Jump to content











Photo
- - - - -

Here's How To Disable Intel Management Engine And Slam Its Alleged Security Backdoor Shut

intel me

  • Please log in to reply
11 replies to this topic

#1 alacran

alacran

    Silver Member

  • Advanced user
  • 506 posts
  •  
    Mexico

Posted 4 weeks ago

NOTE:

This is a very risky procedure, and you may brick your PC.

 

I have just found this, and I think you should read it:

 

Source: https://hothardware....1-thanks-to-nsa

 

Here's How To Disable Intel Management Engine And Slam Its Alleged Security Backdoor Shut

 

A team of researchers from Positive Technologies have dug into the innards of Intel Management Engine (ME) 11 and have found a way to turn the feature off. If you aren't familiar with ME, it's a separate processor that is tucked away inside Intel CPUs that allows companies to manage the computers on their networks. Essentially, it allows the IT team to get into your machine to fix issues or apply updates among other things. The catch is that ME 11 is essentially a backdoor leaving some concerned about potential security exploits and privacy concerns.

intl-me.jpg

That fact has left many people who use Intel CPUs and have no need for that feature unhappy that a potential backdoor is in their system. This is where Positive Technologies comes in with its discovery of an undocumented mode (to partially disable ME) and the fact that it is connected with the High Assurance Platform (HAP) program. Positive Technologies does warn people that following these steps could damage your PC.

If you want to follow the steps anyway, the researchers put the utility needed on GitHub. Once that software is unpacked, you can begin the process or turning off ME 11 with another tool the team provides, called ME Cleaner. One bit of warning is that you cannot completely turn this off. ME is part of the boot process and required for launching of the main processor.

Positive Technologies wrote, "The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor. Another complication lies in the fact that some data is hard-coded inside the PCH chip functioning as the southbridge on modern motherboards."

Intel provides motherboard makers with a tool so they can program some limited functionality for ME including a Flash Image Tool (FIT) and a Flash Programming Tool (FPT). While not provided to end users, they are said to be freely available on the internet. 

The full post by the researchers over at Positive Technologies is very technical and at it's core, the team found that there is a hidden switch in the firmware code for ME and when set to "1" it will turn off ME after the computer is booted up and the ME component in the boot sequence are no longer needed. The bit is called "reserve_hap" and is described in the code as "High Assurance Platform" (HAP) enabled, reports BleepingComputer.

The bit was reportedly added at the request of the NSA for PCs running in highly secure environments. Intel did confirm the kill switch for ME, telling the researchers, "In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s 'High Assurance Platform'program. These modifications underwent a limited validation cycle and are not an officially supported configuration."

 

alacran



#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13787 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 4 weeks ago

 

The full post by the researchers over at Positive Technologies is very technical and at it's core, the team found that there is a hidden switch in the firmware code for ME and when set to "1" it will turn off ME after the computer is booted up and the ME component in the boot sequence are no longer needed. 

 

Which is here:

http://blog.ptsecuri...g-intel-me.html

(already posted yesterday, just for the record):

http://reboot.pro/to...ix-os/?p=204765

 

:duff:

Wonko



#3 IAmTheTrueMeaningOfCovfefe

IAmTheTrueMeaningOfCovfefe

    Silver Member

  • Advanced user
  • 578 posts
  • Location:In hiding
  • Interests:An investigation is underway to determine whether Trump has any ties to America.
  •  
    United States

Posted 2 weeks ago

Instead of reposting an entire article(s) verbatim, why not just link to them instead?



#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13787 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 2 weeks ago

Some fresh news (INTEL-SA-00086):

 

https://security-cen...anguageid=en-fr

 

 

 

 Description: 

In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience.

As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk. Systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted.

 

Place to keep an eye on:

https://www.cs.cmu.e.../bad_thing.html

 

:duff:

Wonko



#5 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10465 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 2 weeks ago

Thanks for sharing. Really interesting material, kind of beats down the whole argument of "It can't work without it".

 

:cheers:



#6 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13787 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 2 weeks ago

Thanks for sharing. Really interesting material, kind of beats down the whole argument of "It can't work without it".

 

:cheers:

Yep, but the other news are that not only it is a largely undocumented and likely suitable to infection/bad use subsystem, it is also not (at the moment) usable for (legit) purposes.

 

Once seen how the new UEFi paradigm (that notwithstanding the utter stupidity of its implementation had some potentialities) is seemingly deemed to be an unused for practical purposes added layer of complexity as no programmer (with the exception of Akeo  :worship: ) is seemingly interested in writing native, useful programs for the UEFI environment, the IME could be a possible target since after all it runs Minix :w00t:

http://hexus.net/tec...uns-minix-3-os/

https://www.networkw...s-to-intel.html

 

and, being in Ring-3, has access to "everything", and of course porting to minix tools developed for *nix/Lunux should be a breeze, and the (good) Google guys are trying to do exactly that, see the linked to .pdf:

https://schd.ws/host... with Linux.pdf

 

Having available "natively" a shell and common commands with access to the hardware with the code independent from mass storage devices would represent a very useful solution for - besides multibooting - every kind of recovery processes without the *need* of booting from external media, and also an "instant on" OS of sorts...

