Researchers from Positive Technologies — a provider of enterprise security solutions — have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs.
Intel ME is a separate processor embedded with Intel CPUs that runs its own operating system complete with processes, threads, memory manager, hardware bus driver, file system, and many other components.
Intel has always advertised Intel ME as a way for companies to manage computers running on their internal networks. Intel ME includes tools that allow system administrators to monitor, maintain, update, upgrade, and repair computers from a remote, central location.
At the hardware level, Intel ME is nothing more than a microcontroller embedded on the Platform Controller Hub (PCH) chip, the component that handles all communication between the actual Intel processor and external devices.
Because of its location, all these data streams pass through Intel ME, which in hindsight, is how sysadmins can manage remote computers.
Outside the small circle of system administrators that know how useful the component can be, Intel ME has garnered an atrocious reputation, many calling it a backdoor [1, 2, 3, 4]. This is because Intel ME's firmware is undocumented and compressed to hide its content. Intel has denied all such accusations.
Many have failed because Intel has interwoven the ME component within the boot-up process. Intel ME is responsible for the initialization, power management, and launch of the main processor.
Disabling Intel ME crashes computers. Because of this, many experts have resorted to slimming down the ME firmware by disabling as much as it can be disabled without preventing the boot-up process.
What Positive Technologies experts discovered is nothing short of miraculous, as firmware experts have been searching for a way to disable ME for years.
According to a highly technical blog post, Positive Technologies experts revealed they discovered a hidden bit inside the firmware code, which when flipped (set to "1") it will disable ME after ME has done its job and booted up the main processor.
The bit is labelled "reserve_hap" and a nearby comment describes it as "High Assurance Platform (HAP) enable."
High Assurance Platform (HAP) is an NSA program that describes a series of rules for running secure computing platforms.
Researchers believe Intel has added the ME disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments. ME or any vulnerabilities in its firmware could lead to leaks of highly dangerous information, hence the reason why the NSA did not want to take the risk.
In comments provided to Positive Technologies experts, Intel confirmed the HAP disable bit.
In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s “High Assurance Platform” program. These modifications underwent a limited validation cycle and are not an officially supported configuration.
Earlier this year, Embedi researchers discovered a vulnerability in the Intel ME engine that allows an attacker to execute code on remote computers via the Intel ME component. More details about this flaw were presented at the Hack In The Box security conference that took place in Singapore last week.
With the recent disclosure of this highly dangerous Intel ME vulnerability — CVE-2017-5689 — having a way to disable the ME component is more needed than ever.
Furthermore, one cyber-espionage group has already started using other Intel ME vulnerabilities to avoid firewalls and steal data from victims.
Positive Technologies experts warn that using the HAP disable bit might be dangerous as it was not thoroughly tested. Researchers say that the methods described in their blog post are risky and may damage or destroy a computer. Users willing to make this step should do so with the help of a trained hardware or firmware expert.