Over the last few months, security researchers from Purism, Positive Technologies, and even Google have found ways how to disable the secretive Management Engine (ME) firmware on Intel processors. This seems to have prompted Intel to do a review of its firmware and plug most of the holes that allowed the researchers to take over the ME.
Researchers Disable ME
This year, security researchers from Purism, the maker of privacy-focused Linux-based laptops, and Positive Technologies started looking for ways to disable Intel’s ME firmware. Many privacy activists, including Purism's security researchers, worried that ME could be used as a backdoor.
The closed source proprietary model of the firmware also denies most people—except the NSA—the ability to see what it does on a computer, which means it might come with security flaws that could be exploited by sophisticated attackers.
Both of these worries prompted Google to work on disabling ME for its servers so it can be more sure that it couldn’t be exploited by attackers.
The latest major revelation around ME vulnerabilities was a recent announcement from a Positive Technologies researcher that they have achieved full takeover of ME (and therefore of the computer in question) via USB. The researcher didn’t reveal more at the time, but he’s about to present the hack at the next Chaos Computer Club conference (34C3) at the end of December.
Intel Announces Fix For The Flaw
Intel announced that it has completed a security review of its ME firmware as well as the Intel Server Platform Services (SPS) and Intel Trusted Execution Engine (TXE) with the goal of enhancing firmware resilience. The review was prompted by the latest work by “external researchers.”
Intel identified multiple security flaws in the ME firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, as well as SPS Firmware version 4.0 and TXE version 3.0. As Purism told us recently, version 11 of ME is quite different from the one Intel used before, and it also runs on a separate x86 processor, as opposed to an Arc processor like before. Versions 11 and later are available to Intel 6th-gen processors (Skylake) and newer.
The full list of impacted CPUs includes:
- 6th, 7th & 8th Generation Intel Core Processor Family
- Intel Xeon Processor E3-1200 v5 & v6 Product Family
- Intel Xeon Processor Scalable Family
- Intel Xeon Processor W Family
- Intel Atom C3000 Processor Family
- Apollo Lake Intel Atom Processor E3900 series
- Apollo Lake Intel Pentium
- Celeron N and J series Processors
As many privacy and security activists have feared, the recent flaws could allow an attacker to gain unauthorized access to ME functionality and third-party secrets protected by the ME, the SPS, or the TXE.
To determine if the recently found vulnerabilities impact your system, Intel has created a detection tool that can be downloaded from its site. The tool is available only for Windows and Linux users.
The patch meant to fix these vulnerabilities will not be provided by Intel. You will have to check with your notebook’s OEM or your PC’s motherboard maker to see if they have released a firmware update that fixes the recent flaws.
Purism told us in an email that although they need to test the new firmware, they think they should still be able to use the undocumented mode that the NSA has also been using to continue to disable the ME in their laptops, as the recent vulnerabilities announced by Intel don't seem to relate to it.