The Intel Management Engine (IME) is a component of virtually every Intel CPU released since 2008. It performs tasks separately from the main operating system while the computer is in use, so it acts like a CPU. Intel argues that it can be used for remote administrative tasks. It has been argued, however, that having a “black box” that can control networking and hardware, even when the computer is switched off, represents a major security and privacy concern. And, well, that’s pretty accurate. Security researchers from Positive Technologies report being able to execute unsigned code on computers running the IME through USB. The full details of the attack are not yet known, but from what we know so far, it’s pretty bad.
The IME is linked to JTAG (Joint Test Action Group) debugging ports. USB ports also use JTAG. For this attack, Positive Technologies figured out how to bridge the gap. But because they haven’t gone into the specifics of how, we can only imagine how bad this could be. Or already is. This isn’t the first time that researchers have uncovered substantial security issues in the IME. This time around, the main issue is that it’s exploitable via USB, which is a common attack vector. The Stuxnet malware, for example, which was credited with temporarily interfering with Iran’s nuclear program, was initially spread via infected USB sticks deliberately dropped on the ground.
This makes it possible for a hacker to gain access to a computer by using this tactic. And if we’re being honest, who isn’t going to see what’s on a flash drive if they find it? What’s frustrating about this is that it’s impossible to remove the Intel Management Engine entirely. It’s a physical component that is baked into the heart of your computer’s CPU. But you can switch out the IME’s firmware, essentially making it ineffective.
There is a growing segment of computers being built without the technology. A company in San Francisco, Purism, sells laptops without IME. Purism’s founder and CEO, Todd Weaver, had this to say about Intel IME:
“The Intel ME, long theorized to be the scariest of threats, is no longer just theory. Having access to any Intel machine just above hardware and lower than all software means an attacker or criminal has complete control over everything; encrypted storage, secret keys, passwords, financial details, everything on your computer or that your computer does. All the things you hoped were safe are not. Purism previously disabled the Management Engine in our laptops because we knew it was only a matter of time before this theoretical threat became reality. Purism is the only company to ship laptops with the ME disabled by default, and we invest in security enhancements on our hardware, benefiting users around the globe.”
Given the climate of cybersecurity, this sounds like a good idea. But will we start to see more computers without this technology? Or is this security issue something that we will have to learn to live with?