The Intel ME subsystem can take over your machine, can't be audited

Igor Skochinsky (of IDA Hex-Rays fame, among others) has been studying Intel ME for quite some time. He gave a nice talk at Breakpoint summarizing what he&#x27;d discovered (slides here [pdf]: <a href="https:&#x2F;&#x2F;github.com&#x2F;skochinsky&#x2F;papers&#x2F;blob&#x2F;master&#x2F;2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;skochinsky&#x2F;papers&#x2F;blob&#x2F;master&#x2F;2014-10%20%...</a>).<p>Among other things, he finds that ME is capable of running signed Java code which is pushed to the device. Due to the complexity and size of the Java code, it&#x27;s quite likely to have bugs.<p>ME is a bit scary partly because it&#x27;s a totally closed-source and proprietary component of your computer with full and essentially unfettered access to everything - RAM, peripherals, and network I&#x2F;O. Any bug in a publicly-accessible component would have the potential to do serious damage. For example, a bug in the network stack might make it possible for attackers to remotely own your box.

This adds a whole new dimension to &#x27;Intel Inside&#x27;. It says exactly what anyone needs to know.<p>If it&#x27;s for enterprise features as &#x27;innocently&#x27; suggested that those who do not need or want this feature should be able to put it off simply without drama, debate or discussion.<p>Its not surprising that both AMD and ARM have it. This is an orchestrated effort signifying the win of paranoia and security over privacy in the western world.<p>This war is being fought on too many fronts by well resourced and paranoid security agencies with all the tools to influence and the only defense would be individuals and our sense of right and wrong. But it seems individuals have been completely disempowered and reduced to survival mode and are not in a position to stand up for the right thing or even talk about it.<p>If &#x27;moral&#x27; individuals can so easily be quietened in well off economies then one wonders what happens in other economies where basic survival is a day to day fight. Who will fight the privacy war? The silence is deafening. It seems all the activism and racket from media, academics, NGOs and human rights organizations only come into play when a western political or strategic objective needs to be met.<p>There are many who believe that by working with and supporting security agencies they are somehow in the forefront of a nebulous fight of survival and freedom in a dark world. This &#x27;dark world&#x27; is a self created and self serving fantasy and comedy for grown, well adjusted and well read individuals to fall for that push humanity into a negative space.<p>It can be taken for granted unless conclusively proved otherwise with the burden of evidence swaying the other way that any technology coming out of the USA and Europe is compromised completely and the fight for privacy here has been lost.

Joanna Rutkowska has written a nice paper on the topic, highly recommended: <a href="http:&#x2F;&#x2F;blog.invisiblethings.org&#x2F;papers&#x2F;2015&#x2F;x86_harmful.pdf" rel="nofollow">http:&#x2F;&#x2F;blog.invisiblethings.org&#x2F;papers&#x2F;2015&#x2F;x86_harmful.pdf</a><p>Edit: There&#x27;s also a talk from 32c3 for those more inclined to watch a video. I am pretty worried ever since I watched that: <a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=rcwngbUrZNg" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=rcwngbUrZNg</a><p>(which is why I have researched non-Intel laptop alternatives..cliffnotes: GPUs without BLOBs are hard to find and there will be some severe tradeoffs which is expected)

And this is why monopoly of one giant monolith is bad, in any area or case! They get to the whatever the f they want! It&#x27;s not like everything is made today to track, and give access to &quot;authorities&quot; when they want it. But what really drives me mad is that I feel tricked! You put trust into someone and it&#x27;s work, and give them money for that, but they do this, without you even knowing.<p>I was always making fun of sworn GNU guys, always thought they were overblowing things out of the context. But maybe they were on the track! Anyhow, I want more competitive CPU space, we need AMD to get back into game, IBMs Power9, ARM, anything. But as things are standing right now, we won&#x27;t see that anytime soon.

