fbpx
Wikipedia

Intel Management Engine

October 21, 2023

The Intel Management Engine (ME), also known as the Intel Manageability Engine,[1][2] is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008.[1][3][4] It is located in the Platform Controller Hub of modern Intel motherboards.

Privilege rings for the x86 architecture. The ME is colloquially categorized as ring −3, below System Management Mode (ring −2) and the hypervisor (ring −1), all running at a higher privilege level than the kernel (ring 0)

The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. This issue can be mitigated with deployment of a hardware device, which is able to disconnect mains power.

Intel's main competitor AMD has incorporated the equivalent AMD Secure Technology (formally called Platform Security Processor) in virtually all of its post-2013 CPUs.

Difference from Intel AMT Edit

The Management Engine is often confused with Intel AMT (Intel Active Management Technology). AMT runs on the ME, but is only available on processors with vPro. AMT gives device owners remote administration of their computer,[5] such as powering it on or off, and reinstalling the operating system.

However, the ME itself is built into all Intel chipsets since 2008, not only those with AMT. While AMT can be unprovisioned by the owner, there is no official, documented way to disable the ME.

Design Edit

The subsystem primarily consists of proprietary firmware running on a separate microprocessor that performs tasks during boot-up, while the computer is running, and while it is asleep.[6] As long as the chipset or SoC is supplied with power (via battery or power supply), it continues to run even when the system is turned off.[7] Intel claims the ME is required to provide full performance.[8] Its exact workings[9] are largely undocumented[10] and its code is obfuscated using confidential Huffman tables stored directly in hardware, so the firmware does not contain the information necessary to decode its contents.[11]

Hardware Edit

Starting with ME 11 (introduced in Skylake CPUs), it is based on the Intel Quark x86-based 32-bit CPU and runs the MINIX 3 operating system.[12] The ME firmware is stored in a partition of the SPI BIOS Flash, using the Embedded Flash File System (EFFS).[13] Previous versions were based on an ARC core, with the Management Engine running the ThreadX RTOS. Versions 1.x to 5.x of the ME used the ARCTangent-A4 (32-bit only instructions) whereas versions 6.x to 8.x used the newer ARCompact (mixed 32- and 16-bit instruction set architecture). Starting with ME 7.1, the ARC processor could also execute signed Java applets.

The ME has its own MAC and IP address for the out-of-band management interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, for what support exists in various Ethernet controllers, exported and made configurable via Management Component Transport Protocol (MCTP).[14][15] The ME also communicates with the host via PCI interface.[13] Under Linux, communication between the host and the ME is done via /dev/mei or /dev/mei0.[16][17]

Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout.[18] With the newer Intel architectures (Intel 5 Series onwards), ME is integrated into the Platform Controller Hub (PCH).[19][20]

Firmware Edit

By Intel's current terminology as of 2017, ME is one of several firmware sets for the Converged Security and Manageability Engine (CSME). Prior to AMT version 11, CSME was called Intel Management Engine BIOS Extension (Intel MEBx).[1]

  • Management Engine (ME) – mainstream chipsets[21]
  • Server Platform Services (SPS) – server chipsets and SoCs[22][21][23]
  • Trusted Execution Engine (TXE) – tablet/embedded/low power[24][25]

The Russian company Positive Technologies (Dmitry Sklyarov) found that the ME firmware version 11 runs MINIX 3.[12][26][27]

Modules Edit

Security vulnerabilities Edit

Several weaknesses have been found in the ME. On May 1, 2017, Intel confirmed a Remote Elevation of Privilege bug (SA-00075) in its Management Technology.[36] Every Intel platform with provisioned Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME.[37][38] Several ways to disable the ME without authorization that could allow ME's functions to be sabotaged have been found.[39][40][41] Additional major security flaws in the ME affecting a very large number of computers incorporating ME, Trusted Execution Engine (TXE), and Server Platform Services (SPS) firmware, from Skylake in 2015 to Coffee Lake in 2017, were confirmed by Intel on 20 November 2017 (SA-00086).[42][43] Unlike SA-00075, this bug is even present if AMT is absent, not provisioned or if the ME was "disabled" by any of the known unofficial methods.[44] In July 2018 another set of vulnerabilities was disclosed (SA-00112).[45] In September 2018, yet another vulnerability was published (SA-00125).[46]

Ring −3 rootkit Edit

A ring −3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset; it does not work for the later Q45 chipset as Intel implemented additional protections.[47] The exploit worked by remapping the normally protected memory region (top 16 MB of RAM) reserved for the ME. The ME rootkit could be installed regardless of whether the AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor. (The "−3" designation was chosen because the ME coprocessor works even when the system is in the S3 state, thus it was considered a layer below the System Management Mode rootkits.[18]) For the vulnerable Q35 chipset, a keystroke logger ME-based rootkit was demonstrated by Patrick Stewin.[48][49]

Zero-touch provisioning Edit

Another security evaluation by Vassilios Ververis showed serious weaknesses in the GM45 chipset implementation. In particular, it criticized AMT for transmitting unencrypted passwords in the SMB provisioning mode when the IDE redirection and Serial over LAN features are used. It also found that the "zero touch" provisioning mode (ZTC) is still enabled even when the AMT appears to be disabled in BIOS. For about 60 euros, Ververis purchased from GoDaddy a certificate that is accepted by the ME firmware and allows remote "zero touch" provisioning of (possibly unsuspecting) machines, which broadcast their HELLO packets to would-be configuration servers.[50]

SA-00075 (a.k.a. Silent Bob is Silent) Edit

In May 2017, Intel confirmed that many computers with AMT have had an unpatched critical privilege escalation vulnerability (CVE-2017-5689).[38][51][36][52][53] The vulnerability, which was nicknamed "Silent Bob is Silent" by the researchers who had reported it to Intel,[54] affects numerous laptops, desktops and servers sold by Dell, Fujitsu, Hewlett-Packard (later Hewlett Packard Enterprise and HP Inc.), Intel, Lenovo, and possibly others.[54][55][56][57][58][59][60] Those researchers claimed that the bug affects systems made in 2010 or later.[61] Other reports claimed the bug also affects systems made as long ago as 2008.[62][38] The vulnerability was described as giving remote attackers:

"full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware (possibly in firmware), and read and modify any data."

