Disabling the Intel Management Engine

Discussion in '[H]ard|OCP Front Page News' started by Megalith, Oct 12, 2017.

  1. Megalith

    Megalith 24-bit/48kHz Staff Member

    Messages:
    11,274
    Joined:
    Aug 20, 2006
    Sakaki has published an updated guide for those who consider the Intel Management Engine (IME) an unacceptable security risk and wish to disable it. The IME is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs that has full network and memory access and runs proprietary, signed, closed-source software at ring -3, independently of the BIOS, main CPU, and platform operating system.

    You may wonder how this can work at all, given that the ME's code is signed. The reason is that the ME's software is deployed as individually signed modules that are signature checked only when loaded -- and they are lazy loaded. The very first module, BUP, contains the watchdog timer reset, and is left alone by me_cleaner. Once BUP has completed, the ME will either enter a “parked” state (if the HAP/AltMeDisable bit is respected) or try to load the RTOS kernel (if not). In the former, the ME is cleanly disabled. In the latter, the signature check fails and the ME effectively crashes. Either way, it is out of action from that point.
     
    captaindiptoad likes this.
  2. the-one1

    the-one1 2[H]4U

    Messages:
    2,839
    Joined:
    Jan 16, 2003
    Instructions look short and easy, I'll do this on my lunch.
     
    Nukester likes this.
  3. prime2515102

    prime2515102 [H]ard|Gawd

    Messages:
    1,355
    Joined:
    Mar 3, 2003
    Isn't there an option in the EFI to disable this? I thought I saw it somewhere...
     
  4. WetMacula

    WetMacula Gawd

    Messages:
    521
    Joined:
    Feb 18, 2011
    This does not look short and easy.

    The process we will be following is as follows:
    • ensuring you have the necessary components available;
    • locating (and identifying) the BIOS flash chip on your target PC;
    • setting up a Raspberry Pi 3 Model B ('RPi3') as an in-system flash programmer;
    • reading the original firmware from the BIOS flash chip (and validating this), using the RPi3;
    • creating a modified copy of this firmware using me_cleaner;
    • writing the modified copy of the firmware back to your PC's BIOS flash chip, again using the RPi3;
    • restarting your PC, and verifying that the IME has been disabled.
     
    Stimpy88, captaindiptoad and Armenius like this.
  5. the-one1

    the-one1 2[H]4U

    Messages:
    2,839
    Joined:
    Jan 16, 2003
    Would it be faster to just rip out the chip?
     
  6. Nukester

    Nukester Gawd

    Messages:
    975
    Joined:
    Mar 21, 2016
    I think he was joking, meaning it looked too complicated.
     
  7. Motley

    Motley 2[H]4U

    Messages:
    2,196
    Joined:
    Mar 29, 2005
    Good thing I don't have any Intel PCs, Ryzen for the win!
     
  8. Sikkyu

    Sikkyu I Question Reality

    Messages:
    2,601
    Joined:
    Jan 21, 2010
    Ryzen has these too its just named something else.
     
  9. Armenius

    Armenius [H]ardForum Junkie

    Messages:
    11,509
    Joined:
    Jan 28, 2014
    aaronspink, captaindiptoad and d50man like this.
  10. Motley

    Motley 2[H]4U

    Messages:
    2,196
    Joined:
    Mar 29, 2005
    Armenius likes this.
  11. Jim Kim

    Jim Kim [H]ard|Gawd

    Messages:
    1,765
    Joined:
    May 24, 2012
    Sneaky, you left off the /s, I like it.
     
  12. Nenu

    Nenu Pick your own.....you deserve it.

    Messages:
    17,423
    Joined:
    Apr 28, 2007
    A laser with micron targeting and precise mapping might do it.
    PCs dont work well without a CPU btw.
     
    captaindiptoad likes this.
  13. Monkey God

    Monkey God [H]ardness Supreme

    Messages:
    6,695
    Joined:
    May 7, 2007
    I never understood the purpose of these kinds of technologies besides restricting what OS you can run. If someone has physical access, even this kind of security is pointless. All it really does is restrict legitimate use and provide more opportunities for backdoors ordinary users will have no visibility into.
     
