Apple Ships Laptops with Intel Management Engine Enabled

cageymaru

Apple has shipped laptops with the Intel ME or "manufacturing mode" enabled. Intel practices "security through obscurity" where corporations such as Apple have to sign an NDA before using certain software packages in an attempt to protect intellectual property. Normal users would never know about or be able to test their equipment to find out if Intel ME was left enabled from the factory. Security researchers have discovered a way to exploit Intel ME in such a way that allows attackers to change ME settings and disable security controls, which would lead to new attacks against the chip. Luckily they also have a solution for consumers to use to disable Intel ME.

So one logical question is, how can users close Manufacturing Mode themselves if the manufacturer has failed to do so? To disable Manufacturing Mode, FPT has a special option (-CLOSEMNF) that in addition to its main purpose also allows setting the recommended access rights for SPI flash regions in the descriptor.

Our research shows that Intel ME has a Manufacturing Mode problem, and that even giant manufacturers such as Apple are not immune to configuration mistakes on Intel platforms. Worse still, there is no public information on the topic, leaving end users in the dark about weaknesses that could result in data theft, persistent irremovable rootkits, and even "bricking" of hardware. We also suspect that the ability to reset ME without resetting the main CPU may lead to yet additional security issues, due to the states of the BIOS/UEFI and ME falling out of sync.
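A defensive check related to the post above, as an added example that is not part of the thread or the quoted research: it decodes the ME host firmware status register (HFSTS1) from a PCI config-space dump on Linux. The register offset (0x40 on device 00:16.0) and the bit positions are assumptions taken from coreboot's public ME headers, and the sample dumps are constructed.

```python
import struct
from pathlib import Path

# Assumed layout (not from the thread): HFSTS1 is the 32-bit register at
# offset 0x40 in the PCI config space of the ME interface, device 00:16.0.
HFSTS1_OFFSET = 0x40
MEI_CONFIG = Path("/sys/bus/pci/devices/0000:00:16.0/config")


def decode_hfsts1(config: bytes) -> dict:
    """Decode the ME status register from a raw config-space dump."""
    if len(config) < HFSTS1_OFFSET + 4:
        # Linux gives unprivileged readers only the first 64 bytes,
        # which stop just short of the register.
        raise ValueError("dump too short for HFSTS1; read it as root")
    (raw,) = struct.unpack_from("<I", config, HFSTS1_OFFSET)
    if raw == 0xFFFFFFFF:
        # All ones: the read did not reach a live device (hidden/absent).
        return {"raw": raw, "readable": False, "manufacturing_mode": None}
    return {
        "raw": raw,
        "readable": True,
        "working_state": raw & 0xF,                  # bits 0-3
        "manufacturing_mode": bool((raw >> 4) & 1),  # bit 4
        "fw_init_complete": bool((raw >> 9) & 1),    # bit 9
        "operation_mode": (raw >> 16) & 0xF,         # bits 16-19
    }


def check_local_machine() -> dict:
    """Read the live register through sysfs (Linux, root required)."""
    return decode_hfsts1(MEI_CONFIG.read_bytes())


def make_sample(hfsts1: int) -> bytes:
    """Constructed 256-byte config space: Intel vendor ID plus HFSTS1."""
    cfg = bytearray(256)
    struct.pack_into("<H", cfg, 0, 0x8086)
    struct.pack_into("<I", cfg, HFSTS1_OFFSET, hfsts1)
    return bytes(cfg)


# Constructed samples: identical except for bit 4 (manufacturing mode).
SAMPLE_OPEN = make_sample(0x00000255)
SAMPLE_CLOSED = make_sample(0x00000245)
```

A result with `manufacturing_mode` set to `True` is the condition the post describes as left open by the manufacturer.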
 
Thanks for the heads up. I checked the machine I'm using now and it has manufacturing mode disabled.
 
Intel ME is baked into the chipset. As demonstrated on other x86 motherboards, the CPU will shut itself down after 30s, if you actually, fully, disable Intel ME.

I guarantee you, that you will not be able to fully disable all components of the Intel ME.

This is a back door to all your encryption keys and more. I bet you the FBI uses this to get keys for iCloud, iPhones, and other Apple aspects.

Don't believe the hype, this isn't something you want.
 
It is exactly all of those things. I wasn't briefed under NDA but instead at a hardware tech training course for a large manufacturer when it first came out; they specifically listed remote access and administration as one of the capabilities.
I asked why that was necessary and if it was a security hole back then, just like I asked my bank if the RFID credit cards were a good idea when they came out.
Both are by design insecure, which is the sad reality of much engineering these days.
 
The thing is, the Intel ME's IPKVM and other functionality would be fabulous... _if it were completely optional_. But, since it is not, that becomes a backdoor. I see the value of it in corporate space (but even then, most companies don't take advantage of it).

As for RFID, well, you can use other cards, or destroy the RFID chip itself, and it'll still function. So not quite on the same level, but I get your point. ;)


Agreed 100%.
Later found out it was optional at the time, which was good. I can turn it off on the laptop in question which the course was for ;) just like when it used to be a socketed management engine in the early days. TPM is part of the Management Engine and back then basically was the consumer name for the management engine in the early days, so turning this off is probably quite a rare functionality. Was on a laptop motherboard that was initially built for Core Duos, but could also run C2D (socketed) and still disable the TPM/ME as IIRC it is not supported on the CD.
Agreed, for corporate it's fine, but for 98% of users... a deliberate backdoor for letter agencies and other traitorous groups to pwn you no matter what VPN, firewall or other bullshit you are using.


You're correct, not all credit cards have RFID (mine doesn't but it's a bit different to most lol) and can be disabled if so.
So in that regard, modern IME is worse than even RFID cards >_>
 
No, TPM is NOT the Intel ME. It is disabling the TPM module, that's it.

 
Shocked!!!

Why are you shocked? You'd be surprised about what America's greatest ally does.

lmao, the FBI is too busy arming, training and funding ISIS to care about your data, the only one who has access is Mossad.
 
I welcome you to go read the endless amount of now public documentation on the topic, including independent security studies on it and how to disable it. You don't have to take my word for it, you can look it up for yourself too...