— Tatu Ylönen, ssh.com[54]

PLATINUM Edit

In June 2017, the PLATINUM cybercrime group became notable for exploiting the serial over LAN (SOL) capabilities of AMT to perform data exfiltration of stolen documents.[63][64][65][66][67][68][69][70] SOL is disabled by default, and must be enabled to exploit this vulnerability.[71]

SA-00086 Edit

Some months after the previous bugs, and subsequent warnings from the EFF,[4] security firm Positive Technologies claimed to have developed a working exploit.[72] On 20 November, 2017 Intel confirmed that a number of serious flaws had been found in the Management Engine (mainstream), Trusted Execution Engine (tablet/mobile), and Server Platform Services (high end server) firmware, and released a "critical firmware update".[73][74] Essentially every Intel-based computer for the last several years, including most desktops and servers, were found to be vulnerable to having their security compromised, although all the potential routes of exploitation were not entirely known.[74] It is not possible to patch the problems from the operating system, and a firmware (UEFI, BIOS) update to the motherboard is required, which was anticipated to take quite some time for the many individual manufacturers to accomplish, if it ever would be for many systems.[42]

Affected systems[73] Edit

  • Intel Atom – C3000 family
  • Intel Atom – Apollo Lake E3900 series
  • Intel Celeron – N and J series
  • Intel Core (i3, i5, i7, i9) – 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, and 8th generation
  • Intel Pentium – Apollo Lake
  • Intel Xeon – E3-1200 v5 and v6 product family
  • Intel Xeon – Scalable family
  • Intel Xeon – W family

Mitigation Edit

None of the known unofficial methods to disable the ME prevent exploitation of the vulnerability. A firmware update by the vendor is required. However, those who discovered the vulnerability note that firmware updates are not fully effective either, as an attacker with access to the ME firmware region can simply flash an old, vulnerable version and then exploit the bug.[44]

SA-00112 Edit

In July 2018 Intel announced that three vulnerabilities (CVE-2018-3628, CVE-2018-3629, CVE-2018-3632) had been discovered and that a patch for the CSME firmware would be required. Intel indicated there would be no patch for 3rd generation Core processors or earlier despite chips or their chipsets as far back as Intel Core 2 Duo vPro and Intel Centrino 2 vPro being affected. However Intel AMT must be enabled and provisioned for the vulnerability to exist.[45][75]

Assertions that ME is a backdoor Edit

Critics like the Electronic Frontier Foundation (EFF), Libreboot developers, and security expert Damien Zammit accused the ME of being a backdoor and a privacy concern.[76][4] Zammit stresses that the ME has full access to memory (without the owner-controlled CPU cores having any knowledge), and has full access to the TCP/IP stack and can send and receive network packets independently of the operating system, thus bypassing its firewall.[5]

Intel responded by saying that "Intel does not put back doors in its products nor do our products give Intel control or access to computing systems without the explicit permission of the end user."[5] and "Intel does not and will not design backdoors for access into its products. Recent reports claiming otherwise are misinformed and blatantly false. Intel does not participate in any efforts to decrease security of its technology."[77]

In the context of criticism of the Intel ME and AMD Secure Technology it has been pointed out that the National Security Agency (NSA) budget request for 2013 contained a Sigint Enabling Project with the goal to "Insert vulnerabilities into commercial encryption systems, IT systems, …" and it has been conjectured that Intel ME and AMD Secure Technology might be part of that program.[78][79]

Disabling the ME Edit

It is normally not possible for the end-user to disable the ME and there is no officially supported method to disable it, but some undocumented methods to do so were discovered.[42] The ME's security architecture is designed to prevent disabling. Intel considers disabling ME to be a security vulnerability, as a malware could abuse it to make the computer lose some of the functionality that the typical user expects, such as the ability to play media with DRM, specifically DRM media that are using HDCP.[80][81] But on the other hand, it is also possible for malicious actors to use the ME to remotely compromise a system.

Strictly speaking, none of the known methods can disable the ME completely, since it is required for booting the main CPU. The currently known methods merely make the ME go into abnormal states soon after boot, in which it seems not to have any working functionality. The ME is still physically connected to the system and its microprocessor continues to execute code.[citation needed] Some manufacturers like Purism and System76 disable Intel Management Engine.[82][83]

Undocumented methods Edit

Firmware neutralization Edit

In 2016, the me_cleaner project found that the ME's integrity verification is broken. The ME is supposed to detect that it has been tampered with and, if this is the case, shut down the PC forcibly 30 minutes after system start.[84] This prevents a compromised system from running undetected, yet allows the owner to fix the issue by flashing a valid version of the ME firmware during the grace period. As the project found out, by making unauthorized changes to the ME firmware, it was possible to force it into an abnormal error state that prevented triggering the shutdown even if large parts of the firmware had been overwritten and thus made inoperable.

"High Assurance Platform" mode Edit

In August 2017, Positive Technologies (Dmitry Sklyarov) published a method to disable the ME via an undocumented built-in mode. As Intel has confirmed[85] the ME contains a switch to enable government authorities such as the NSA to make the ME go into High-Assurance Platform (HAP) mode after boot. This mode disables most of ME's functions,[77][86] and was intended to be available only in machines produced for specific purchasers like the US government; however, most machines sold on the retail market can be made to activate the switch.[86][87] Manipulation of the HAP bit was quickly incorporated into the me_cleaner project.[88]

Commercial ME disablement Edit

From late 2017 on, several laptop vendors announced their intentions to ship laptops with the Intel ME disabled or let the end-users disable it manually:

  • Minifree Ltd has provided Libreboot pre-loaded laptops with Intel ME either not present, or disabled, since at least 2015.[89][90][91]
  • Purism previously petitioned Intel to sell processors without the ME, or release its source code, calling it "a threat to users' digital rights".[92] In March 2017, Purism announced that it had neutralized the ME by erasing the majority of the ME code from the flash memory.[93] It further announced in October 2017[94] that new batches of their Librem line of laptops running PureOS will ship with the ME neutralized, and additionally disable most ME operation via the HAP bit. Updates for existing Librem laptops were also announced.
  • In November, System76 announced their plan to disable the ME on their new and recent machines which ship with Pop!_OS via the HAP bit.[95]
  • In December, Dell began showing certain laptops on its website that offered the "Systems Management" option "Intel vPro - ME Inoperable, Custom Order" for an additional fee. Dell has not announced or publicly explained the methods used. In response to press requests, Dell stated that those systems had been offered for quite a while, but not for the general public, and had found their way to the website only inadvertently.[96] The laptops are available only by custom order and only to military, government and intelligence agencies.[97] They are specifically designed for covert operations, such as providing a very robust case and a "stealth" operating mode kill switch that disables display, LED lights, speaker, fan and any wireless technology.[98]
  • In March 2018, Tuxedo Computers, a German company which specializes in PCs which run Linux kernel-based operating systems, announced an option in the BIOS of their system to disable ME. [99]
  • In February 2021 Nitrokey, a German company specialized in producing Security Tokens, announced NitroPC, a device identical to Purism's Librem Mini. [100]
  • In January 2023, monocles, a German start-up which offers several privacy friendly and secure services and devices sells the monocles book 1, a refurbished notebook with disabled Intel ME and plans to produce own Notebooks without Intel ME from factory. [101]

