The Intel Management Engine (ME) is a component embedded within Intel CPUs which is separate from the main processor, BIOS and operating system. It has been criticized as a security risk and as a possible backdoor for various groups, including the NSA.
In response to these claims, Intel has denied any backdoors or providing access to computing systems without the explicit permission of the end user. However, Intel does acknowledge that it sometimes explores modifying or disabling certain features at the request of equipment manufacturers, in support of their customers' evaluation of the US government's “High Assurance Platform” program.
To mitigate the Intel ME on their devices, the NSA had a High Assurance Platform (HAP) disable bit implemented. This was discovered by Positive Technologies experts, who confirmed the HAP disable bit with Intel. Positive Technologies warned that this method might be dangerous, as it was not thoroughly tested and could potentially damage or destroy a computer.
The Intel ME also has full access to memory and the TCP/IP stack, and its firmware is signed with an RSA-2048 key. It can send and receive network packets even if the OS is protected by a firewall, and it is difficult to disable without compromising the boot-up process. Furthermore, the health of the ME firmware cannot be audited, and no one outside of Intel has seen the code for the ME.
Despite Intel denying any malicious intent, many experts still believe that the ME is a backdoor and should be disabled. To learn more about the Intel ME and how to disable it, please refer to the references listed below.
Well, this is uncool, but what about the HAP?
The High Assurance Platform (HAP) is a secure computing platform program run by the US National Security Agency (NSA) in cooperation with the tech industry. It was designed to develop the 'next generation' of secure computing platforms, allowing secure data movement between domains. Interestingly, it was discovered that the NSA had an undocumented bit called “reserve-hap” implemented which, when set to “1”, disables the Intel ME. This was apparently done at the request of equipment manufacturers and customers evaluating the HAP program, and the modifications underwent only a limited validation cycle.
Some PCs use Intel ME to initialize or manage certain system peripherals and/or provide silicon workarounds, which means the user may lose functionality by disabling it.
The idea behind High Assurance systems is to make claims about the system's behavior and provide evidence that it will behave as described. This is achieved through a combination of formal software verification methods, third-party expert evaluation, security testing and analysis. Typically, these systems are more constrained than traditional cybersecurity products, such as signature-based malware detection and AI-based anomaly detection. This means their risks can be more effectively quantified and mitigated.
The Intel Management Engine (ME) is an embedded program which cannot be completely wiped from the system. However, it can be disabled by setting the “reserve-hap” bit to “1”. This can be done by disabling Intel Active Management Technology (AMT) in the BIOS. Depending on the Hewlett-Packard (HP) model, users should go to BIOS Advanced > Remote Management Options > Active Management / Unconfigure AMT on next boot and set the Intel AMT option (Enabled/Disabled) to Disabled. Some HP models require pressing CTRL+P to access the AMT menu and setting Intel ME Control State (Enabled/Disabled) there. Once these steps are completed, the Intel ME tool will be disabled and any associated components will be uninstalled.
Conclusion, am I forked? 🤔
Well, yes and no: for some devices there is the possibility to partially disable the Intel ME, even if this wasn't intended by the manufacturer, e.g. via Coreboot.
But the best method to avoid this would be to buy a device which is already corebootified or allows the ME to be partially disabled from the BIOS. Keep in mind, this nasty son of a feature can't be disabled completely.
tuxedocomputers.com offers such devices; so do puri.sm, system76 and some other vendors.
Like to feel your pulse rising? :D
Aight, open your sweet terminal (mostly Ctrl+Alt+T):
git clone --depth=1 https://review.coreboot.org/coreboot
cd coreboot/util/intelmetool/
sudo apt install -y libpci-dev zlib1g-dev
make
sudo ./intelmetool -m
And got any warnings? :D
If so…
Good, good, proceed…
On Ubuntu 22.04, you can check if Intel AMT is active using the terminal. First, you need to clone the mei-amt-check repository from GitHub:
$ git clone https://github.com/mjg59/mei-amt-check.git
Once cloned, change directories into the new mei-amt-check folder and run the make command to build the program:
$ cd mei-amt-check
$ make
Next, run the mei-amt-check program with sudo:
$ sudo ./mei-amt-check
This command will output whether or not Intel AMT is enabled and provisioned on your machine. If it is enabled, the output should look something like this:
AMT present: true
AMT provisioning state: provisioned
Flash: 9.1.42
Netstack: 9.1.42
AMTApps: 9.1.42
AMT: 9.1.42
Sku: 8
VendorID: 8086
Build Number: 3002
Recovery Version: 9.1.42
If the output instead reads “Intel AMT: DISABLED”, then Intel AMT is disabled on the system.
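For checking more than one box, it helps to turn the mei-amt-check output into a machine-readable verdict. The following is an added example, not part of this post and not part of the mei-amt-check project: it parses the key: value lines shown above into a dict and classifies the box as exposed (AMT present and provisioned), dormant (present but not provisioned), disabled, or absent. The “Intel AMT: DISABLED” line and the provisioned sample are taken from this page; the spelling “unprovisioned” and “AMT present: false” for the other states are assumptions about the tool's wording.

```python
# Constructed samples of mei-amt-check output. The first one is the
# provisioned example shown in this post; the others are assumed formats.
SAMPLE_PROVISIONED = """AMT present: true
AMT provisioning state: provisioned
Flash: 9.1.42
Netstack: 9.1.42
AMTApps: 9.1.42
AMT: 9.1.42
Sku: 8
VendorID: 8086
Build Number: 3002
Recovery Version: 9.1.42
"""
SAMPLE_UNPROVISIONED = "AMT present: true\nAMT provisioning state: unprovisioned\n"
SAMPLE_DISABLED = "Intel AMT: DISABLED\n"   # wording from this post
SAMPLE_ABSENT = "AMT present: false\n"       # assumed wording


def parse_amt_check(output: str) -> dict:
    """Split each 'key: value' line of mei-amt-check output into a dict.
    Lines without a colon (blank lines, warnings) are ignored."""
    fields = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def classify_amt(output: str) -> str:
    """Return a risk label for one machine:
    exposed  - AMT present and provisioned: remote management is reachable
    dormant  - AMT present but not provisioned: firmware still active
    disabled - the tool reports Intel AMT: DISABLED
    absent   - no AMT found
    unknown  - output did not match any expected format"""
    fields = parse_amt_check(output)
    if fields.get("Intel AMT", "").upper() == "DISABLED":
        return "disabled"
    present = fields.get("AMT present", "").lower()
    if present == "false":
        return "absent"
    if present != "true":
        return "unknown"
    state = fields.get("AMT provisioning state", "").lower()
    return "exposed" if state == "provisioned" else "dormant"


def amt_firmware_version(output: str) -> str:
    """Firmware version as printed on the 'AMT:' line, or '' if not present."""
    return parse_amt_check(output).get("AMT", "")
```

Feed it the real output with `classify_amt(subprocess.check_output(["sudo", "./mei-amt-check"], text=True))` and keep the version string for comparing against vendor advisories.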
Alternatively, you can use the Nmap tool to scan for Intel AMT. Download the script http-vuln-cve2017-5689.nse with wget or curl:
$ wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5689.nse
Run nmap against the target IP address with the script:
$ nmap -p 16992 --script http-vuln-cve2017-5689 <target_ip>
If Intel AMT is enabled and provisioned, the output should indicate that the port is open and that it is vulnerable to CVE-2017-5689.
Annotation of 2nd editor:
What about AMD, then? Well… Still forked :D
“Fun fact: AMD has similar criticism for their CPUs, their ME equivalent is called PSP. Maybe in the future I will write an article about it too.” 😉
Reference Links:
- https://www.cyberciti.biz/faq/how-to-check-whether-amt-is-enabled-and-provisioned-under-linux/
- https://manpages.ubuntu.com/manpages/trusty/man7/amt-howto.7.html
- https://www.intel.com/content/www/us/en/support/articles/000054916/technologies.html
- https://virtualizationreview.com/articles/2020/01/13/configuring-intel-amt.aspx
- https://www.cyberciti.biz/faq/remotely-access-intel-amt-kvm-linux-desktop/
- https://github.com/corna/me_cleaner/wiki/Get-the-status-of-Intel-ME
- https://www.intel.com/content/www/us/en/support/articles/000039084/technologies/intel-active-management-technology-intel-amt.html
- https://www.partitionwizard.com/resizepartition/intel-management-engine-components.html
- https://www.reddit.com/r/thinkpad/comments/cnel4o/disable_intel_me_and_amt_thinkpad_t420/
- https://www.ptsecurity.com/ww-en/analytics/disabling-intel-me-11-via-undocumented-mode/
- https://www.embedded.com/high-assurance-software-engineering-improves-embedded-design-security/
- https://freeandfair.us/articles/what-is-high-assurance/
- https://www.csoonline.com/article/3220476/researchers-say-now-you-too-can-disable-intel-me-backdoor-thanks-to-the-nsa.html
- https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Disabling_the_Intel_Management_Engine
- https://www.ul.com/services/ul-cybersecurity-assurance-program-ul-cap
- https://news.ycombinator.com/item?id=15117026
- https://m.digitalisationworld.com/blogs/56054/high-assurance-security-why-should-we-care
- https://fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf
- https://www.zdnet.com/article/researchers-say-intels-management-engine-feature-can-be-switched-off/
- https://www.bleepingcomputer.com/news/hardware/researchers-find-a-way-to-disable-much-hated-intel-me-component-courtesy-of-the-nsa/
- https://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/
- https://en.wikipedia.org/wiki/Intel_Management_Engine
- https://hackaday.com/2017/12/11/what-you-need-to-know-about-the-intel-management-engine/
- https://puri.sm/learn/intel-me/
- https://www.quora.com/Is-the-Intel-Management-Engine-one-of-the-backdoors-that-NSA-uses-to-spy-on-citizens