By now you've probably already heard about the 11 major security flaws that Intel has found in Management Engine (ME), the largely undocumented computer-within-a-computer that's been included on Intel chipsets since 2008. If you haven't, you should. You can pretty much figure that if your computer, server or IoT platform has the Intel Inside logo, then you have a potential problem. So much so that the U.S Department of Homeland Security has issued a warning to all businesses to be on guard.
Intel has released a firmware patch, but for the majority of users this isn't a fix-it-yourself situation. Mostly you're going to have to wait until your device's manufacturer produces an update, which for a majority of products might be never.
There is some good news though: evidently not all devices equipped with ME are vulnerable. Users of Windows and Linux can download a detection tool issued by Intel to determine whether their systems are vulnerable. It's also good news that the vulnerabilities require direct access -- so long as the vulnerable machine isn't configured to allow remote control.
The folks at Intel probably went to the nearest lavatory to wash egg off their faces after finding these flaws. This should never have happened. Security experts have been saying for years that Intel's ME was a security nightmare waiting to happen. Intel didn't listen, apparently because being the first (and now second) largest chip maker on the planet, it knew better.
Intel found the flaws after realizing it might be prudent to investigate a report earlier this month from Positive Technologies that it had found a hole in ME that allowed it to execute unsigned code through a USB port. Another flaw was discovered back in May, a vulnerability in AMT, a remote management toolkit that runs on ME, that handed control of a machine to anyone who merely attempted a login and left the password field blank.
Google has been so worried about UEFI (the modern BIOS replacement) and ME that it's done everything it can to brick the chip on Chromebooks. It created NERF (Non-Extensible Reduced Firmware), which runs on Linux and removes ME's IP stack, along with some UEFI drivers. Most importantly, it kills ME's and UEFI's ability to auto-reflash the firmware. No word on how it handles ME in its data centers, but I'd suspect more of the same.
The Electronic Frontier Foundation (EFF) has long been on the anti-ME bandwagon. In May, after the ME/AMT scare, the foundation called on Intel to supply documentation, to create a supported way to disable ME and to offer a minimal alternative firmware for those who wished to keep ME operational to use security features that require it.
"Until Intel takes these steps, we have reason to fear that the undocumented master controller inside our Intel chips could continue to be a source of serious vulnerabilities in personal computers, servers and critical cybersecurity and physical infrastructure," EFF said. "Intel needs to act quickly to provide the community with an auditable solution to these threats."
With this latest security scare, it wouldn't be surprising if enterprise customers start calling for a ME kill switch.