Effectiveness against vulnerabilities Edit

Neither of the two methods to disable the ME discovered so far turned out to be an effective countermeasure against the SA-00086 vulnerability.[44] This is because the vulnerability is in an early-loaded ME module that is essential to boot the main CPU.[citation needed]

Reactions Edit

By Google Edit

As of 2017, Google was attempting to eliminate proprietary firmware from its servers and found that the ME was a hurdle to that.[42]

By AMD processor vendors Edit

Shortly after SA-00086 was patched, vendors for AMD processor mainboards started shipping BIOS updates that allow disabling the AMD Platform Security Processor,[102] a subsystem with similar function as the ME.

See also Edit

References Edit

  1. ^ a b c Oster, Joseph E. (September 3, 2019). "Getting Started with Intel Active Management Technology (Intel AMT)". Intel. Retrieved September 22, 2020.
  2. ^ a b . Intel. Archived from the original on February 21, 2019.{{cite web}}: CS1 maint: unfit URL (link)
  3. ^ "Frequently Asked Questions for the Intel Management Engine Verification Utility". Built into many Intel Chipset–based platforms is a small, low-power computer subsystem called the Intel Management Engine (Intel ME).
  4. ^ a b c Portnoy, Erica; Eckersley, Peter (May 8, 2017). "Intel's Management Engine is a security hazard, and users need a way to disable it". Electronic Frontier Foundation. Retrieved February 21, 2020.
  5. ^ a b c Wallen, Jack (July 1, 2016). "Is the Intel Management Engine a backdoor?".
  6. ^ "Frequently Asked Questions for the Intel Management Engine Verification Utility". The Intel ME performs various tasks while the system is in sleep, during the boot process, and when your system is running.
  7. ^ "Black Hat Europe 2017". BlackHat.com.
  8. ^ "Frequently Asked Questions for the Intel Management Engine Verification Utility". This subsystem must function correctly to get the most performance and capability from your PC.
  9. ^ Hoffman, Chris. "Intel Management Engine, Explained: The Tiny Computer Inside Your CPU". How-To Geek.
  10. ^ Eckersley, Erica Portnoy and Peter (May 8, 2017). "Intel's Management Engine is a security hazard, and users need a way to disable it". Electronic Frontier Foundation.
  11. ^ a b "Intel ME huffman dictionaries - Unhuffme v2.4". IO.NetGarage.org.
  12. ^ a b . Archived from the original on August 28, 2017. Retrieved August 30, 2017.
  13. ^ a b Igor Skochinsky (Hex-Rays) Rootkit in your laptop, Ruxcon Breakpoint 2012
  14. ^ "Intel Ethernet Controller I210 Datasheet" (PDF). Intel. 2013. pp. 1, 15, 52, 621–776. Retrieved November 9, 2013.
  15. ^ "Intel Ethernet Controller X540 Product Brief" (PDF). Intel. 2012. Retrieved February 26, 2014.
  16. ^ . Archived from the original on November 1, 2014. Retrieved February 25, 2014.{{cite web}}: CS1 maint: archived copy as title (link)
  17. ^ "Introduction — The Linux Kernel documentation". Kernel.org.
  18. ^ a b Rutkowska, Joanna. "A Quest to the Core" (PDF). Invisiblethingslab.com. Retrieved May 25, 2016.
  19. ^ (PDF). Archived from the original (PDF) on February 11, 2014. Retrieved February 26, 2014.{{cite web}}: CS1 maint: archived copy as title (link)
  20. ^ "Platforms II" (PDF). Users.nik.uni-obuda.hu. Retrieved May 25, 2016.
  21. ^ a b "FatTwin F618R3-FT+ F618R3-FTPT+ User's Manual" (PDF). Super Micro. The Manageability Engine, which is an ARC controller embedded in the IOH (I/O Hub), provides Server Platform Services (SPS) to your system. The services provided by SPS are different from those provided by the ME on client platforms.
  22. ^ "Intel Xeon Processor E3-1200 v6 Product Family Product Brief". Intel. Intel Server Platform Services (Intel SPS): Designed for managing rack-mount servers, Intel Server Platform Services provides a suite of tools to control and monitor power, thermal, and resource utilization.
  23. ^ "Intel Xeon Processor D-1500 Product Family" (PDF). Intel.
  24. ^ "Intel Trusted Execution Engine Driver". Dell. This package provides the drivers for the Intel Trusted Execution Engine and is supported on Dell Venue 11 Pro 5130 Tablet
  25. ^ a b "Intel Trusted Execution Engine Driver for Intel NUC Kit NUC5CPYH, NUC5PPYH, NUC5PGYH". Intel. Installs the Intel Trusted Execution Engine (Intel TXE) driver and firmware for Windows 10 and Windows 7*/8.1*, 64-bit. The Intel TXE driver is required for Secure Boot and platform security features.
  26. ^ Intel ME: The Way of the Static Analysis, Troopers 2017
  27. ^ Positive Technologies Blog:The Way of the Static Analysis
  28. ^ a b "Intel Hardware-based Security Technologies for Intelligent Retail Devices" (PDF). Intel.
  29. ^ "Intel Quiet System Technology 2.0: Programmer's Reference Manual" (PDF). Intel. February 2010. Retrieved August 25, 2014.
  30. ^ "The Intel Management Engine – a Privacy Nightmare". ProPrivacy.com.
  31. ^ September 2012, Patrick Kennedy 21 (September 21, 2012). "Intel vPro In 2012, Small Business Advantage, And Anti-Theft Tech". Tom's Hardware.
  32. ^ . service.mcafee.com. Archived from the original on August 1, 2020. Retrieved September 10, 2020.
  33. ^ "Using Intel AMT serial-over-LAN to the fullest". Intel.
  34. ^ "How To Enable BitLocker With Intel PTT and No TPM For Better Security". Legit Reviews. May 8, 2019. Retrieved September 8, 2020.
  35. ^ "MEI NFC".
  36. ^ a b "Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege". Intel.com. March 17, 2020. Retrieved September 22, 2020.
  37. ^ Charlie Demerjian (May 1, 2017). "Remote security exploit in all 2008+ Intel platforms". SemiAccurate. Retrieved May 7, 2017.
  38. ^ a b c "Red alert! Intel patches remote execution hole that's been hidden in chips since 2010". TheRegister.co.uk. Retrieved May 7, 2017.
  39. ^ Alaoui, Youness (October 19, 2017). "Deep dive into Intel Management Engine disablement".
  40. ^ Alaoui, Youness (March 9, 2017). "Neutralizing the Intel Management Engine on Librem Laptops".
  41. ^ . Archived from the original on August 28, 2017. Retrieved August 30, 2017.
  42. ^ a b c d "Intel Patches Major Flaws in the Intel Management Engine". Extreme Tech.