 

:duff:

Wonko 



#7 IAmTheTrueMeaningOfCovfefe

IAmTheTrueMeaningOfCovfefe

    Silver Member

  • Advanced user
  • 578 posts
  • Location:In hiding
  • Interests:An investigation is underway to determine whether Trump has any ties to America.
  •  
    United States

Posted A week ago

If this hidden CPU is allegedly running on a different ring and is invisible to all OSes, then how are tools like MECleaner able to interact with it.  Is it truly 100% ghosted from normal OSes?  If not, then how to detect its' existence from within an OS?



#8 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10465 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted A week ago

MECleaner doesn't interact with the partition, it builds a modified partition from a given image that you have acquired and then you still have to flash back the image by yourself.

 

More details: https://github.com/c...w-does-it-work?

 

It could be interesting to run these secret UEFI partitions inside an emulator, to them make them talk with the network and check if the other CPU/OS could detect the network activity (or not). Otherwise it is a perfect stealth way to check what you are doing that no security product can reach from within the main OS.

 

:cheers:



#9 IAmTheTrueMeaningOfCovfefe

IAmTheTrueMeaningOfCovfefe

    Silver Member

  • Advanced user
  • 578 posts
  • Location:In hiding
  • Interests:An investigation is underway to determine whether Trump has any ties to America.
  •  
    United States

Posted A week ago

@Nuno: What secret UEFI partitions are you referring to? It's my understanding that this hidden CPU is literally a part of the onboard Intel CPU, there must be some code hardwired into it. And why run something in an emulator, when you can just run it real/live? Emulators have purposes, but I don't think it applies here. There probably isnt anything you'll detect in an emu that can't be spotted otherwise. Maybe you mean emulating the OS of the hidden CPU itself (Minix), to try to make it act as identical as possible? No software is perfect, Intel cant foolproof it. Otherwise disabling/hindering would be absolutely impossible. The purpose of a cracker (i.e. illegal hacking) is to make the hackers (white hats) work harder to make something better. And the crackers in turn circumvent the security and it just goes on and on. One cant coexist without the other, and both depend on each other. Piracy is a perfect example. It's the classic good guys vs bad guys scenario.

 

I think maybe with a standalone firewall (hardware or software) standing between the PC with the hidden CPU and acting as the gateway to the Internet, any networking activity by the hidden CPU would be detected no matter what, if the firewall is comprehensive and configured properly. So basically, let an outsider do the inspecting instead of trying to detect from an OS installed on the same PC as the hidden CPU. This CPU most probably sends all data via known and standardized protocols.

 

In any case, this is definitely a security concern nonetheless, but I doubt Intel is doing anything dubious by issueing secret directives to the hidden CPU to transmit unknown outbound data. Except maybe if called upon by the NSA/CIA/etc specifically targeting a particular person/entity. Or perhaps maybe for business purposes (i.e. to gain a competitive edge or whatever).

 

I assume that a kernel operates in a different ring than an installed OS, each ring has its' own set of privileges, so it must be possible to detect this hidden CPU in some way.



#10 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10465 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted A week ago

The purpose of the emulator is like one of those sand farms for ants where you can see the internals in full detail.

Otherwise with real hardware you are merely looking at where the ants enter/exit.

 

Natural_History_Museum_-_ant_colony.jpg

 

The UEFI partition is merely containing the hidden files for the Minix OS.

 

I'm doubting that only the standard TCP/IP format is used for communication over that "friendly" CPU, we might be discovering even more as this topic takes the spotlight in security. Let's see.


  • wean_irdeh likes this

#11 IAmTheTrueMeaningOfCovfefe

IAmTheTrueMeaningOfCovfefe

    Silver Member

  • Advanced user
  • 578 posts
  • Location:In hiding
  • Interests:An investigation is underway to determine whether Trump has any ties to America.
  •  
    United States

Posted A week ago

@Nuno: OK, now I see why an emu might be useful.

 

By the UEFI partition, I think you mean the EFI system partition, which is typically FAT32/vfat (but not always, my FreeBSD 11 test installed created it as FAT16). If the files are in there, then they're plainly visible. The only possibilities I can think of would be for the OS to hide its' hidden files embedded somewhere within this partition but not as files/directories (kind of like how you can hide files in a partition with steganography, only discoverable by deep analysis). Or maybe they piggyback on the names of known legit files, hiding within. Only issue with the code being in the UEFI partition is that it is easily wipeable, so not persistent. A more likely location would be to encrypt and embed it in the code of the CPU/motherboard.

 

If they are using something other than TCP/IP, then it probably would have to be a protocol known only by Intel and a select few others, so very hard to detect (and not blockable by a standard software/hardware firewall).



#12 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13787 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted A week ago

No, the "hidden UEFI partition" is in some parts of the flash memory where the Minix is "embedded", it is a "partition on chip" (indexed through a slightly differently partition table structure than usual):

 

https://github.com/c...w-does-it-work?

 

http://me.bios.io/ME...ion_descriptors

 

:duff:

Wonko


  • Nuno Brito likes this




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users