Slashdot Mirror

← Back to Stories (view on slashdot.org)

Some Apple Laptops Shipped With Intel Chips In 'Manufacturing Mode' (zdnet.com)

Posted by msmash on from the how-about-that dept.

An anonymous reader writes: Apple has quietly fixed a security issue affecting some laptops that shipped with Intel chips that were mistakenly left configured into "manufacturing mode." The issue was discovered by two security researchers bug hunting for security flaws in Intel's Management Engine. While digging around through the tens of ME configuration options, the two spotted a feature that they believed could lead to problems, if left enabled by accident on Intel chips.

The configuration they eyed was named Manufacturing Mode, and it's an Intel ME option that desktop, server, laptop, or mobile OEMs can enable for Intel chips and use it for testing ME's remote management features. As the name implies, this configuration option should be enabled only on manufacturing lines to enable automated configuration and testing operations, but disabled before shipping the end product. Leaving an Intel ME chip in Manufacturing Mode allows attackers to change ME settings and disable security controls, opening a chip for other attacks.

The two researchers said they only tested Lenovo and Apple laptops for the presence of Intel ME chips in Manufacturing Mode. Other laptops or computers may also be affected. Instructions on how to spot Intel ME chips in Manufacturing Mode and how to disable it are available here. Apple fixed the issue in June, with the release of macOS High Sierra 10.13.5, and Security Update 2018-003 for macOS Sierra and El Capitan.

4 of 36 comments (clear)

  1. Don't buy Intel if you care about security by pak9rabid · · Score: 3, Insightful

    So, between this, Meltdown, and the handful of Spectre variant bugs, I guess it's safe to say that if you value security don't buy Intel.

    1. Re:Don't buy Intel if you care about security by Anonymous Coward · · Score: 5, Funny

      Don't buy AMD either. Only fully secure way is to manufacture your own processor in Minecraft using Redstone. NSA can't spy on you then as they are still running government issued wood pick axes.

    2. Re:Don't buy Intel if you care about security by Tough+Love · · Score: 3, Informative

      From the article "it's an Intel ME option that desktop, server, laptop, or mobile OEMs can enable for Intel chips and use it for testing." Apple is the OEM, so it was Apple that wrongly configured these chips.

      Not defending Intel's notorious management engine by any means, but let's point the finger at the guilty party in this case.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  2. Fairly common by FeelGood314 · · Score: 3, Interesting

    The engineering team likes those extra options because it helps us debug things. Manufacturing likely doesn't understand it so they leave it enabled because it makes the diagnostics easier. The people who do understand it have told manufacturing at least once a month that they will have to disable it when "real production" for external customers begins but every new product launch it gets forgotten.