  43. ^ Claburn, Thomas (November 20, 2017). "Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets". The Register.
  44. ^ a b c "Intel Management Engine pwned by buffer overflow". TheRegister.com.
  45. ^ a b "INTEL-SA-00112". Intel.
  46. ^ "INTEL-SA-00125". Intel.
  47. ^ (PDF). Invisiblethingslab.com. Archived from the original (PDF) on April 12, 2016. Retrieved May 25, 2016.
  48. ^ (PDF). Stewin.org. Archived from the original (PDF) on March 4, 2016. Retrieved May 25, 2016.
  49. ^ (PDF). Stewin.org. Archived from the original (PDF) on March 3, 2016. Retrieved May 25, 2016.
  50. ^ "Security Evaluation of Intel's Active Management Technology" (PDF). Web.it.kth.se. Retrieved May 25, 2016.
  51. ^ . Cve.mitre.org. Archived from the original on May 5, 2017. Retrieved May 7, 2017.
  52. ^ "Intel Hidden Management Engine - x86 Security Risk?". Darknet. June 16, 2016. Retrieved May 7, 2017.
  53. ^ Garrett, Matthew (May 1, 2017). "Intel's remote AMT vulnerablity". mjg59.dreamwidth.org. Retrieved May 7, 2017.
  54. ^ a b c . Ssh.com\Accessdate=2017-05-07. Archived from the original on March 5, 2018. Retrieved November 25, 2017.
  55. ^ Dan Goodin (May 6, 2017). "The Hijacking Flaw That Lurked in Intel Chips Is Worse than Anyone Thought". Ars Technica. Retrieved May 8, 2017.
  56. ^ "General: BIOS updates due to Intel AMT IME vulnerability - General Hardware - Laptop - Dell Community". En.Community.Dell.com. May 2, 2017. Retrieved May 7, 2017.
  57. ^ "Advisory note: Intel Firmware vulnerability – Fujitsu Technical Support pages from Fujitsu Fujitsu Continental Europe, Middle East, Africa & India". Support.ts.fujitsu.com. May 1, 2017. Retrieved May 8, 2017.
  58. ^ "HPE | HPE CS700 2.0 for VMware". H22208.www2.hpe.com. May 1, 2017. Retrieved May 7, 2017.
  59. ^ "Intel Security Advisory regarding escalation o... |Intel Communities". Communities.Intel.com. May 4, 2017. Retrieved May 7, 2017.
  60. ^ "Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Remote Privilege Escalation". Support.lenovo.com. Retrieved May 7, 2017.
  61. ^ . Embedi.com. May 2, 2017. Archived from the original on August 17, 2018.
  62. ^ Charlie Demerjian (May 1, 2017). "Remote security exploit in all 2008+ Intel platforms". SemiAccurate.com. Retrieved May 7, 2017.
  63. ^ "Sneaky hackers use Intel management tools to bypass Windows firewall". June 9, 2017. Retrieved June 10, 2017.
  64. ^ Tung, Liam. "Windows firewall dodged by 'hot-patching' spies using Intel AMT, says Microsoft - ZDNet". ZDNet. Retrieved June 10, 2017.
  65. ^ "PLATINUM continues to evolve, find ways to maintain invisibility". June 7, 2017. Retrieved June 10, 2017.
  66. ^ "Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls". Retrieved June 10, 2017.
  67. ^ "Hackers abuse low-level management feature for invisible backdoor". iTnews. Retrieved June 10, 2017.
  68. ^ "Vxers exploit Intel's Active Management for malware-over-LAN • The Register". TheRegister.co.uk. Retrieved June 10, 2017.
  69. ^ Security, heise. "Intel-Fernwartung AMT bei Angriffen auf PCs genutzt". Security. Retrieved June 10, 2017.
  70. ^ "PLATINUM activity group file-transfer method using Intel AMT SOL". Channel 9. Retrieved June 10, 2017.
  71. ^ "Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls". BleepingComputer.
  72. ^ "Black Hat Europe 2017". BlackHat.com.
  73. ^ a b "Intel Management Engine Critical Firmware Update (Intel SA-00086)". Intel.
  74. ^ a b Newman, Lily Hay. "Intel Chip Flaws Leave Millions of Devices Exposed". Wired.
  75. ^ "Intel Active Management Technology 9.x/10.x/11.x Security Review..." Intel.
  76. ^ Cimpanu, Catalin (June 17, 2016). "Intel x86 CPUs Come with a Secret Backdoor That Nobody Can Touch or Disable". softpedia.
  77. ^ a b "Intel ME controller chip has secret kill switch". TheRegister.com.
  78. ^ "Documents Reveal N.S.A. Campaign Against Encryption". The New York Times.
  79. ^ "Leserforum". C't. 2018 (7): 10–11. March 16, 2018.
  80. ^ "HDCP 2.2 Content Protection Being Worked On For The i915 DRM Driver".
  81. ^ "HDCP 2.2 Support Updated For The Intel DRM Linux Driver".
  82. ^ "What is Intel Management Engine and what are concerns with it regarding Librem laptops?".
  83. ^ "Major Updates for System76 Open Firmware!".
  84. ^ "corna/me_cleaner". September 10, 2020 – via GitHub.
  85. ^ "Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA". BleepingComputer.
  86. ^ a b Research, Author Positive. . Archived from the original on December 1, 2020. {{cite web}}: |first= has generic name (help)
  87. ^ "corna/me_cleaner". GitHub. March 19, 2022.
  88. ^ "Set the HAP bit (ME >= 11) or the AltMeDisable bit (ME < 11) · corna/me_cleaner@ced3b46". GitHub.
  89. ^ "Libreboot T400 laptop now FSF-certified to respect your freedom — Free Software Foundation — Working together for free software". www.fsf.org. Retrieved April 30, 2023.
  90. ^ Bärwaldt, Erik. "Liberated » Linux Magazine". Linux Magazine. Retrieved April 30, 2023.
  91. ^ Biggs, John (August 11, 2017). "The Minifree Libreboot T400 is free as in freedom". TechCrunch. Retrieved April 30, 2023.
  92. ^ . June 16, 2016. Archived from the original on June 16, 2016.
  93. ^ Alaoui, Youness (March 9, 2017). "Neutralizing the Intel Management Engine on Librem Laptops". puri.sm. Retrieved December 13, 2017.
  94. ^ "Purism Librem Laptops Completely Disable Intel's Management Engine". October 19, 2017.
  95. ^ "System76 ME Firmware Updates Plan". System76 Blog.
  96. ^ "Dell Sells PCs without Intel's Management Engine, but with Tradeoffs". ExtremeTech.com.
  97. ^ online, heise. "Dell schaltet Intel Management Engine in Spezial-Notebooks ab". heise online.
  98. ^ "Dell Latitude 14 Rugged — 5414 Series Owner's Manual". Dell.com.
  99. ^ "TUXEDO deaktiviert Intels Management Engine - TUXEDO Computers". www.tuxedocomputers.com. Retrieved February 7, 2021.
  100. ^ "NitroPC - Powerful and Secure Mini PC". www.nitrokey.com. Retrieved December 8, 2021.
  101. ^ "monocles book 1 – monocles store". Retrieved January 30, 2023.
  102. ^ "AMD Reportedly Allows Disabling PSP Secure Processor With Latest AGESA - Phoronix". Phoronix.com. December 7, 2017. Retrieved April 16, 2019.

