Intel ME – When the sh*t hits the fan :)

      Kommentare deaktiviert für Intel ME – When the sh*t hits the fan :)

You know, there is a lot of cruel stuff going on these days. Freedom is cut away in many places which in many cases is done by taking away power and control. Having full control over something means to have power and to have the freedom to use this power or not.

The Intel ME is a technological implementation of a control device. A device that takes away control and thus power from its users. Even worse it is a hidden control device of which most people are completely unaware of.

For those that do not know, the Intel ME (Management Engine) is basically a second CPU, a second computer, inside your computer. It runs software which you do not know of, which comes from sources that are completely uncontrollable by users and, worst of all, it can not be switched off or modified since the software is encrypted / signed and eliminating it turns your computer into a paper weight.

The ME can be found in most modern Core i Intel PCs. It is based on the embedded x86 Quark architecture and runs its own operating system. This system in your system is capable of accessing network interfaces, other peripherals, main CPU registers and even RAM content. The ME system is able to spy on basically everything that happens inside your computer. Worse than that by being able to access network interfaces without the regular operating system it can be used to sniff data from your system (RAM content, e.g. also passwords, program states etc.) and send it over the network without the user noticing.

The ME was originally intended as a helper for remote system management. Imagine large installations, like server farms, or large distributed installations in companies. It is marketed as an administration help so that authorized sysadmins can remotely update or even install systems, debug them etc. even when the operating does not allow any remote access anymore (maybe due to a fault or bug or a user mistake). Sounds like a good idea?

In general yes. Something like this is useful and can save many work hours for sys admins. What makes it a little fishy is that Intel did and does not release any documentation or information about the ME whatsoever. Nothing. The firmware running on the ME is a pretty huge binary blob, several megabytes and it is cryptographically signed. The keys for signature checking are hard coded into the main CPU so they can not be changed thus the ME firmware can not be changed until Intel does it – oh, did I mention that the signature keys are of course not releases as well? They are not.

One could argue, well, this is of course for “security”, Intel is a big company, they can be trusted, yadda yadda yadda. Yes, but no. first of all, like all software also the ME by definition does contain bugs. Since the ME has almost unlimited access to system internals any bug can cause severe problems. We are not talking about an application that might crash or malfunction. we are talking about a complex machinery that can easily exploit anything in your PC, also your passwords, codes, access data, keys – anything! Since we only have binaries and no documentation at all these can not be audited so we can not trust them at all – and we must not trust them either. And like it was to be expected during the past months several bugs have been found, some even pretty serious, like Intel SA-00075.

But there is at least one more thing that really makes one wonder. The ME is known to exist for some time now. There are non-US agencies that also use PCs but need to be sure that these are safe to use. Having a large chunk of software in your PC which can not be audited is per definition unsafe. For example the German BSI, the “federal agency for security in IT”, asked Intel several times if there is a way to switch off the ME or to get any other form of access to it. Intel replied “no”. But now Intel had to admit that there is an ME-off switch! The Russian security group “Positive Technologies” dug deep into the ME and its firmware and found the switch to enable what is called “High-Assurance Platform (HAP)”. This mode was explicitly asked for by the US NSA but until now Intel denied this mode to others. This HAP mode seems to mostly disable the ME at runtime, exactly what the BSI asked for and what many other security and privacy concerned users would want for sure.

So this boils down to the single final conclusion, even if it was not designed for it, and we have no reason to believe that it wasn’t, the ME can be and potentially is used as a spy tool. Worse than that the denial of way to circumvent the ME to others than the US NSA proves that Intel is silently collaborating with US intelligence agencies against foreign agencies and all users of recent Intel PC technology. This is alarming.

It makes it ultimately clear that all users of recent Intel PC technology implementing a ME must be made aware of this. And we must fight for ways to disable and circumvent it. We, the users, and our freedom are under attack and a technology (almost) monopolist is proliferating spyware technology. We must not accept this!

There are only few ways around it.

First of all there is Coreboot, a free PC BIOS implementation. Using a free BIOS we can get rid of BIOS parts that might endanger our security and only free software can be freely audited for security flaws. Coreboot can thus also use neutered init which avoids most parts of the ME firmware. We do not know enough yet to neuter it fully since parts of the ME firmware also initialize parts of the system or CPU (like DRAM timing etc.). But using tools like ME-Cleaner large chunks of the binary only ME firmware can be taken away. Now with the findings of Positive Technologies we might also be able to implement a HAP switch in Coreboot hopefully disabling the parts that ME-Cleaner was not able to get rid of.

Doing this is already hard for hardcore nerds and developers but close to impossible for regular users. Thus it needs people and companies do it for them. Currently there are almost no hardware vendors which care about these issues and ship with Coreboot and neutered ME, except for one, Purism. Their laptops now come with Coreboot pre-installed and an as neutered as possible ME, though these laptops are a little more expensive. What is the price tag for your freedom?