Disabling the Intel Management Engine

Posted by Megalith (staff member, joined Aug 20, 2006)
Sakaki has published an updated guide for those who consider the Intel Management Engine (IME) an unacceptable security risk and wish to disable it. The IME is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs that has full network and memory access and runs proprietary, signed, closed-source software at ring -3, independently of the BIOS, main CPU, and platform operating system.

You may wonder how this can work at all, given that the ME's code is signed. The reason is that the ME's software is deployed as individually signed modules that are signature checked only when loaded -- and they are lazy loaded. The very first module, BUP, contains the watchdog timer reset, and is left alone by me_cleaner. Once BUP has completed, the ME will either enter a “parked” state (if the HAP/AltMeDisable bit is respected) or try to load the RTOS kernel (if not). In the former, the ME is cleanly disabled. In the latter, the signature check fails and the ME effectively crashes. Either way, it is out of action from that point.
 
Isn't there an option in the EFI to disable this? I thought I saw it somewhere...
 
This does not look short and easy.

The process we will be following is as follows:
  • ensuring you have the necessary components available;
  • locating (and identifying) the BIOS flash chip on your target PC;
  • setting up a Raspberry Pi 3 Model B ('RPi3') as an in-system flash programmer;
  • reading the original firmware from the BIOS flash chip (and validating this), using the RPi3;
  • creating a modified copy of this firmware using me_cleaner;
  • writing the modified copy of the firmware back to your PC's BIOS flash chip, again using the RPi3;
  • restarting your PC, and verifying that the IME has been disabled.
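The procedure listed above, written out as a shell script with the checks a practitioner would add between the steps. This is an added example, not code from Sakaki's guide or from anyone in this thread. It assumes the RPi3's SPI bus is exposed as /dev/spidev0.0 and driven at 8 MHz, that flashrom and me_cleaner.py are installed, and that the flash chip's flashrom name (identified in step two) is passed on the command line; the helper names and the size/consistency checks are my own.

```shell
#!/bin/sh
# Added example (not from the guide or the thread): RPi3 in-system programming
# of the BIOS chip plus me_cleaner, with a sanity check after every step.
# Assumed: SPI on /dev/spidev0.0 at 8 MHz, flashrom and me_cleaner.py on PATH,
# chip name supplied by the user ("run <chipname>").

SPI="linux_spi:dev=/dev/spidev0.0,spispeed=8000"   # assumed wiring and speed

# A SPI BIOS chip is a power-of-two size (commonly 4, 8 or 16 MiB). Anything else
# usually means a wrong chip name or a truncated read.
flash_size_ok() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -ge 1048576 ] && [ $((size & (size - 1))) -eq 0 ]
}

# Two consecutive reads must be byte-identical: flaky clip contact or too high
# an SPI clock shows up as dumps that differ.
dumps_match() {
    [ -s "$1" ] && [ -s "$2" ] && cmp -s "$1" "$2"
}

# Same-size check used before writing back: me_cleaner rewrites the image in
# place, so the modified file must be exactly as large as the original.
sizes_equal() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$(wc -c < "$2" | tr -d ' ')" ]
}

# Step 4: read the chip twice and keep the dump only if both reads agree.
read_firmware() {
    chip=$1; out=$2
    flashrom -p "$SPI" -c "$chip" -r "$out" || return 1
    flashrom -p "$SPI" -c "$chip" -r "$out.second" || return 1
    dumps_match "$out" "$out.second" && flash_size_ok "$out"
}

# Step 5: -S sets the HAP/AltMeDisable bit AND strips the non-essential modules
# (-s would set the bit only). BUP is left intact either way.
clean_firmware() {
    python3 me_cleaner.py -S -O "$2" "$1"
}

# Step 6: write back; flashrom reads the chip again and verifies it by default.
write_firmware() {
    chip=$1; img=$2
    flashrom -p "$SPI" -c "$chip" -w "$img"
}

disable_me() {
    chip=$1
    read_firmware "$chip" original.bin || { echo "read failed or unstable"; return 1; }
    sha256sum original.bin > original.sha256          # keep for recovery
    clean_firmware original.bin modified.bin || return 1
    sizes_equal original.bin modified.bin || { echo "image size changed"; return 1; }
    python3 me_cleaner.py -c modified.bin || return 1  # integrity check of the result
    write_firmware "$chip" modified.bin
}

case "${1:-}" in
    run) disable_me "$2" ;;
esac
```

Keep original.bin and its hash somewhere off the target machine; if the PC does not POST after the write, the same script's write step with original.bin restores it. Step 7 (confirming the ME is actually disabled after boot) is done on the target, not the RPi3; coreboot's intelmetool is one tool that reports the ME state.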
 
This does not look short and easy.

I think he was joking, meaning it looked too complicated.
 
I never understood the purpose of these kinds of technologies besides restricting what OS you can run. If someone has physical access, even this kind of security is pointless. All it really does is restrict legitimate use and provide more opportunities for backdoors ordinary users will have no visibility into.
 
The purpose is likely a backdoor. Bill Binney on a Reddit AMA clearly said no PC hardware, OS, or phone is safe, but I still like to make it difficult for them. I use Windows 10 at home for work and gaming but strip all the bloat out of an untouched image using the MSMG ToolKit at MDL and disable automatic updates. I run my own mail server. I unplug the PC mic when not in use. I don't buy any IoT crap. Does anyone still offer a phone with no display and no GPS, or is this mandatory now?
 
Wow I had no idea, thanks for the info.
I read a whole thing on it, long ass article, only understood partially, but it differs from Intel in quite a few key aspects that make it more secure and better implemented.
 
The purpose is likely a backdoor. Does anyone still offer a phone with no display and no GPS or is this mandatory now?
They get you with the baseband modem. This is why people put reed switches in Motorola v3is.
Yes, it is a backdoor. I was trained on IME when it first came out and asked exactly that question, as I could see zero benefits for my customers, nor any capabilities we didn't already have, if required, via software. Theft recovery was one of the main reasons pushed, lol.
 
The purpose is likely a backdoor. Bill Binney on a Reddit AMA clearly said no PC hardware, OS, or phone is safe, but I still like to make it difficult for them. I use Windows 10 at home for work and gaming but strip all the bloat out of an untouched image using the MSMG ToolKit at MDL and disable automatic updates. I run my own mail server. I unplug the PC mic when not in use. I don't buy any IoT crap. Does anyone still offer a phone with no display and no GPS, or is this mandatory now?

10 minutes of research on Binney, and while I think his heart is in the right place, he has said some really, really stupid things. His Reddit AMA is pretty interesting.

But here is a real winner from wikipedia:
"[A]ccusations of a major Russian "invasion" of Ukraine appear not to be supported by reliable intelligence. Rather, the "intelligence" seems to be of the same dubious, politically "fixed" kind used 12 years ago to "justify" the U.S.-led attack on Iraq.[21]"

Really? Russia didn't invade Crimea/Ukraine? OK chief.

Anyway, we can all be very sure that all the electronics and PC goodies we have can be used and exploited by hackers or governments or whomever. Lock your shit down, disable stuff you don't need, and for the love of God don't buy into the internet of spying things.
 
So, like, does disabling this unneeded co-processor bring about any side benefits, like less heat, reduced power, or better overclocking stability? I'm pretty sure the watchdog and IME are two of the things Windows 10 crashes on a lot and complains about when I BCLK OC too far on Skylake, coincidentally. I'm rather curious; it's tied to the ring bus after all, and isn't that what BCLK tampers with?
 
I never understood the purpose of these kinds of technologies besides restricting what OS you can run. If someone has physical access, even this kind of security is pointless. All it really does is restrict legitimate use and provide more opportunities for backdoors ordinary users will have no visibility into.

The point is to allow large organizations to manage their computing assets. Technologies like ME are critical to just about every large-scale company that uses computers. ME and ME-like solutions are used on a daily basis by every large-scale server provider and user as well.
 
I read a whole thing on it, long ass article, only understood partially, but it differs from Intel in quite a few key aspects that make it more secure and better implemented.

Yeah, in that it basically doesn't exist in the wild, so no one cares about it because the installed base is basically nil. It's the same argument people were making about Linux before it was a popular target: see, it is so secure. Post-popularity, not so much.
 
Why? It has its own MAC right? Block the MAC at the network layer from leaving your organization. Out of band devices should NEVER be exposed to the internet. Period. No exceptions.
 
The point is to allow large organizations to manage their computing assets. Technologies like ME are critical to just about every large-scale company that uses computers. ME and ME-like solutions are used on a daily basis by every large-scale server provider and user as well.

I understand that, but most of these ME installs are on consumer hardware, not disabled, providing zero value and high levels of risk.
 