External links Edit

  • Behind the Scenes of Intel Security and Manageability Engine

October 21, 2023
intel, management, engine, also, known, intel, manageability, engine, autonomous, subsystem, that, been, incorporated, virtually, intel, processor, chipsets, since, 2008, located, platform, controller, modern, intel, motherboards, privilege, rings, architectur. The Intel Management Engine ME also known as the Intel Manageability Engine 1 2 is an autonomous subsystem that has been incorporated in virtually all of Intel s processor chipsets since 2008 1 3 4 It is located in the Platform Controller Hub of modern Intel motherboards Privilege rings for the x86 architecture The ME is colloquially categorized as ring 3 below System Management Mode ring 2 and the hypervisor ring 1 all running at a higher privilege level than the kernel ring 0 The Intel Management Engine always runs as long as the motherboard is receiving power even when the computer is turned off This issue can be mitigated with deployment of a hardware device which is able to disconnect mains power Intel s main competitor AMD has incorporated the equivalent AMD Secure Technology formally called Platform Security Processor in virtually all of its post 2013 CPUs Contents 1 Difference from Intel AMT 2 Design 2 1 Hardware 2 2 Firmware 2 2 1 Modules 3 Security vulnerabilities 3 1 Ring 3 rootkit 3 2 Zero touch provisioning 3 3 SA 00075 a k a Silent Bob is Silent 3 4 PLATINUM 3 5 SA 00086 3 5 1 Affected systems 73 3 5 2 Mitigation 3 6 SA 00112 4 Assertions that ME is a backdoor 5 Disabling the ME 5 1 Undocumented methods 5 1 1 Firmware neutralization 5 1 2 High Assurance Platform mode 5 2 Commercial ME disablement 5 3 Effectiveness against vulnerabilities 6 Reactions 6 1 By Google 6 2 By AMD processor vendors 7 See also 8 References 9 External linksDifference from Intel AMT EditThe Management Engine is often confused with Intel AMT Intel Active Management Technology AMT runs on the ME but is only available on processors with vPro AMT gives device owners remote administration of their computer 5 such as powering it on or off and reinstalling the operating system However the ME itself is built into all Intel chipsets since 2008 not only those with AMT While AMT can be unprovisioned by the owner there is no official documented way to disable the ME Design EditThe subsystem primarily consists of proprietary firmware running on a separate microprocessor that performs tasks during boot up while the computer is running and while it is asleep 6 As long as the chipset or SoC is supplied with power via battery or power supply it continues to run even when the system is turned off 7 Intel claims the ME is required to provide full performance 8 Its exact workings 9 are largely undocumented 10 and its code is obfuscated using confidential Huffman tables stored directly in hardware so the firmware does not contain the information necessary to decode its contents 11 Hardware Edit Starting with ME 11 introduced in Skylake CPUs it is based on the Intel Quark x86 based 32 bit CPU and runs the MINIX 3 operating system 12 The ME firmware is stored in a partition of the SPI BIOS Flash using the Embedded Flash File System EFFS 13 Previous versions were based on an ARC core with the Management Engine running the ThreadX RTOS Versions 1 x to 5 x of the ME used the ARCTangent A4 32 bit only instructions whereas versions 6 x to 8 x used the newer ARCompact mixed 32 and 16 bit instruction set architecture Starting with ME 7 1 the ARC processor could also execute signed Java applets The ME has its own MAC and IP address for the out of band management interface with direct access to the Ethernet controller one portion of the Ethernet traffic is diverted to the ME even before reaching the host s operating system for what support exists in various Ethernet controllers exported and made configurable via Management Component Transport Protocol MCTP 14 15 The ME also communicates with the host via PCI interface 13 Under Linux communication between the host and the ME is done via dev mei or dev mei0 16 17 Until the release of Nehalem processors the ME was usually embedded into the motherboard s northbridge following the Memory Controller Hub MCH layout 18 With the newer Intel architectures Intel 5 Series onwards ME is integrated into the Platform Controller Hub PCH 19 20 Firmware Edit By Intel s current terminology as of 2017 ME is one of several firmware sets for the Converged Security and Manageability Engine CSME Prior to AMT version 11 CSME was called Intel Management Engine BIOS Extension Intel MEBx 1 Management Engine ME mainstream chipsets 21 Server Platform Services SPS server chipsets and SoCs 22 21 23 Trusted Execution Engine TXE tablet embedded low power 24 25 The Russian company Positive Technologies Dmitry Sklyarov found that the ME firmware version 11 runs MINIX 3 12 26 27 Modules Edit Active Management Technology AMT 2 Intel Boot Guard IBG 28 and Secure Boot 25 Quiet System Technology QST formerly known as Advanced Fan Speed Control AFSC which provides support for acoustically optimized fan speed control and monitoring of temperature voltage current and fan speed sensors that are provided in the chipset CPU and other devices present on the motherboard Communication with the QST firmware subsystem is documented and available through the official software development kit SDK 29 Protected Audio Video Path 30 11 Intel Anti Theft Technology AT discontinued in 2015 31 32 Serial over LAN SOL 33 Intel Platform Trust Technology PTT a firmware based Trusted Platform Module TPM 28 34 Near Field Communication a middleware for NFC readers and vendors to access NFC cards and provide secure element access found in later MEI versions 35 Security vulnerabilities EditSeveral weaknesses have been found in the ME On May 1 2017 Intel confirmed a Remote Elevation of Privilege bug SA 00075 in its Management Technology 36 Every Intel platform with provisioned Intel Standard Manageability Active Management Technology or Small Business Technology from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME 37 38 Several ways to disable the ME without authorization that could allow ME s functions to be sabotaged have been found 39 40 41 Additional major security flaws in the ME affecting a very large number of computers incorporating ME Trusted Execution Engine TXE and Server Platform Services SPS firmware from Skylake in 2015 to Coffee Lake in 2017 were confirmed by Intel on 20 November 