The Intel Management Engine (IME) is a component of virtually every Intel CPU released after 2008. Think of it as a CPU on top of a CPU; it does tasks separate from the main operating system while the computer is in use. Intel argues that it can be used to do remote administration tasks, although the likes of the EFF have long argued that having a “black box” that can control networking and hardware, even when the computer is switched off, represents a major security and privacy risk.
Turns out they were right. Security firm Positive Technologies reports being able to execute unsigned code on computers running the IME through USB. The fully fleshed-out details of the attack are yet to be known, but from what we know, it’s bad.
— Maxim Goryachy (@h0t_max) November 8, 2017
Essentially, the IME is linked to JTAG (Joint Test Action Group) debugging ports. USB ports also use JTAG. For this attack, Positive Technologies figured how to bridge the gap, although as previously mentioned, they haven’t gone into specifics of how. Yikes.
Fortunately, this particular attack vector only affects Skylake and above CPUs, although, like I said, pretty much every Intel CPU released after 2008 includes the Intel Management Engine.
This isn’t the first time that researchers have uncovered substantial security issues in the IME. This time around, the main issue is that it’s exploitable via USB, which is a common attack vector. The Stuxnet malware, for example, which was credited with temporarily interfering with Iran’s nuclear program, was initially spread via infected USB sticks deliberately dropped on the ground.
Here, we can perceivably imagine an adversary gaining “godmode” on a computer by using the same tactic — because, let’s face it, if someone finds a flash drive on the floor, they’ll probably plug it in.
Frustratingly, it’s impossible to remove the Intel Management Engine entirely. It’s a physical component, baked into the heart of your computer’s CPU. It is, however, possible to switch out the IME’s firmware, essentially neutering it.
Interestingly, there’s growing a niche for computers without the technology. One San Francisco company, Purism, sells laptops without IME. When reached for comment, Purism’s founder and CEO Todd Weaver, said, “The Intel ME, long theorized to be the scariest of threats is no longer is just theory. Having access to any Intel machine just above hardware and lower than all software means an attacker or criminal has complete control over everything; encrypted storage, secret keys, passwords, financial details, everything on your computer or that your computer does. All the things you hoped were safe are not.”
“Purism previously disabled the Management Engine in our laptops because we knew it was only a matter of time before this theoretical threat became reality. Purism is the only company to ship laptops with the ME disabled by default, and we invest in security enhancements on our hardware, benefiting users around the globe,” he added.