It may be, that Intel didn&#x27;t plan this as an NSA&#x2F;XYZ back door - but it doesn&#x27;t actually matter. What matters is that we know 1) Intel has such technology implemented in allmost all desktops&#x2F;servers currently running 2) you can access those machines remotely (even over GSM) and perform reads&#x2F;writes.<p>Example misuse: somebody can put illegal stuff on your machine and then sue you...<p>(Intel has marketed this feature for big companies so they can format the HDD remotely over GSM in case laptop was stolen.)

Very naively, I wonder what happens if you just call Intel and complain about this. Say you want a way to remove the ME completely. They won&#x27;t help you, but I wonder how they will justify making it compulsory if pressed.<p>Now if I call them, I wouldn&#x27;t reach anybody important. But surely there are a couple of people on HN who are lawyers, CEOs, with the government etc.? If you have an imposing job and a few minutes to spare, I&#x27;d like to see what Intel has to say about this.

I wish the European Commission study this problem and if found guilty impose a fine in such a way and quantity that in no way those firms can continue exposing their clients to possible economic damage.<p>The previous imposed fine was of EUR 1.06 billion.<p>Someone with the required knowledge should submit a detailed record of this potential hazard to the European Commission emphasizing how this system could expose clients to possible threats, its anticompetitive nature, since it could allow hackers gain access to economic secrets, and many other important points.<p>The FSF should stand up and speak clearly. I hope and wish that the FSF execute its mission, that is to gain and gather the necessary strength to expose the nature and extend of these problems and how to fight against them.<p>Those that impose on us tools that allow them to control our business, steal our ideas and plans, and ruin our enterprises plaguing with chaos. Those that thrive to submit our future to their will should be fined.<p>I certainly hope that a new economic fine be imposed. That initiative and measure would set up a strong message and a new precedent targeted to those threating our liberty and economy. A message encoded into an economic hammer with the power to make them shape their will to respect our freedom and integrity.<p>To be Free and Survive we should Fight. FSF.

I&#x27;m very surprised that no-one on HN has talked about their experiences of using AMT for enterprise IT management. Aside from the security problems, I&#x27;ve personally never encountered or seen it&#x27;s use, which makes the ME&#x27;s inclusion (on all chips, for about 6 years) seem like an odd decision from Intel.

No doubt various three-letter agencies are having a field-day with this right now.<p>Hopefully a robin-hood type will reverse-engineer the blob and post a permanent fix to disable this thing before a more nefarious person&#x2F;group uses it to devastate the PC landscape with something even worse than bitlocker.

Why can&#x27;t Intel implement proper security and open up this blob to begin with? Not opening it and not allowing to disable it, suggests it&#x27;s intended for something sinister.

Nice breakdown of how ME works, but nothing new here.<p>Still, I&#x27;m glad I hold on to a ton of older, pre Core i-series Intel machines, AMD machines, and ARM boards. If ME is ever truly compromised at least I have a fallback or three.

The fact that the ME microcontroller can run arbitrary Java code, uploaded at runtime rather than read from ROM is pernicious. The intel private key can sign any blob, and ME would run it.<p>It makes me wonder, could an Java program uploaded to ME crash it or put it into an infinite loop? What would the effect be on the host OS if ME suddenly became unresponsive?<p>Perhaps a &quot;Kill ME&quot; binary could be developed as open source, and perhaps we could get Intel to sign it? If there was a strong enough request to Intel by consumers, why wouldn&#x27;t they go ahead and sign it for us? No skin of their noses what we do with our consumer-grade boxes, right?

While that article is correct, it&#x27;s full of FUD with the constant littering of &#x27;secret&#x27; and &#x27;take over&#x27; in the text.<p>We already know about Igor&#x27;s research and the published ARC CPU reverse engineering, &quot;Ring -3&quot; rootkits and the DEF CON presentations. This is bad, and this needs even more reverse engineering so at some point we might add an &#x27;open&#x27; replacement for the required ME functions and run it together with say, LibreBoot&#x2F;CoreBoot.<p>I wonder why there haven&#x27;t been any NDA ME or ARC docs leaked yet, even some of the Broadcom SOCs had those leaked and via cleanroom design proper FOSS drivers for some of the wireless parts were created... this should be possible with the Intel ME as well. Hell, even a FOSS version or at least partially reverse engineered and modified version of laptop EC firmwares have popped up on the &#x27;net.