2017 SA 00086 42 43 Unlike SA 00075 this bug is even present if AMT is absent not provisioned or if the ME was disabled by any of the known unofficial methods 44 In July 2018 another set of vulnerabilities was disclosed SA 00112 45 In September 2018 yet another vulnerability was published SA 00125 46 Ring 3 rootkit Edit A ring 3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset it does not work for the later Q45 chipset as Intel implemented additional protections 47 The exploit worked by remapping the normally protected memory region top 16 MB of RAM reserved for the ME The ME rootkit could be installed regardless of whether the AMT is present or enabled on the system as the chipset always contains the ARC ME coprocessor The 3 designation was chosen because the ME coprocessor works even when the system is in the S3 state thus it was considered a layer below the System Management Mode rootkits 18 For the vulnerable Q35 chipset a keystroke logger ME based rootkit was demonstrated by Patrick Stewin 48 49 Zero touch provisioning Edit Another security evaluation by Vassilios Ververis showed serious weaknesses in the GM45 chipset implementation In particular it criticized AMT for transmitting unencrypted passwords in the SMB provisioning mode when the IDE redirection and Serial over LAN features are used It also found that the zero touch provisioning mode ZTC is still enabled even when the AMT appears to be disabled in BIOS For about 60 euros Ververis purchased from GoDaddy a certificate that is accepted by the ME firmware and allows remote zero touch provisioning of possibly unsuspecting machines which broadcast their HELLO packets to would be configuration servers 50 SA 00075 a k a Silent Bob is Silent Edit In May 2017 Intel confirmed that many computers with AMT have had an unpatched critical privilege escalation vulnerability CVE 2017 5689 38 51 36 52 53 The vulnerability which was nicknamed Silent Bob is Silent by the researchers who had reported it to Intel 54 affects numerous laptops desktops and servers sold by Dell Fujitsu Hewlett Packard later Hewlett Packard Enterprise and HP Inc Intel Lenovo and possibly others 54 55 56 57 58 59 60 Those researchers claimed that the bug affects systems made in 2010 or later 61 Other reports claimed the bug also affects systems made as long ago as 2008 62 38 The vulnerability was described as giving remote attackers full control of affected machines including the ability to read and modify everything It can be used to install persistent malware possibly in firmware and read and modify any data Tatu Ylonen ssh com 54 PLATINUM Edit In June 2017 the PLATINUM cybercrime group became notable for exploiting the serial over LAN SOL capabilities of AMT to perform data exfiltration of stolen documents 63 64 65 66 67 68 69 70 SOL is disabled by default and must be enabled to exploit this vulnerability 71 SA 00086 Edit Some months after the previous bugs and subsequent warnings from the EFF 4 security firm Positive Technologies claimed to have developed a working exploit 72 On 20 November 2017 Intel confirmed that a number of serious flaws had been found in the Management Engine mainstream Trusted Execution Engine tablet mobile and Server Platform Services high end server firmware and released a critical firmware update 73 74 Essentially every Intel based computer for the last several years including most desktops and servers were found to be vulnerable to having their security compromised although all the potential routes of exploitation were not entirely known 74 It is not possible to patch the problems from the operating system and a firmware UEFI BIOS update to the motherboard is required which was anticipated to take quite some time for the many individual manufacturers to accomplish if it ever would be for many systems 42 Affected systems 73 Edit Intel Atom C3000 family Intel Atom Apollo Lake E3900 series Intel Celeron N and J series Intel Core i3 i5 i7 i9 1st 2nd 3rd 4th 5th 6th 7th and 8th generation Intel Pentium Apollo Lake Intel Xeon E3 1200 v5 and v6 product family Intel Xeon Scalable family Intel Xeon W familyMitigation Edit None of the known unofficial methods to disable the ME prevent exploitation of the vulnerability A firmware update by the vendor is required However those who discovered the vulnerability note that firmware updates are not fully effective either as an attacker with access to the ME firmware region can simply flash an old vulnerable version and then exploit the bug 44 SA 00112 Edit In July 2018 Intel announced that three vulnerabilities CVE 2018 3628 CVE 2018 3629 CVE 2018 3632 had been discovered and that a patch for the CSME firmware would be required Intel indicated there would be no patch for 3rd generation Core processors or earlier despite chips or their chipsets as far back as Intel Core 2 Duo vPro and Intel Centrino 2 vPro being affected However Intel AMT must be enabled and provisioned for the vulnerability to exist 45 75 Assertions that ME is a backdoor EditCritics like the Electronic Frontier Foundation EFF Libreboot developers and security expert Damien Zammit accused the ME of being a backdoor and a privacy concern 76 4 Zammit stresses that the ME has full access to memory without the owner controlled CPU cores having any knowledge and has full access to the TCP IP stack and can send and receive network packets independently of the operating system thus bypassing its firewall 5 Intel responded by saying that Intel does not put back doors in its products nor do our products give Intel control or access to computing systems without the explicit permission of the end user 5 and Intel does not and will not design backdoors for access into its products Recent reports claiming otherwise are misinformed and blatantly false Intel does not participate in any efforts to decrease security of its technology 77 In the context of criticism of the Intel ME and AMD Secure Technology it has been pointed out that the National Security Agency NSA budget request for 2013 contained a Sigint Enabling Project with the goal to Insert vulnerabilities into commercial encryption systems IT systems and it has been conjectured that Intel ME and AMD Secure Technology might be part of that program 78 79 Disabling the ME EditIt is normally not possible for the end user to disable the ME and there is no officially supported method to disable it but some undocumented methods to do so were discovered 42 The ME s security architecture is designed to prevent