Intel ME's Undocumented Manufacturing Mode Suggests CPU Hacking Risks

Positive Technologies (PT), a Russian security company that has discovered multiple bugs in Intel’s Management Engine (ME) over the last couple of years, this week revealed more details about Intel’s “Manufacturing Mode” for ME, saying it can expose users to remote hacking. This is the second undocumented mode in Intel ME that PT has found in recent years.

Intel ME Manufacturing Mode

According to PT, Intel’s Manufacturing Mode in its processors is intended for configuration and testing of chips during manufacturing. The mode is expected to be disabled before shipping for the same reason software's debugging mode is disabled before shipping: you don’t want hackers to gain easy access to it.

However, PT said that if the Manufacturing Mode in Intel ME is not disabled in the final product, average customers are not able to disable it, both because they wouldn't know about it (it's undocumented) and because the tools that can do that are not officially available. Because of that, no current software, including Chipsec, which can normally tell you about processor configuration errors at the UEFI firmware level, can see whether or not the Manufacturing Mode is disabled.

What Does Manufacturing Mode Do?

Manufacturing Mode allows for the configuration of critical platform settings, such as those for BootGuard, a technology available with Intel’s chips that can verify the boot process. These settings are stored in one-time-programmable memory (FUSEs), and some of them are called Field Programmable Fuses (FPFs).

FPFs are typically used to store platform parameters. Setting FPFs requires Intel’s ME to be in the Manufacturing Mode. As part of a two-step process, the FPFs are first stored to temporary memory and are then “burned” when the Manufacturing Mode is closed. If a system remains in Manufacturing Mode, that means the FPFs have never been initialized because the process hasn’t been completed.

If manufacturers somehow forget to set the FPFs that they need to set for their products and the Manufacturing Mode remains enabled, that could allow attackers to set their own FPFs, and, thus, control the platform.

For instance, the attackers could set their own values for BootGuard or other security features. The Intel platform would then automatically load with the attackers’ malicious code, regardless of the steps the user would take to protect their machine against malware. According to PT, the attackers' malicious code can never be removed.

Which Intel Processors Are at Risk?

PT said that newer Intel platforms that have the Manufacturing Mode enabled, such as Apollo Lake, Gemini Lake and Cannon Point, expose users to even more risk because the attackers can not only control the verified boot process, but also steal the OEM’s root key, which is used to sign all sorts of firmware on a machine.

According to PT, the Intel ME was previously located in a separate SPI flash memory region that had independent access rights for the CPU and ME, making it impossible to read or write to the ME from the CPU (main system) side.

However, Intel changed this for the latest platforms by introducing a new mechanism called “Master Grant.” A master can control a special SPI region, but it can also provide access to other masters to its own region. In other words, it would be possible to give the CPU access to regions of the ME to which it normally wouldn’t have access.

PT believes Intel introduced this feature to make it easier for the company to update ME more directly, but one could imagine this can also make it easier for attackers that control the CPU to then gain access to lower levels of the platform too.

Apple Laptops' Vulnerability

PT found that Apple’s laptops were shipping with the Manufacturing Mode enabled. After PT reported the flaw to the company, Apple fixed it in the macOS High Sierra update 10.13.5.

The security company didn't find any Manufacturing Mode issues with the Lenovo Yoga and ThinkPad laptops.
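Checking whether a machine shipped with Manufacturing Mode still open comes down to reading one firmware status bit. The following is an added example, not PT's tool or code from the article; it assumes, following the HFSTS1 layout used in coreboot's ME code rather than anything stated in the article, that on Linux the ME host interface is PCI device 00:16.0 and that bit 4 of the register at config offset 0x40 reports Manufacturing Mode. The sample register values are constructed.

```python
import struct

# Assumptions, not from the article: the ME host interface is PCI device
# 0000:00:16.0, and its Host Firmware Status 1 register (HFSTS1) sits at
# config offset 0x40 with the bit layout used by coreboot's ME code.
ME_CONFIG = "/sys/bus/pci/devices/0000:00:16.0/config"
HFSTS1_OFFSET = 0x40

def decode_hfsts1(value):
    """Pull the fields that matter for this check out of a 32-bit HFSTS1."""
    return {
        "working_state": value & 0xF,                  # bits 0-3
        "manufacturing_mode": bool(value & (1 << 4)),  # bit 4
        "fw_init_complete": bool(value & (1 << 9)),    # bit 9
    }

def read_hfsts1(path=ME_CONFIG):
    """Return HFSTS1 as an int, or None when it cannot be read."""
    try:
        with open(path, "rb") as f:
            f.seek(HFSTS1_OFFSET)
            raw = f.read(4)
    except OSError:
        return None          # no such device, or access denied
    if len(raw) < 4:
        return None          # unprivileged readers get only 64 bytes
    return struct.unpack("<I", raw)[0]

def verdict(value):
    """Turn a raw register value into a finding for an audit report."""
    if value is None or value == 0xFFFFFFFF:
        # All-ones is what a hidden or disabled PCI function reads back.
        return "unknown"
    if decode_hfsts1(value)["manufacturing_mode"]:
        return "manufacturing mode OPEN"
    return "manufacturing mode closed"

if __name__ == "__main__":
    # Constructed sample values, not taken from real hardware.
    for sample in (0x90000245, 0x90000255, 0xFFFFFFFF):
        print(f"{sample:#010x}: {verdict(sample)}")
    print("this machine:", verdict(read_hfsts1()))
```

Reading config space past the first 64 bytes through sysfs requires root, so an unprivileged run reports "unknown" for the local machine rather than a false "closed".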

Intel’s Undocumented Modes

PT was also the first security company to reveal that Intel had another undocumented mode called the High Assurance Platform (HAP), which was developed for the NSA. The intelligence agency supposedly needed it to close off any potential vulnerabilities of Intel’s ME, which ships with all consumer and enterprise processors. However, most other Intel customers didn't get that benefit, despite the fact that consumer machines have no use for Intel ME.

Intel ME has long been criticized by privacy activists as a potential backdoor, or at least a major security loophole that attackers could one day control. Therefore, finding out that Intel had built a special undocumented mode in ME for the NSA didn’t exactly calm those fears--quite the opposite.

Since then, we’ve also learned about more ME vulnerabilities that could allow attackers to take over machines remotely. Now we've learned that Intel has kept secret from the public yet another mode that could give attackers access to its CPUs.

Intel promised earlier this year, following the disclosure of the Meltdown and Spectre bugs, that it would put security first. As we said before, it remains to be seen if Intel will actually follow through on those security promises.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • PellehDin
    AMD is looking better and better for my next build.
  • acme64
    amd has trustzone
  • Karadjgne
    Intel is the Big Dog on the block, has been for a while. Even had claims of 90% of the internet being run by Intel processors at one point not so long ago. Of course it's the target for such specific hacks trying to find back doors. And everyone has them, even Apple did. They are there. But Ryzen is still pretty new and is not yet fully established in business applications, won't be for a while, until ppl upgrade. That leaves Intel. Most ppl running amd are still using FX processors and haven't updated yet, and really, it's a pretty sad waste of time trying to hack an FX user. It's the same as Microsoft. Most ppl run a version of Windows, so guess who gets hacked. You can hack Linux just as easy, but what's the point, not enough users to make any real splash in the headlines.

    Amd only looks better because either hackers aren't bothering, or those that are just haven't found the security lapses yet.
  • TCA_ChinChin
    It's a shame that Intel did this, but one has to also consider AMD. Although there hasn't been specific research published or public about AMD's equivalent to ME, fact of the matter is that it exists, and thus, the similar possibilities for exploits on AMD's platforms as well. That said, it might be better executed or less vulnerable than Intel's.
  • derekullo
    Intel ME reminds me of Windows ME.

    Automatically making it sound bad.
  • rantoc
    So where to forcefully disable ME, it's just adding headaches. No wonder why clever companies like Google are working towards that end!
  • ein4rth
    AMD's PSP is quite different (and simpler) from Intel's ME which controls everything, networking included. And it's very simplistic to assume that vulnerabilities are not being found because "hackers aren't bothering".
  • Christopher1
    I will be totally blunt: This should not be enabled in the damned first place on customer systems. As soon as all testing is done, a special daisy version that it is known that this functionality is disabled should be pushed out for customers.
    This is a failure in the extreme by Intel, by Microsoft, and by the computer manufacturers.

    Congress, if you are reading this? Do a hearing on this subject and lambaste those three levels of companies for this stuff.