System76, a vendor of Linux-based laptops, PCs, and servers, will join another Linux laptop maker, Purism, as well as Google and the NSA in disabling the Intel Management Engine (ME) firmware, which has recently been found to contain multiple vulnerabilities. Intel ME provides few to no benefits to consumer laptops, but Intel has been integrating it into all all of its chips since 2008 nonetheless.
Intel ME Vulnerabilities
The Intel ME, which includes its own processor and operating system lying underneath the user-level operating system, has long been considered by privacy activists to be a security risk. One of the reasons that led to this thinking was ME’s potential to contain a backdoor, because it was essentially a black box that can control and bypass any OS-level security protections, and also because users couldn’t gain access to it.
We’ve only recently discovered, through Positive Technologies, a Russian security firm that has been working on disabling ME, that the NSA was the only one that could disable the ME via an undocumented High Assurance Platform (HAP) mode. This undocumented mode can now also be used to disable ME by Google, Purism, and System76.
The second reason why privacy activists have been suspicious of Intel ME was that ME could contain bugs, like any other system, which could then give attackers remote access to any Intel-based machine.
This theory was proven twice already this year, with Intel having to eventually acknowledge that multiple vulnerabilities existed in ME. The company released fixes to laptop makers and motherboard manufacturers, as well as a detection tool for users. The computer companies will have to release the final patches to their users, and then the users will have to download and install those updates. Otherwise, their systems will still be vulnerable to bugs that are now public and completely known to all malware developers.
System 76 Disables ME
System76 has already been working on delivering automatic firmware patches to its customers’ devices, which works similarly to how operating systems receive their automatic updates these days. The company said that it will use the automatic firmware patch system to deliver an updated firmware with disabled ME to all of its customers’ machines that come with an Intel 6th generation CPU or newer.
System76 also reassured its customers that ME provides no functionality needed by consumer machines, so it’s safe to disable. The company warned that Intel may make changes to ME so that consumer devices can’t disable the firmware in the future, but it hopes Intel will not do that.