It's how security keys for signed boot and such are loaded, along with various other parameters.

      Leaving it open like Apple did allows code to re-write the ME firmware to old versions that contained vulnerabilities. This can be done because one of the OTP values is the address space of the flash memory that is writable. The default values prohibit writing to the ME firmware region.
      Closing it off and burning the fuses makes it not currently possible.

    7. Re:Don't buy Intel if you care about security by PolygamousRanchKid+ · · Score: 2

      Looks more like an oversight to me, or lack of quality control.

      In this case, they mistakenly left it in "Manufacturing Mode" . . . instead of the normal production "Enabled" mode.

      However, it is also possible to completely disable the Intel Management Engine . . . in other words, "Disabled" mode. This is the mode that government agencies run in. They don't want to leave their own backdoor open.

      This is the mode I would like to be able to set myself . . . or let the manufacturer do it for me . . . but they won't . . . take a guess why not . . . ?

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  2. Fairly common by FeelGood314 · · Score: 3, Interesting

    The engineering team likes those extra options because it helps us debug things. Manufacturing likely doesn't understand it so they leave it enabled because it makes the diagnostics easier. The people who do understand it have told manufacturing at least once a month that they will have to disable it when "real production" for external customers begins but every new product launch it gets forgotten.

  3. Re:And in other breaking news by viperidaenz · · Score: 2

    That would only be news if he's ever been onstange with his fly zipped up.