EFF: Intel's Management Engine is a Security Hazard

posted by n1 on Monday May 15, @07:04AM
MrPlow writes:

Submitted via IRC for TheMightyBuzzard

Since 2008, most of Intel's chipsets have contained a tiny homunculus computer called the "Management Engine" (ME). The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network. All of the code inside the ME is secret, signed, and tightly controlled by Intel. Last week, vulnerabilities in the Active Management (AMT) module in some Management Engines have caused lots of machines with Intel CPUs to be disastrously vulnerable to remote and local attackers. While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one.

[...] EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our computers, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.

It's a crying shame that what the EFF says doesn't hold a whole lot of weight.

Source: The Electronic Frontier Foundation

Original Submission


  • (Score: 0) by Anonymous Coward on Monday May 15, @07:20AM

    by Anonymous Coward on Monday May 15, @07:20AM (#509822)

    I had a bear of a time trying to install Linux when the network drivers kept failing for no apparent reason. Turns out Intel vPro was seizing control of the chipset and trying to use the network for its own purposes. I was shocked to discover a nefarious parasitic computer inside the computer. I disabled vPro immediately and vowed from that day forward never to allow vPro to be enabled ever again.

    I learned my lesson from helpful Linux penguins. GNU bless Linux for all time.

  • (Score: 0) by Anonymous Coward on Monday May 15, @07:33AM (2 children)

    by Anonymous Coward on Monday May 15, @07:33AM (#509824)

    As all major CPU brands have similar issues, what are the alternatives? I don't care for Windows; as long as it runs Linux or a BSD I'm satisfied. I know there was a project for building a POWER-based system, but if I remember correctly that was cancelled.

    • (Score: 2) by butthurt on Monday May 15, @07:45AM

      by butthurt (6141) on Monday May 15, @07:45AM (#509828) Journal

      Correct me if I'm wrong, but I'm assuming these are fine:

      https://libreboot.org/docs/hardware/#list-of-supported-hardware [libreboot.org]

    • (Score: 2) by TheRaven on Monday May 15, @07:46AM

      by TheRaven (270) on Monday May 15, @07:46AM (#509829) Journal

      The alternative is not to turn on the LOM facilities of whatever you buy. They're off by default on most systems. If you do need to enable them, only do so for machines plugged into a managed switch and severely restrict access to the management addresses.

      We had a similar wake-up call from a Dell (I think) remote management system that shipped with an ancient (and known insecure) version of OpenSSH. We discovered this when Facebook contacted us to ask why we were attacking them - apparently someone had compromised the management system and was using it to attack Facebook. This is perhaps more of a problem than the Intel hack, because the owner of the compromised system has far less of an incentive to fix it if it's being used to attack computers off their network.
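The advice above (leave LOM off unless you need it, and restrict who can reach the management addresses) is easier to enforce if you periodically audit your own network for management listeners you did not expect. The script below is an added example for that audit; it is not code from the thread or from Intel or the EFF. It assumes the documented Intel AMT port list (16992/16993 for the web interface, 16994/16995 for redirection, 623/664 for RMCP/ASF) and that anything answering on those ports is worth a look. Note that AMT traffic is handled by the ME before the host operating system's network stack sees it, so a host firewall rule does not block it; the check belongs on the network (a managed switch ACL or a scan from the management segment), which is what this script models.

```python
"""Audit hosts for listening Intel AMT / ME management ports.

Added example (not from the thread). Run it from a vantage point inside
your management network against hosts you own; compare what answers
against the list of machines where LOM was enabled on purpose.
"""
import socket
from typing import Callable, Dict, FrozenSet, Iterable, List

# Standard Intel AMT listener ports (assumption stated in the lead-in).
AMT_PORTS: Dict[int, str] = {
    16992: "AMT HTTP (web UI / WS-Management)",
    16993: "AMT HTTPS",
    16994: "AMT redirection (SOL / IDE-R)",
    16995: "AMT redirection over TLS",
    623: "RMCP / ASF",
    664: "RMCP secure",
}

# Signature of what a probe does: True if host:port accepts a TCP connection.
Probe = Callable[[str, int], bool]


def tcp_connect_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Real probe: attempt a TCP connection and report whether it succeeded."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_hosts(
    hosts: Iterable[str],
    probe: Probe = tcp_connect_probe,
    allowed_mgmt_hosts: FrozenSet[str] = frozenset(),
) -> List[Dict[str, object]]:
    """Return one finding per host that answers on any AMT port.

    A host in allowed_mgmt_hosts is reported as 'expected' (LOM was enabled
    deliberately, behind a managed switch); anything else is 'UNEXPECTED'
    and should be investigated: either the engine was turned on without
    anyone noticing, or the network ACL that should hide it is missing.
    """
    findings: List[Dict[str, object]] = []
    for host in hosts:
        open_ports = [port for port in AMT_PORTS if probe(host, port)]
        if not open_ports:
            continue  # nothing listening on management ports: good
        findings.append(
            {
                "host": host,
                "ports": open_ports,
                "services": [AMT_PORTS[p] for p in open_ports],
                "status": "expected" if host in allowed_mgmt_hosts else "UNEXPECTED",
            }
        )
    return findings


def format_report(findings: List[Dict[str, object]]) -> str:
    """Render findings as plain lines, unexpected listeners first."""
    ordered = sorted(findings, key=lambda f: f["status"] != "UNEXPECTED")
    lines = []
    for f in ordered:
        ports = ", ".join(f"{p} ({s})" for p, s in zip(f["ports"], f["services"]))
        lines.append(f"[{f['status']}] {f['host']}: {ports}")
    return "\n".join(lines) if lines else "no AMT listeners found"


if __name__ == "__main__":
    # Constructed demo inventory so the script runs offline: a fake probe
    # pretends two hosts answer on AMT ports. Swap in tcp_connect_probe and
    # a real host list to audit a network you administer.
    FAKE_OPEN = {("10.0.0.5", 16992), ("10.0.0.5", 16993), ("10.0.1.9", 623)}

    def fake_probe(host: str, port: int) -> bool:
        return (host, port) in FAKE_OPEN

    inventory = ["10.0.0.5", "10.0.0.7", "10.0.1.9"]
    known_lom_hosts = frozenset({"10.0.1.9"})  # the one box where LOM is intended
    print(format_report(audit_hosts(inventory, fake_probe, known_lom_hosts)))
```

In the constructed demo, 10.0.1.9 is the one machine where LOM was deliberately enabled, so it is reported as expected; 10.0.0.5 answering on the AMT web ports is flagged as unexpected. Against a real network, run the scan from a host that can reach the management addresses and, separately, from an ordinary client segment: the second scan should find nothing if the switch ACLs are doing their job.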