disabling Intel considers disabling ME to be a security vulnerability as a malware could abuse it to make the computer lose some of the functionality that the typical user expects such as the ability to play media with DRM specifically DRM media that are using HDCP 80 81 But on the other hand it is also possible for malicious actors to use the ME to remotely compromise a system Strictly speaking none of the known methods can disable the ME completely since it is required for booting the main CPU The currently known methods merely make the ME go into abnormal states soon after boot in which it seems not to have any working functionality The ME is still physically connected to the system and its microprocessor continues to execute code citation needed Some manufacturers like Purism and System76 disable Intel Management Engine 82 83 Undocumented methods Edit Firmware neutralization Edit In 2016 the me cleaner project found that the ME s integrity verification is broken The ME is supposed to detect that it has been tampered with and if this is the case shut down the PC forcibly 30 minutes after system start 84 This prevents a compromised system from running undetected yet allows the owner to fix the issue by flashing a valid version of the ME firmware during the grace period As the project found out by making unauthorized changes to the ME firmware it was possible to force it into an abnormal error state that prevented triggering the shutdown even if large parts of the firmware had been overwritten and thus made inoperable High Assurance Platform mode Edit In August 2017 Positive Technologies Dmitry Sklyarov published a method to disable the ME via an undocumented built in mode As Intel has confirmed 85 the ME contains a switch to enable government authorities such as the NSA to make the ME go into High Assurance Platform HAP mode after boot This mode disables most of ME s functions 77 86 and was intended to be available only in machines produced for specific purchasers like the US government however most machines sold on the retail market can be made to activate the switch 86 87 Manipulation of the HAP bit was quickly incorporated into the me cleaner project 88 Commercial ME disablement Edit This article relies excessively on references to primary sources Please improve this article by adding secondary or tertiary sources Find sources Intel Management Engine news newspapers books scholar JSTOR May 2023 Learn how and when to remove this template message From late 2017 on several laptop vendors announced their intentions to ship laptops with the Intel ME disabled or let the end users disable it manually Minifree Ltd has provided Libreboot pre loaded laptops with Intel ME either not present or disabled since at least 2015 89 90 91 Purism previously petitioned Intel to sell processors without the ME or release its source code calling it a threat to users digital rights 92 In March 2017 Purism announced that it had neutralized the ME by erasing the majority of the ME code from the flash memory 93 It further announced in October 2017 94 that new batches of their Librem line of laptops running PureOS will ship with the ME neutralized and additionally disable most ME operation via the HAP bit Updates for existing Librem laptops were also announced In November System76 announced their plan to disable the ME on their new and recent machines which ship with Pop OS via the HAP bit 95 In December Dell began showing certain laptops on its website that offered the Systems Management option Intel vPro ME Inoperable Custom Order for an additional fee Dell has not announced or publicly explained the methods used In response to press requests Dell stated that those systems had been offered for quite a while but not for the general public and had found their way to the website only inadvertently 96 The laptops are available only by custom order and only to military government and intelligence agencies 97 They are specifically designed for covert operations such as providing a very robust case and a stealth operating mode kill switch that disables display LED lights speaker fan and any wireless technology 98 In March 2018 Tuxedo Computers a German company which specializes in PCs which run Linux kernel based operating systems announced an option in the BIOS of their system to disable ME 99 In February 2021 Nitrokey a German company specialized in producing Security Tokens announced NitroPC a device identical to Purism s Librem Mini 100 In January 2023 monocles a German start up which offers several privacy friendly and secure services and devices sells the monocles book 1 a refurbished notebook with disabled Intel ME and plans to produce own Notebooks without Intel ME from factory 101 Effectiveness against vulnerabilities Edit Neither of the two methods to disable the ME discovered so far turned out to be an effective countermeasure against the SA 00086 vulnerability 44 This is because the vulnerability is in an early loaded ME module that is essential to boot the main CPU citation needed Reactions EditBy Google Edit As of 2017 update Google was attempting to eliminate proprietary firmware from its servers and found that the ME was a hurdle to that 42 By AMD processor vendors Edit Shortly after SA 00086 was patched vendors for AMD processor mainboards started shipping BIOS updates that allow disabling the AMD Platform Security Processor 102 a subsystem with similar function as the ME See also EditAMD Platform Security Processor ARM TrustZone Intel AMT versions Intel vPro Meltdown security vulnerability Microsoft Pluton Next Generation Secure Computing Base Samsung Knox Spectre security vulnerability Trusted Computing Trusted Execution Technology Trusted Platform ModuleReferences Edit a b c Oster Joseph E September 3 2019 Getting Started with Intel Active Management Technology Intel AMT Intel Retrieved September 22 2020 a b Intel AMT and the Intel ME Intel Archived from the original on February 21 2019 a href Template Cite web html title Template Cite web cite web a CS1 maint unfit URL link Frequently Asked Questions for the Intel Management Engine Verification Utility Built into many Intel Chipset based platforms is a small low power computer subsystem called the Intel Management Engine Intel ME a b c Portnoy Erica Eckersley Peter May 8 2017 Intel s Management Engine is a security hazard and users need a way to disable it Electronic Frontier Foundation Retrieved February 21 2020 a b c Wallen Jack July 1 2016 Is the Intel