Skip to main content

Researchers find vulnerability in older versions of Intel ME, but you probably don't need to worry

8th gen intel core launch building 01
According to security researcher Damien Zammit, there’s possibility that computers based on recent x86-based processors from Intel could be unknowingly compromised. The good news, however, is that there’s no known exploit currently in use, so don’t panic just yet.

Most general consumers purchasing Intel-based desktops and laptops have no clue that a special 32-bit ARC microprocessor is built inside Intel’s supporting motherboard chipset. It’s part of the Intel Management System (ME), and acts like a standalone, independent “computer” that controls the Intel x86 processor. Its main focus is big enterprise deployments, so that multiple systems can be managed remotely.

That said, ME is invisible in regards to the overall system setup, and in some cases includes Intel’s Active Management Technology (AMT) so that it can continue to perform no matter what operating system is installed. Thanks to AMT, the ME system can sneak past the x86 Intel processor and access any region of the system memory. It also runs its own TCP/IP server, which is capable of bypassing an installed firewall to send and receive packets. The ME system cannot be disabled by the installed operating system or x86-based firmware, especially on systems that are newer than the Intel Core 2 processor series.

Thus, because Intel-based systems essentially depend on ME to boot, the ME firmware is verified by a boot ROM that’s secretly embedded in the Intel chipset. This process matches the public key’s SHA256 checksum with one provided by the factory, and then verifies the RSA signature of the firmware payload, a process that can’t be bypassed. The ME firmware is cryptographically protected with RSA 2048. If the ME firmware is not present or somehow becomes corrupted, the system will either shut down right after booting, or will refuse to boot altogether.

So, the big stink regarding Intel’s ME system is that researchers reportedly managed to exploit weaknesses in the firmware, enabling them to take partial control of ME installed on early platforms. That means there’s a possibility that attackers can slip under the radar and use a rootkit to quietly gain administrative access to an Intel-based computer. But this possibility is theoretical, and the research only applies to an older version of Intel ME.

“Personally, I would like if my ME only did the most basic task it was designed for, set up the bus clocks, and then shut off,” writes Damien Zammit. “This way, it would never be able to talk out of the network card with some of my personal data.”

At its heart, this controversy is about a difference in opinion about security best practices. Intel’s ME takes a locked-down approach. Only the company knows how it works. That makes it harder to attack, but it also makes it harder to mitigate the possible damage of an attack, and means there’s no way to know — for sure — how it’s working. Zammit supports an open-sourced approach. He believes its “inevitable” that ME will fall to an exploit, and once that happens, it’ll be open season on Intel machines.

However, it’s worth noting that open-source security has a rocky track record of its own. The infamous “Heartbleed” bug, which made it possible to steal information out of the secured OpenSSL protocol, is a good example. In other words, Zammit’s idea that Intel ME would be better off if Intel let others know about its details is an opinion, not a fact.

So, if you have an Intel processor, don’t worry. There’s no known exploit being used at this time. And not all Intel processors have the chip — only those that support vPro functionality include it.

Editors' Recommendations