NordVPN

The Intel Management Engine – a Privacy Nightmare

Douglas Crawford

Douglas Crawford

January 4, 2017

Every modern processor made by Intel contains a backdoor known as the Intel Management Engine (IME). This is an isolated and protected coprocessor that is embedded in all Intel chipsets that are newer than June 2006.

This includes all desktops, servers, ultrabooks, tablets, and laptops with the Intel Core vPro processor family. It includes the Intel Core i3, i5, i7, and Intel Xeon processor E3-1200 product family.

The Intel Management Engine is Really Rather Scary

This closed source non-auditable subsystem can:

  • Access all areas of your computer’s memory, without the CPU’s knowledge.
  • Access every peripheral attached to your computer.
  • Set up a TCP/IP server on your network interface that can send and receive traffic, regardless of whether the OS is running a firewall or not.
  • Run remotely even when your computer is turned off.
  • Enable a remote user to power on, power off, view information about, and otherwise manage your PC.
  • ME firmware versions 4.0 and later (Intel 4 Series and later chipsets) include a DRM application called “Protected Audio Video Path” (PAVP). This allows a remote user to access everything that is shown on your screen.

If your PC uses an Intel chip, then it does not matter which operating system you run. As Brian Benchoff notes in a Hackady blog post,

Own the ME and you own the computer.”

Terrifying as this all is, it gets worse. The AMT application (see below) has known vulnerabilities, which have already been exploited to develop rootkits and keyloggers, and to covertly gain encrypted access to the management features of a PC. As Libreboot notes in its FAQ,

“In summary, the Intel Management Engine and its applications are a backdoor with total access to and control over the rest of the PC. The ME is a threat to freedom, security, and privacy, and the libreboot project strongly recommends avoiding it entirely.

Until now, the only way to do this has been to avoid all generations of Intel hardware newer than ten years old! Unfortunately, opting to use a non-Intel processor does not get you very far…

Non-Intel Chips are Not Safe Either!

All post-2013 AMD chips contain a Platform Security Processor (PSP). Implementation of this is very different from that of Intel’s IME, but it does a very similar thing. It also comes with all of the same basic security and freedom issues as the IM.

Android and iOS devices, on the other hand, all ship with an integrated proprietary chip known as a baseband processor. It is well known in security circles that this can effectively act as a backdoor

So What Exactly is the Intel Management Engine?

The IME is the hardware component of Intel’s Active Management Technology (AMT). It is designed to allow system administrators to remote-access PCs in order to monitor, maintain, update, upgrade, and repair them.

Intel Management Engine (IME)

Other than its capabilities, very little is known about the IME. This is thanks to the fact that it is closed source and secured with an RSA-2048 key. As previously noted, the AMT application has known vulnerabilities, although the IME hardware component remains secure… for now. As Benchoff notes,

There are no known vulnerabilities in the ME to exploit right now: we’re all locked out of the ME. But that is security through obscurity. Once the ME falls, everything with an Intel chip will fall. It is, by far, the scariest security threat today, and it’s one that’s made even worse by our own ignorance of how the ME works.”

With regard to criminal hackers, it is very much a case of when, not if the hardware is cracked. Furthermore, criminal hackers are only one threat to be concerned about.

System administrators gain access to AMT features using cryptographic keys. These could be stolen or handed over to the authorities on receipt of a subpoena, court order, national security letter, or suchlike.

Indeed, given what we know about its close connections with the US technology industry, it would be fair to assume that Intel has simply provided the NSA with the certificates and cryptographic keys necessary to access any and every chip it produces. Again, this is very scary!

How Do I Disable the IM?

Until very recently, it has been impossible to disable the IM on most systems that the use Intel Core 2 series of Intel chips or newer (2006 and onwards). Any attempt to disable the ME firmware on a chip that includes the IME would result in the system refusing to boot or shutting down shortly after booting.

A technique was developed for removing the ME from GM45 chipsets (Core 2 Duo, Core 2 Extreme, Celeron M). It worked, however, because the ME was located on a chip separate from the northbridge.

This technique does not work for Core i3/i5/i7 processors, as the ME is integrated to the northbridge. It is possible to disable key parts of the ME on these chips, but this has always resulted in the PC shutting down after 30 minutes, when the ME’s boot ROM (stored in an SPI Flash) failed to find a valid Intel signature.