The thing about scale is that it doesn&#x27;t look like ordinary individual experience. It ain&#x27;t enough to run Core2&#x2F;\Piledriver&#x2F;\Power&#x2F;\open source microcode: ME enabled computers are connected <i>en masse</i> to the network. The choices are air gap or head in the sand. ME was inside before Snowden.<p>Google, Facebook, Amazon, Ebay, Microsoft,, 百度 etc. buy Xeons by the bucketful. They&#x27;re Intel&#x27;s customers that matter. The retail box that comes with a fan for sale at NewEgg is just exhaust fumes. 42 or &quot;It&#x27;s the cloud&quot;: take your pick. Managing a gazillion server data center by hand just ain&#x27;t practical.<p>Intel&#x27;s customers that matter replace CPU assets on the IRS&#x27;s three year depreciation schedule. It&#x27;s why this [0] and why ME. Security by obscurity isn&#x27;t so bad when dumping the vulnerable subsystem lowers overall costs for other reasons [performance boosts and lower power consumption].<p>ME is a good reason that Microsoft has been striving toward multiplatform. It no longer has such a big say in Intel&#x27;s roadmap. Yes UEFI and the Windows 10 upgrade process kinda suck, but Microsoft ain&#x27;t pwn&#x27;ing anyone&#x27;s computer because Intel already pwn&#x27;d it. ME going sideways at scale would hurt and Microsoft would be the handy victim.<p>There&#x27;s a strategic reason Apple is making it&#x27;s own chips.<p>[0]: <a href="http:&#x2F;&#x2F;www.techspot.com&#x2F;review&#x2F;1155-affordable-dual-xeon-pc&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.techspot.com&#x2F;review&#x2F;1155-affordable-dual-xeon-pc&#x2F;</a>

If you get a microscope and manage to peer into this secret hidey hole in the CPU you will see a bunch of tiny little NSA spooks, Russian and Chinese hackers scuttle away to hide in other dark hidden secret corners of the Intel CPU.

I think at this point pretty much anything on your PC is backdoorable. I can&#x27;t think of a single device in my computer that doesn&#x27;t respond to &quot;magic I&#x2F;O packets&quot; which are undocumented (obviously) and prone to bugs (possibly).<p>Gaming mouse? Yeah send some I&#x2F;O packets and you can change the DPI, USB update rate, whatever. A write-protected USB device? Uh-huh, send some magic-packets to the controllers to reset it&#x2F;format it&#x2F;whatever (Recently did this with one of those Dell USB Mentor Media drives that they ship the OS on). Access point? Yeah, send some magic packets and you can set the password&#x2F;SSID&#x2F;whatever. Hard Disk? undocumented SATA commands allows for reprogramming. This is just the &#x27;easy&#x27; way, without going into JTAG and other diagnostic interfaces.

I think this is time for AMD or IBM&#x27;s POWER8&#x2F;9 to step in. If anything a little good PR vis-a-vis the &quot;rootkit nightmare waiting to happen in your server&quot; would be nice.

FWIW, there is a petition for Intel to release an ME-less CPU design: <a href="https:&#x2F;&#x2F;puri.sm&#x2F;posts&#x2F;petition-for-intel-to-release-an-me-less-cpu-design&#x2F;" rel="nofollow">https:&#x2F;&#x2F;puri.sm&#x2F;posts&#x2F;petition-for-intel-to-release-an-me-le...</a><p>(as mentioned in a comparable thread five days ago: &quot;Intel and ME, and why we should get rid of ME&quot; (fsf.org) <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11880935" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11880935</a>)

Where can people go if they want a fully-libre machine and are willing to sacrifice x86?

