Slash Boxes

SoylentNews is people

posted by janrinok on Wednesday December 06 2017, @06:49PM   Printer-friendly
from the what-people-want dept.

Submitted via IRC for TheMightyBuzzard

Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. …

... Intel's Management Engine is a hardware and software system designed to provide some remote management features. But it's come under criticism from privacy advocates, security researchers, and the free and open source software community.

That's because Intel Management Engine is basically a mystery. It's software that runs independently of a computer's operating system, which means that even if you wipe the OS, the Management Engine is still there. And there's no good way to know what it's doing.

The risks aren't just theoretical – Intel recently acknowledged a security vulnerability affecting nearly every PC that shipped with a 6th, 7th, or 8th-gen Intel Core processor. While the company is working with PC makers to roll out updates to patch that vulnerability, it wouldn't even exist if Intel hadn't bundled a feature many users don't need and won't use with its latest chips.

System76 are making a similar move:

System76 is one a handful of companies that sells computers that run Linux software out of the box. But like most PCs that have shipped with Intel’s Core processors in the past few years, System76 laptops include Intel’s Management Engine firmware. Intel recently confirmed a major security vulnerability affecting those chips and it’s working with …



Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Informative) by sjames on Wednesday December 06 2017, @10:06PM (2 children)

    by sjames (2882) on Wednesday December 06 2017, @10:06PM (#606436) Journal

    Actually, re-flashing can easily be done silently in the background. It's just that vendors are much too lazy to update their flasher to anything newer than DOS.

    All that is actually necessary is the right pattern of reads and writes to the flash chip. In Windows, that requires kernel level access, so a hacked driver will be involved, but if you can get admin level access, you're in, and even after the system is "cleaned up", you're still in.

    Starting Score:    1  point
    Moderation   +3  
       Interesting=1, Informative=2, Total=3
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 2) by FatPhil on Thursday December 07 2017, @03:16PM (1 child)

    by FatPhil (863) <{pc-soylent} {at} {}> on Thursday December 07 2017, @03:16PM (#606812) Homepage
    The IME should be able to block the writes to the flash (it should act as a gatekeeper for all peripheral accesses, which is why it can happily talk on the ethernet without the processor knowing about it). Best of all, it will lie to the OS about such writes, making it think they've worked. If you're paranoid enough to read what you've written back, you'll realise nothing will have changed. At least, that's how the ARM equivalent works, Intel may have designed something less functional than ARM.
    If vaccination works, then why doesn't eucharist protect kids against Christianity?
    • (Score: 2) by sjames on Thursday December 07 2017, @07:20PM

      by sjames (2882) on Thursday December 07 2017, @07:20PM (#606951) Journal

      So the "disabled" ME will prevent the firmware update?

      You would definitely notice if the writes are shot down since the flash chip's state engine won't respond appropriately when you read status.