    Stimpy88, captaindiptoad and d50man like this.
  14. WetMacula

    WetMacula Gawd

    Messages:
    521
    Joined:
    Feb 18, 2011
    The purpose is likely a backdoor. Bill Binney on a Reddit AMA clearly said no PC hardware, OS, or phone is safe but I still like to make it difficult for them. I use Windows 10 at home for work and gaming but strip all the bloat out of an untouched image using the MSMG ToolKit at MDL and disable automatic updates. Run my own mail server. Unplug the PC mic when not in use. Don't buy any IOT crap. Does anyone still offer a phone with no display and no GPS or is this mandatory now?
     
    captaindiptoad and d50man like this.
  15. Uvaman2

    Uvaman2 [H]ard|Gawd

    Messages:
    1,520
    Joined:
    Jan 4, 2016
    I read a whole thing on it, long ass article, only understood partially, but it differs from Intel in quite a few key aspects that make it more secure and better implemented.
     
  16. N4CR

    N4CR 2[H]4U

    Messages:
    2,134
    Joined:
    Oct 17, 2011
    They get you with the baseband modem. This is why people put reed switches in Motorola v3is.
    Yes it is a backdoor. I was trained on IME when it first came out and asked exactly that question, as I could see zero benefits for my customers and neither any capabilities we didn't already have if required via software. Theft recovery was one of the main reasons pushed lol.
     
  17. Monkey God

    Monkey God [H]ardness Supreme

    Messages:
    6,695
    Joined:
    May 7, 2007
    10 minutes of research on Kinney and while I think his heart is in the right place he has said some really, really stupid things. His reddit AMA is pretty interesting.

    But here is a real winner from wikipedia:
    "[A]ccusations of a major Russian "invasion" of Ukraine appear not to be supported by reliable intelligence. Rather, the "intelligence" seems to be of the same dubious, politically "fixed" kind used 12 years ago to "justify" the U.S.-led attack on Iraq.[21]"

    Really? Russia didn't invade Crimea/Ukraine? OK chief.

    Anyways - we can all be very sure that all the electronics and PC goodies we have can be used and exploited by hackers or governments or whomever. Lock your shit down, disable stuff you dont need and for the love of God don't buy into the internet of spying things.
     
  18. knowom

    knowom [H]Lite

    Messages:
    121
    Joined:
    Aug 15, 2008
    So like does disabling this unneeded co-processor bring about any side benefits like less heat reduced power better overclocking stability? I'm pretty sure watchdog and IME are two of the things that windows 10 crashes a lot from and complains about when I BCLK OC too far on Skylake coincidentally. I'm rather curious it's tied to ring bus after all and isn't that what BCLK tampers with?
     
  19. bbs lm-r

    bbs lm-r Limp Gawd

    Messages:
    271
    Joined:
    Sep 2, 2010
    Here I was thinking I was slick by just never installing the driver. facepalm.
     
  20. aaronspink

    aaronspink Gawd

    Messages:
    650
    Joined:
    Jun 7, 2004
    The point is to allow a large organizations the ability to manage their computing assets. Technologies like ME are critical to just about every large scale company that uses computers. ME and ME like solutions are used on a daily basis by every large scale server provider and user as well.
     
  21. aaronspink

    aaronspink Gawd

    Messages:
    650
    Joined:
    Jun 7, 2004
    Yeah in that it basically doesn't exist in the wild so no one cares about it because the installed base is basically nil. The same argument people were making about linux before it was a popular target: see it is so secure. Post-popularity, not so much.
     
  22. aaronspink

    aaronspink Gawd

    Messages:
    650
    Joined:
    Jun 7, 2004
    Yeah, there is literally nothing there that makes it apriori more secure. Like literally everything else, they don't attack the peripheral, they attack into the core. Get control of the secure engine and you control the world. If you are trying to rely on memory encryption, the world is already broken to the point that it doesn't matter.
     
    Last edited: Oct 13, 2017
  23. kju1

    kju1 [H]ard|Gawd

    Messages:
    1,421
    Joined:
    Mar 27, 2002
    Why? It has its own MAC right? Block the MAC at the network layer from leaving your organization. Out of band devices should NEVER be exposed to the internet. Period. No exceptions.
     
  24. Monkey God

    Monkey God [H]ardness Supreme

    Messages:
    6,695
    Joined:
    May 7, 2007
    I understand that but most of these ME installs are on consumer hardware, not disabled, providing zero value and high levels of risk.