Intel has come under fire recently for numerous security vulnerabilities found in its ME firmware. Hardware vendors are now reacting to Intel's core CPU technology being riddled with security holes by actively disabling it before it is sent to customers. Currently, three major hardware vendors are offering products without Intel’s Management Engine (ME). The vendors are either disabling ME before products reach shelves or are providing firmware updates that disable the technology.
The Intel Management technology is often criticised as being a secret operating system inside the main Intel CPU. The component operates independently from the user's main OS, with separate processes, threads, memory manager, hardware bus driver, file system, and many other components. It is feared that an attacker who exploited any flaw within the ME technology could first gain access to ME and then gain untethered control over the entire computer.
This fear appeared to become reality when in November Intel issued a security alert announcing it was aware of several flaws affecting ME and other core Intel CPU technologies. The flaws impacted not only ME but also Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE). The flaws are believed to be severe enough to allow attackers to install rootkits on vulnerable PCs, retrieve data processed inside CPUs, and cause PC crashes.
While Intel released firmware patches for these vulnerabilities, they were not released to the general public. This was due to the belief that chipset and motherboard vendors would have to integrate the patches into their own updates. According to Intel, the following firmware versions are affected:
- ME firmware versions 11.0/11.5/11.6/11.7/11.10/11.20
- SPS Firmware version 4.0
- TXE version 3.0
This would then mean that the following products by default are vulnerable:
- 6th, 7th & 8th Generation Intel® Core™ Processor Family
- Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
- Intel® Xeon® Processor Scalable Family
- Intel® Xeon® Processor W Family
- Intel® Atom® C3000 Processor Family
- Apollo Lake Intel® Atom Processor E3900 series
- Apollo Lake Intel® Pentium™
- Celeron™ N and J series Processors
In an attempt to mitigate any future exploitation Intel released a tool for Windows and Linux that checks and reports if users' computers are affected. On Windows, users should run the Intel-SA-00086-GUI.exe file to view scan results.
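Where firmware versions are already collected in an asset inventory, the version families listed above can be checked in bulk. The following is an added example, not code from Intel or from the original article; the CSV layout, host names and version strings are constructed. A match means only that the version family is on the list, not that a particular build is unpatched, so flagged hosts still need the vendor's firmware update.

```python
# Added example: triage a firmware inventory against the affected version
# families listed in the article. Inventory layout and values are constructed.
import csv
import io

# Affected (major, minor) families, taken from the list above.
AFFECTED = {
    "ME": {(11, 0), (11, 5), (11, 6), (11, 7), (11, 10), (11, 20)},
    "SPS": {(4, 0)},
    "TXE": {(3, 0)},
}


def family(version):
    """Return (major, minor) as integers, or None if the string is malformed.

    Comparing integers avoids string-prefix mistakes such as treating
    11.1 as 11.10 or 11.70 as 11.7.
    """
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        return None
    return int(parts[0]), int(parts[1])


def classify(component, version):
    """Classify one firmware component as affected-family, not-listed or unknown."""
    comp = component.strip().upper()
    fam = family(version)
    if fam is None or comp not in AFFECTED:
        return "unknown"
    return "affected-family" if fam in AFFECTED[comp] else "not-listed"


def triage(inventory_csv):
    """Map each host in a host,component,version CSV to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["component"], r["version"]) for r in rows}


# Constructed sample inventory (not real hosts or captured data).
SAMPLE = """host,component,version
lap-01,ME,11.6.27.3264
lap-02,ME,11.1.0.1000
srv-01,SPS,4.0.4.288
nuc-01,TXE,3.0.1.1107
old-01,ME,9.1.45.3000
bad-01,ME,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" have a missing or malformed version string and should be checked directly with Intel's detection tool.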
Intel ME has not been without earlier problems. In May of this year, Intel patched a remote code execution flaw that affected ME components such as Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT). ME has also developed an unhealthy reputation for being exploited in cyber espionage campaigns, most recently involving the PLATINUM APT.
“Disabling the Management Engine, long believed to be impossible, is now possible and available in all current Librem laptops, it is also available as a software update for previously shipped recent Librem laptops.”
Purism describes itself as a Social Purpose Corporation devoted to bringing security, privacy, software freedom, and digital independence. The company manufactures premium-quality laptops, tablets, and phones. In its recently released press statement, it admits that disabling Intel’s ME technology was not an easy process. It was possible because Purism maintains its own BIOS firmware update process. What is interesting is that Purism announced its decision to sell products with ME disabled in October, a month before Intel made its announcement about the most recent batch of vulnerabilities. This decision seems to be a response to researchers previously proving capable of disabling the much-maligned technology. It has been made in an effort to improve the privacy of users of its products.
System76 is recognized as a seller of custom Linux PC rigs and became the second company to announce that it would be disabling Intel ME technology on its products moving forward. In the blog post which announced the company’s position, it also stated that researchers at Positive Technologies discovered the firmware to have an undocumented High Assurance Platform (HAP) setting. HAP was developed by the NSA for what it felt was secure computing.
Since July of this year, the company has been working on a project to automatically deliver firmware to System76 laptops, similar to the way software is currently delivered through the operating system. According to the company, it will be rolling out the updates for laptops soon. For desktop users, System76 will work on the automated delivery of the relevant updates. The company hopes that disabling ME through these measures will reduce future vulnerabilities. Using its new firmware delivery infrastructure will mean future updates can roll out extremely fast and with a higher percentage of adoption. All relevant information as to the rollout plan is available on the above-mentioned blog post by the company.
Dell has not come out with a statement directly stating that it has disabled the maligned technology. However, a Reddit user noticed this past week that Dell appears to have modified its online store to allow customers to buy Intel-powered computers without Intel's Management Engine. It is still unclear whether Dell added this option on its own or took a position similar to that of the companies mentioned above after Intel notified the company. This change has been welcomed by researchers and advocates of privacy, as it is felt that ME as a technology was meant for enterprise environments and has no place on personal-use computers.
While Dell has not issued a statement describing its exact position, it has in the past admitted that it sells products affected by the Intel ME bugs. As a major tech retailer, Dell is not alone in this position. Acer, Fujitsu, HP, Lenovo, and Panasonic have all promised firmware updates that will fix the reported security bugs. As of yet, much of the interested public is waiting to see when such updates are released.