SoylentNews is people
SoylentNews
Submitted via IRC for TheMightyBuzzard
Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. …
... Intel's Management Engine is a hardware and software system designed to provide some remote management features. But it's come under criticism from privacy advocates, security researchers, and the free and open source software community.
That's because Intel Management Engine is basically a mystery. It's software that runs independently of a computer's operating system, which means that even if you wipe the OS, the Management Engine is still there. And there's no good way to know what it's doing.
The risks aren't just theoretical – Intel recently acknowledged a security vulnerability affecting nearly every PC that shipped with a 6th, 7th, or 8th-gen Intel Core processor. While the company is working with PC makers to roll out updates to patch that vulnerability, it wouldn't even exist if Intel hadn't bundled a feature many users don't need and won't use with its latest chips.
System76 are making a similar move:
System76 is one a handful of companies that sells computers that run Linux software out of the box. But like most PCs that have shipped with Intel’s Core processors in the past few years, System76 laptops include Intel’s Management Engine firmware. Intel recently confirmed a major security vulnerability affecting those chips and it’s working with …
Source: https://liliputing.com/2017/12/dell-also-sells-laptops-intel-management-engine-disabled.html
Source: https://liliputing.com/2017/11/system76-will-disable-intel-management-engine-linux-laptops.html
(Score: 3, Informative) by The Mighty Buzzard on Wednesday December 06 2017, @09:54PM (3 children)
It can be done through a USB device (not through the OS, the USB device is essentially a JTAG programmer exploiting a bug in the existing firmware) or via physically clipping on to the chip to program it.
Not faith, really. Disable the bits that are being disabled and it's stuck with some very narrow attack surfaces that it's genuinely possible there actually are no exploitable bugs in.
My rights don't end where your fear begins.
(Score: 2) by sjames on Thursday December 07 2017, @01:23AM (2 children)
That is, as far as we know, needed to modify the firmware without having the signing key. If you have the signing key, you can just flash the BIOS to load the signed image on boot. Presumably, you can load the already signed official firmware with the known security flaws without having the signing key.
For all we know, the signing key has already leaked. Considering how tight lipped Intel has been, I doubt they'd tell us about such a leak even if they knew.
Meanwhile, didn't Intel claim the chipset couldn't boot with the ME disabled at one time?
(Score: 2) by The Mighty Buzzard on Thursday December 07 2017, @01:59AM (1 child)
They're not entirely disabling it or it wouldn't boot at all. They're likely combining both approaches used so far. Setting the CIA's "fuck you, Intel" bit and disabling or removing all the modules that would activate after the ones to allow the system to simply boot are run.
My rights don't end where your fear begins.
(Score: 2) by sjames on Thursday December 07 2017, @03:08AM
That sounds like a somewhat fragile disabling. I wouldn't bet on it being that hard to turn back on.