Researchers at Positive Technologies forced Intel’s hand at revealing that a previously undocumented kill switch exists for its oft-criticized Intel Management Engine, a remote management component of Intel CPUs.
Initially, Positive Technologies set out to disable the feature that some security professionals have deemed a risk. Researchers did create a unofficial workaround dubbed ‘ME Cleaner’, which cripples the feature, but does not eliminate it.
In response to Positive Technologies research and tool, Intel confirmed publicly a kill switch existed for the feature. Intel told Positive Technologies in response to its research:
“In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the U.S. government’s “High Assurance Platform” program. These modifications underwent a limited validation cycle and are not an officially supported configuration.”
For years researchers have attempted to shut off or disable the Management Engine feature, to no avail.
Positive Technologies researchers Mark Ermolov and Maxim Goryachy said they believed the kill switch was introduced by Intel at the behest of the National Security Agency which it said also viewed the Intel Management Engine as a possible weak spot of a system’s endpoint defenses.
Concerns over the Intel Management Engine (ME) have been ongoing for years. In May, Intel patched a critical vulnerability that dated back nine years in the company’s Active Management Technology, which is based on Intel ME. That vulnerability could allow an attacker to gain remote access to AMT services such as the keyboard, video and mouse (KVM), IDE Redirection, Serial over LAN, and BIOS setup and editing.
Suspicions date back to 2012 over Intel’s implementation of Active Management Technology (AMT) with some labeling it a “backdoor enabled by default.” A reported flaw identified in June 2016 by researcher Damien Zammit claimed that there was a remotely exploitable security hole in the Intel Management Engine that created a secret backdoor allowing a third party to use undetectable rootkits against Intel PCs. Intel denied such claims.
Ermolov and Goryachy said they tied the Management Engine kill switch to the NSA when researching a comment line in the documentation of the feature that read “High Assurance Platform.” Further sleuthing revealed the High Assurance Platform descriptor also “belongs to a trusted (computing) platform program linked to the U.S. National Security Agency.” Diving even deeper, it found a utility named “Alt Disable Mode” that they believe is the backdoor switch used to turn off the feature.
At its core, Intel’s Management Engine is an independent microcontroller that handles data traveling between the processor and external devices. It works with Intel’s Platform Controller Hub chipset, and because of its function, it can access communication traveling between the Intel processor and external components.
The Management Engine also includes the Intel Active Management Technology, which is used by sysadmins to monitor, maintain, update, upgrade, and repair remote out-of-band management of business-class PCs.
“The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor,” Positive Technologies wrote on Monday.
Researchers said Intel only offers kill switch tools and ME management utilities to a small number of motherboard manufacturers under strict parameters. “These programs are not provided to end users, but they can be easily found on the Internet,” they said.
On the downside, while the Positive Technologies’ ME Cleaner tool and ME utilities can be used to disable ME, there are hazards. “The methods described here are risky and may damage or destroy your computer,” warns the company of using tools to disable ME.