Slash Boxes

SoylentNews is people

posted by janrinok on Wednesday December 06, @06:49PM   Printer-friendly
from the what-people-want dept.

Submitted via IRC for TheMightyBuzzard

Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. …

... Intel's Management Engine is a hardware and software system designed to provide some remote management features. But it's come under criticism from privacy advocates, security researchers, and the free and open source software community.

That's because Intel Management Engine is basically a mystery. It's software that runs independently of a computer's operating system, which means that even if you wipe the OS, the Management Engine is still there. And there's no good way to know what it's doing.

The risks aren't just theoretical – Intel recently acknowledged a security vulnerability affecting nearly every PC that shipped with a 6th, 7th, or 8th-gen Intel Core processor. While the company is working with PC makers to roll out updates to patch that vulnerability, it wouldn't even exist if Intel hadn't bundled a feature many users don't need and won't use with its latest chips.

System76 are making a similar move:

System76 is one a handful of companies that sells computers that run Linux software out of the box. But like most PCs that have shipped with Intel’s Core processors in the past few years, System76 laptops include Intel’s Management Engine firmware. Intel recently confirmed a major security vulnerability affecting those chips and it’s working with …



Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Informative) by The Mighty Buzzard on Wednesday December 06, @09:54PM (3 children)

    It can be done through a USB device (not through the OS, the USB device is essentially a JTAG programmer exploiting a bug in the existing firmware) or via physically clipping on to the chip to program it.

    Not faith, really. Disable the bits that are being disabled and it's stuck with some very narrow attack surfaces that it's genuinely possible there actually are no exploitable bugs in.

    My preferred pronouns are wetback/faggot/cunt. Your move.
    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 2) by sjames on Thursday December 07, @01:23AM (2 children)

    by sjames (2882) on Thursday December 07, @01:23AM (#606519) Journal

    That is, as far as we know, needed to modify the firmware without having the signing key. If you have the signing key, you can just flash the BIOS to load the signed image on boot. Presumably, you can load the already signed official firmware with the known security flaws without having the signing key.

    For all we know, the signing key has already leaked. Considering how tight lipped Intel has been, I doubt they'd tell us about such a leak even if they knew.

    Meanwhile, didn't Intel claim the chipset couldn't boot with the ME disabled at one time?

    • (Score: 2) by The Mighty Buzzard on Thursday December 07, @01:59AM (1 child)

      They're not entirely disabling it or it wouldn't boot at all. They're likely combining both approaches used so far. Setting the CIA's "fuck you, Intel" bit and disabling or removing all the modules that would activate after the ones to allow the system to simply boot are run.

      My preferred pronouns are wetback/faggot/cunt. Your move.
      • (Score: 2) by sjames on Thursday December 07, @03:08AM

        by sjames (2882) on Thursday December 07, @03:08AM (#606594) Journal

        That sounds like a somewhat fragile disabling. I wouldn't bet on it being that hard to turn back on.