Just recently, however, researcher Trammell Hudson found that if he erased the first page of the ME region (i.e. ‘the first 4KB of its region (0x3000, starts with “$FPT”‘) of his ThinkPad x230, it did not shut down after 30 minutes.

This discovery led other researchers (Nicola Corna and Frederico Amedeo Izzo) to write a script that takes advantage of this exploit. Note that this script does not completely remove the ME per se, but it does in practical terms disable it. Benchoff observes,

Effectively, ME still thinks it’s running, but it doesn’t actually do anything.”

The script is known to work on Sandy Bridge and Ivy Bridge processors, and should work on Skylake processors. It may work and Haswell and Broadwell processors, but this has not been tested.

Removing the Intel Management Engibe

Unfortunately, using this script requires serious tech chops. It requires the use of a Beaglebone, an SOIC-8 chip clip, and some loose wires. It also requires a lot of nerve, as there is a serious risk of bricking your processor!

Nevertheless, this is an important development that allows those determined enough to (effectively) remove the backdoor that exists in pretty much every modern processor.

Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

8 responses to “The Intel Management Engine – a Privacy Nightmare

  1. unfortunately intelligent people are rare ; few countries are collecting this resource and support it (Russia e.g.).
    unfortunately the process involved in the development does not depend on an idea : it is a technical problem.
    unfortunately the person who are working on the IME (official or not) do not wish repair, open, erase, replace or change a component, a file, a function.
    They are doing ‘reverse engineering’ & testing for complying with the principles of the free software foundation.

    In the period of Da Vinci,there were different school like today :
    some do want offer free alternatives (FSF e.g.), another should wish that the IME be, with a GUI, set by the owner and not by the seller (INTEL/AMD/longson), personalize the function (anti-thief e.g.) for their personal usage, be not any more implemented as hardware embedded.

    It is a sophisticated product which the cost is high made for being a part of a group on a large scale not for a personal usage (you cannot filter or separate or create something : the program is static but the operator could run it in a dynamic mode (god) : it is a sub-system).

    Your idea is interesting : if the processor is made in a restrict mode (running as a processor and nothing less) you could add in a ROM/flash some functions as sub-system like tor, your certificate, a secure boot, an encrypted file, a secret register/file , a virtual private space, a firewall etc. But all that should have to be put on your mother-card in a separated area and be managed, tweak, replace, set, being in connection with the processor but not be a part of it.
    Maybe this back-door will be forgotten soon ; a safe processor from china or another area (space research e.g.) could solve that by an international open mind and an industry closer of the user.

    1. Hi nine,

      I am sure the IME is genuinely useful for many users of corporate networks. I have no need for it as a private user, however, and should be able to have full control over my system that I purchased.

  2. just off the top of my head without in depth though/critically thinking, in theory, if the IME is “bridged” (for lack of better word) to the main core (seeing as tho the computer can run for 30min apparently just fine before auto shutoff) then would one be able to figure out the primary fundamental spying agent it uses to, say, feed it the info…or if it doesn’t use something to feed it and it actually monitors all things processed individually, then would one be able to find the link from it to the outside world and do something to hinder it’s ability to talk to it(of course using that same hindering method for the former also)???
    like for example, when i would get a stubborn virus that no anti-whatever could get rid of, i would boot into safe mode with no networking, locate the virus (or if i knew where it was already from anti-whatever programs but it kept coming back), rename or relocate a main or many files it relied on or go into the actual file and delete huge swaths of anything that was in it(or the entire file contents but keep the file there and blank). then i would boot the computer up like normal and run the anti-whatever, it would detect it all again and be able to completely delete it after that. sometimes when it was embedded deep enough, i’d repeat that same process, get deeper into the virus to the point where i could totally disable it or completely delete it.

    just off the top of my head from using that method in the past(now smart enough to avoid them or to stop them before they can burrow too deep), you think one would be able to use a similar method to disable it’s connection to the outside world? or disable it completely or completely from spying yet still able to remain there for the computer to verify w/e it needed so it wouldn’t be able to either spy or send spied/collected information off – yet still allow the computer to avoid any auto shutoff due to enough remaining to allow verification(but obv not enough to spy or send info off to a server)?