When it comes to hardware backdoors, one particular case seems to keep popping up in my mind, and that is Bill Hamilton of the infamous Inslaw&#x2F;Promis octopus debacle. A few years ago when I was on Scheiers blog regular, he was claiming they had prearranged the backdoor installation at the silicon manufacturing level...<p>Something about that has never left my mind, and I suspect its generally correct. Heres hoping that power8 workstation Talos gets off the ground...or some risc equiv.

I find people freaking out about this extremely strange.<p>AMT is Intel&#x27;s equivalent of IPMI. It is a non-standard implementation of it, and does not follow any of the relevant specifications. It does not integrate into most server management platforms.<p>AMT costs extra. Most mobos do not have it enabled as you have to pay Intel&#x27;s tax on it, even if some of the hardware to enable it is in every northbridge.<p>A motherboard <i>must</i> implement it to be available. Most of the motherboards we own don&#x27;t have it enabled. You cannot &quot;break into it&quot; if AMT isn&#x27;t available on your motherboard to begin with.<p>Not all ME chips can run it due to Intel&#x27;s requirements.<p>Now, is the ME chip a threat? Possibly, not not as much as your cell phone&#x27;s baseband modem is. The baseband modem can talk to outside networks, ME can&#x27;t unless it is paired with a NIC it can talk to (Intel does not require mobos that have this; and generally, motherboards meant for AMT ship Intel NICs, but not always).<p>Without AMT, the only thing the ME does is implement management functions that allow you to actually boot and use the machine.<p>In the article, it says &quot;Personally, I would like if my ME only did the most basic task it was designed for, set up the bus clocks, and then shut off,&quot; except it is kept running so you can properly sleep and wake up your machine, and also be able to change CPU frequencies at run time (IE, idle the cpu), and also provide access to the sensors on the motherboard.<p>In addition, the ME handles Intel Smart Connect, which is also not available on all boards (Apple uses this to implement Power Nap). It also requires licensing, the same way AMT does, and may mobo manufs simply don&#x27;t want to license it.<p>ME does not connect to the network if it doesn&#x27;t have a payload that is able to do so (AMT, Smart Connect).<p>The reason people don&#x27;t understand what ME is for is because all of the basic tasks the ME does used to be done by lots of custom hardware, much of it not provided by Intel and different on every board, and somewhat a bit of a driver nightmare.<p>I don&#x27;t like standing up for Intel, but anti-ME articles that continually bring up AMT as if all computers have it is FUD. Very few computers have AMT, very few computers implement this OOB access, very few computers <i>can</i> implement AMT even if Intel let you purchase licensing for it after purchasing the hardware.<p>I&#x27;m not saying that ME is not a security hazard (it can be in some cases), but it isn&#x27;t some ultra awesome NSA backdoor bullshit. Your phone, however, <i>does</i> have the NSA backdoor.

Almost makes you want to get a Lemote Laptop like Richard Stallman.

Taking another angle: What if the computer&#x27;s owner wants to use it to access her computer remotely? Are there some instructions how to do this? Is it feasible?<p>If not, then there seems little justification to have a relatively new feature like this turned on by default. Who is this feature really for? If it&#x27;s not for all users then why is activation mandatory in CPUs after Core2?<p>I mean, if ME has to be active, then the computer&#x27;s owner should be able to use it, right?

Serious question: are AMD chips a viable alternative (from a security standpoint)? I hear their new Zen chips are coming soon.

Previously:<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=10458318" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=10458318</a> (233 days)<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11422531" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11422531</a> (73 days)<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=8813029" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=8813029</a> (534 days)<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11880935" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11880935</a> (5 days)<p>Among many, many others...

Thats crazy talk, in what world is it ok for my cpu to run a tcp stack on its own?

My question is whether alternatives are secure, such as AMD or ARM? I imagine the ARM architecture to be too scrutinised and low power to get away with that sort of thing?<p>Personally I want to buy a laptop that is secure due to travelling to questionable places, I am wondering now whether it will include an Intel CPU in light of this.