    OR

    is the IME a bottleneck for any and all processing/interaction with anything with the computer? if everything was forced in a bottleneck through the IME, then i’d assume it would either be pretty difficult or impossible to prevent it from doing any dirty deeds….i guess maybe unless you have a completely separate machine with a program that catches any and all packets of info passed through it and someone was able to identify the specific packets of info going to specific ip’s and made that info public so people could set up their own system and block sending and receiving any kinda info/connection to those ip’s.

    but these are just off the top of my head theories from past experiences with viruses/malware, no deep thought and studying that picture to see if these theories would have a viable angle. so if these arent possible dont think something crazy i just said it for a possible idea for a computer whiz to expand on IF it is worth trying.
    sometimes some of the great ideas were from people who have had no experience in “x” field but put out an idea which later got expanded on from people who were far more advanced/adept in the field…kinda like da vinci and his “air screw” which WAAAY later (like hundreds of years) got advanced by intelligent people into what we know today as the helicopter.

    1. Hi libsh8truth,

      So (as I understand it)… if the ME firmware does not find a valid signature from the Intel IME hardware, it will shut down the system down after 30 minutes. If you delete the first page of the ME region, it does not perform this check and therefore does not know that the hardware has been disabled,

  3. Rootkit could be a better definition.
    Could a founder or a supermarket provide a computer without that backdoor according on the need & wish of users ?
    Where could i find one ?
    How much does it cost ?
    Could a china chip be better or egal to intel/amd ?
    why china does not sell computer with their chip in the e.u ?

    1. Hi hi-obs,

      – You may be right about rootkit. But I think both terms apply, and most people are more familiar with the concept of a backdoor.
      – Most chips these days contain some form of backdoor/rootkit. I am not aware of one existing on something like the Raspberry Pi, but as a UK company and therefore subject to the UK’s just-passed “etxreme” new surveillance legislation, it may soon be required to build one in.

  4. it is a bit biased no ?
    the ime is done for a simple goal : to be a part of a large system easily (yours as a firm, infrastructure, platform, their as a deployment tool, management, support = for your business/benefit & for their help/service = synergy = joint-venture : afaik it is not a confidential information).
    has another founder (from outside usa) made one (chip) without ime yet ?
    you forgot a real danger using coreduo : the gps embedded.
    ime is not a backdoor ; it is a proprietary service (it is not gratis) that you buy (even if you disagree) to be a part of their own professional life (you do not receive a coupon or money for that) but when you blog or tweet is it not the same thing ?
    journalist & blogger earn a lot of money promoting an idea, a concept : marketing is a strong industry.
    a laptop with windows (ime is very closed of a lot of enterprise) is cheaper than without ; and intel is far more powerful than an administration , they work together friendly so using the term “connection” is a bit violent.
    ime is the same problem that you encounter using an usb-key : it is not signed by you !
    have you said leasing ?
    i asked a long time ago about this ‘intel intelligence’ and the answer was clear : if you do not use the service , it does not run … but if your company or your site -4ChoiceLtd(GB)- has like an ‘attractive agreement’, a cool informant or an insider/intruder (or the GHQ) in his structure … does not the service awake suddenly ? … the ime becomes a bridge betraying the validity of your EV (ssl ca) and breaks the chain of trust : i feel that like a toy coming from an insane mind for border-line people.
    have you said that using their products (it could be a camera) you becomes their enemy ?

    1. Hi co-im,

      The IME is a closed source non-auditable hardware subsystem that allows a remote operator to have almost limitless access to your PC, no matter what firewalls, encryption, or other security measure you put into place. By any definition I can think of, this counts as a backdoor.

Leave a Reply

Your email address will not be published. Required fields are marked *

Your Information will never be shared with any third party.
Enter your email address to receive your Beginner's Guide to Online Security for Free
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the ebook:
Your Information will never be shared with any third party.
Enter your email address to receive your Ultimate Online Privacy Guide eBook!
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the eBook:
Special VPN Deal
SAVE 49% TODAY
WITH OUR
Exclusive Offer
Get a Special Deal - 72% OFF!
With a biannual subscription
Exclusive Offer for BestVPN.com Visitors!
50% Off Annual Plan
Limited Time Only
Exclusive price of
$3.25/mo
Exclusive Offer
SAVE 72% TODAY
LIMITED TIME OFFER
Get NordVPN for only
$3.29/month