The real question is what the firmware can be convinced to do remotely. Probably most of the things in here.[1] Remote management is supposed to be listening on TCP ports TCP 623 for HTTP and 664 for HTTPS.<p>[1] <a href="http:&#x2F;&#x2F;www.dmtf.org&#x2F;sites&#x2F;default&#x2F;files&#x2F;standards&#x2F;documents&#x2F;DSP0232_1.1.0.pdf" rel="nofollow">http:&#x2F;&#x2F;www.dmtf.org&#x2F;sites&#x2F;default&#x2F;files&#x2F;standards&#x2F;documents&#x2F;...</a>

I still don&#x27;t understand why this ME feature has been created to begin with. Assuming that breaking it is a matter of time (someone clever enough thinking about it for long enough), it seems like a serious security vulnerability, worse still because an attack is undetectable.<p>Why create it in the first place? Are the enterprise uses the article mentions worth the risk?

Can someone tell me if people have actually spotted the Intel ME doing unauthorized communication?<p>I imagine it should be easy to spot in any network firewall log (note I said network, not OS), and in reality, if it&#x27;s never been observed to communicate with the outside world without explicitly being told to then do people really need to worry?

Amusingly, the ARC core in the Intel ME is a descendant of the SNES SuperFX chip.

Strange that Intel gives people more reason to go to other processors like ARM when Intel is under such pressure from competition.

I wasn&#x27;t aware about Intel ME until recently bought a brand new Lenovo ThinkPad and saw the &quot;Intel Management Engine&quot; on BIOS&#x2F;UEFI boot menu.<p>The thing is: how can I configure this ME thing in order to avoid (or minimize, at least) possible attacks?

<a href="http:&#x2F;&#x2F;www.tomshardware.co.uk&#x2F;vpro-amt-management-kvm,review-32283-7.html" rel="nofollow">http:&#x2F;&#x2F;www.tomshardware.co.uk&#x2F;vpro-amt-management-kvm,review...</a><p>jesus wept, how do I turn it off?

Has anyone on here actually used this at work?

I knew about ME, but I didn&#x27;t know it had an ARC processor in it. Odd that Intel didn&#x27;t opt for an in-house design, like one of their older cores backported to a newer process. (like a P54 or 386).

Best way to deal with issues like this, make them care. How? we need to get this message to the masses, to get enough people know about this potential issue, that it becomes an organisational issue for Intel.

I would use thunderbolt as it has DMA, create a CRC&#x2F;F(x) cpu (external unit connected thru thunderbolt) that converts&#x2F;encrypt code&#x2F;data to a expected format by modified code generated by a compiler. making act the intel cpu as surrogate to it, delegating control to the CRC&#x2F;F(x) cpu.<p>Extra points, make all the cpus work, and create extra tasks to run at the non used cpus to obscure the actual process running (yeah I know it&#x27;s not energy efficient but someones has to give Intel inspiration to improve).

One thing, OK, so we have this super fantastic network enabled Java platform running autonomously from within around 3 billion devices across the globe since 2006 with the capability to read everything from the systems they are running completely unnoticed.. shouldn&#x27;t this generate a FAIR amount of network traffic (and resulting suspicious log files, if not on the computers then on the routers) or am I missing something here?!

Oh my god it began with the oems installing a bunch of spyware on the default install. Many of which with vulnerabilities. Not to mention &quot;modern&quot; OSes not respecting users privacy. To make matters worse the hardware companies decided to follow suit and thus added unwanted and compromising features to everyday systems. Way to go! It seems I&#x27;ll have to switch to stone age hardware just to have a little peace of mind. Evolution! &gt;(

Does this apply to Macs?

Finally, the ME is getting the exposure it deserves. Seems like just two weeks ago nobody knew it existed.

It&#x27;s probably safe to say that every device you own or ever owned has a back door, intentional or not. The false sense of security people had about their machines was a myth, glad to see it finally die.

Once a malicious 3rd party gets the keys to this kingdom it is game over.

Maybe I missed it in the article, but why is this only present on x86 chips? How do 64-bit processors from Intel offer the same management functionality without this ME subsystem?

What about AMD?

Yo dawg...