Management Engine a backdoor Frequently Asked Questions for the Intel Management Engine Verification Utility The Intel ME performs various tasks while the system is in sleep during the boot process and when your system is running Black Hat Europe 2017 BlackHat com Frequently Asked Questions for the Intel Management Engine Verification Utility This subsystem must function correctly to get the most performance and capability from your PC Hoffman Chris Intel Management Engine Explained The Tiny Computer Inside Your CPU How To Geek Eckersley Erica Portnoy and Peter May 8 2017 Intel s Management Engine is a security hazard and users need a way to disable it Electronic Frontier Foundation a b Intel ME huffman dictionaries Unhuffme v2 4 IO NetGarage org a b Positive Technologies Blog Disabling Intel ME 11 via undocumented mode Archived from the original on August 28 2017 Retrieved August 30 2017 a b Igor Skochinsky Hex Rays Rootkit in your laptop Ruxcon Breakpoint 2012 Intel Ethernet Controller I210 Datasheet PDF Intel 2013 pp 1 15 52 621 776 Retrieved November 9 2013 Intel Ethernet Controller X540 Product Brief PDF Intel 2012 Retrieved February 26 2014 Archived copy Archived from the original on November 1 2014 Retrieved February 25 2014 a href Template Cite web html title Template Cite web cite web a CS1 maint archived copy as title link Introduction The Linux Kernel documentation Kernel org a b Rutkowska Joanna A Quest to the Core PDF Invisiblethingslab com Retrieved May 25 2016 Archived copy PDF Archived from the original PDF on February 11 2014 Retrieved February 26 2014 a href Template Cite web html title Template Cite web cite web a CS1 maint archived copy as title link Platforms II PDF Users nik uni obuda hu Retrieved May 25 2016 a b FatTwin F618R3 FT F618R3 FTPT User s Manual PDF Super Micro The Manageability Engine which is an ARC controller embedded in the IOH I O Hub provides Server Platform Services SPS to your system The services provided by SPS are different from those provided by the ME on client platforms Intel Xeon Processor E3 1200 v6 Product Family Product Brief Intel Intel Server Platform Services Intel SPS Designed for managing rack mount servers Intel Server Platform Services provides a suite of tools to control and monitor power thermal and resource utilization Intel Xeon Processor D 1500 Product Family PDF Intel Intel Trusted Execution Engine Driver Dell This package provides the drivers for the Intel Trusted Execution Engine and is supported on Dell Venue 11 Pro 5130 Tablet a b Intel Trusted Execution Engine Driver for Intel NUC Kit NUC5CPYH NUC5PPYH NUC5PGYH Intel Installs the Intel Trusted Execution Engine Intel TXE driver and firmware for Windows 10 and Windows 7 8 1 64 bit The Intel TXE driver is required for Secure Boot and platform security features Intel ME The Way of the Static Analysis Troopers 2017 Positive Technologies Blog The Way of the Static Analysis a b Intel Hardware based Security Technologies for Intelligent Retail Devices PDF Intel Intel Quiet System Technology 2 0 Programmer s Reference Manual PDF Intel February 2010 Retrieved August 25 2014 The Intel Management Engine a Privacy Nightmare ProPrivacy com September 2012 Patrick Kennedy 21 September 21 2012 Intel vPro In 2012 Small Business Advantage And Anti Theft Tech Tom s Hardware McAfee KB End of Life for McAfee Intel Anti Theft TS101986 service mcafee com Archived from the original on August 1 2020 Retrieved September 10 2020 Using Intel AMT serial over LAN to the fullest Intel How To Enable BitLocker With Intel PTT and No TPM For Better Security Legit Reviews May 8 2019 Retrieved September 8 2020 MEI NFC a b Intel Active Management Technology Intel Small Business Technology and Intel Standard Manageability Escalation of Privilege Intel com March 17 2020 Retrieved September 22 2020 Charlie Demerjian May 1 2017 Remote security exploit in all 2008 Intel platforms SemiAccurate Retrieved May 7 2017 a b c Red alert Intel patches remote execution hole that s been hidden in chips since 2010 TheRegister co uk Retrieved May 7 2017 Alaoui Youness October 19 2017 Deep dive into Intel Management Engine disablement Alaoui Youness March 9 2017 Neutralizing the Intel Management Engine on Librem Laptops Positive Technologies Blog Disabling Intel ME 11 via undocumented mode Archived from the original on August 28 2017 Retrieved August 30 2017 a b c d Intel Patches Major Flaws in the Intel Management Engine Extreme Tech Claburn Thomas November 20 2017 Intel finds critical holes in secret Management Engine hidden in tons of desktop server chipsets The Register a b c Intel Management Engine pwned by buffer overflow TheRegister com a b INTEL SA 00112 Intel INTEL SA 00125 Intel Invisible Things Lab to present two new technical presentations disclosing system level vulnerabilities affecting modern PC hardware at its core PDF Invisiblethingslab com Archived from the original PDF on April 12 2016 Retrieved May 25 2016 FG Security in telecommunications Evaluating Ring 3 Rootkits PDF Stewin org Archived from the original PDF on March 4 2016 Retrieved May 25 2016 Persistent Stealthy Remote controlled Dedicated Hardware Malware PDF Stewin org Archived from the original PDF on March 3 2016 Retrieved May 25 2016 Security Evaluation of Intel s Active Management Technology PDF Web it kth se Retrieved May 25 2016 CVE CVE 2017 5689 Cve mitre org Archived from the original on May 5 2017 Retrieved May 7 2017 Intel Hidden Management Engine x86 Security Risk Darknet June 16 2016 Retrieved May 7 2017 Garrett Matthew May 1 2017 Intel s remote AMT vulnerablity mjg59 dreamwidth org Retrieved May 7 2017 a b c 2017 05 05 ALERT Intel AMT EXPLOIT OUT IT S BAD DISABLE AMT NOW Ssh com Accessdate 2017 05 07 Archived from the original on March 5 2018 Retrieved November 25 2017 Dan Goodin May 6 2017 The Hijacking Flaw That Lurked in Intel Chips Is Worse than Anyone Thought Ars Technica Retrieved May 8 2017 General BIOS updates due to Intel AMT IME vulnerability General Hardware Laptop Dell Community En Community Dell com May 2 2017 Retrieved May 7 2017 Advisory note Intel Firmware vulnerability Fujitsu Technical Support pages from Fujitsu Fujitsu Continental Europe Middle East Africa amp India Support ts fujitsu com May 1 2017 Retrieved May 8 2017 HPE HPE CS700 2 0 for VMware H22208 www2 hpe com May 1 2017 Retrieved May 7 2017 Intel Security Advisory regarding escalation o Intel Communities Communities Intel com May 4 2017 Retrieved May 7 2017 Intel Active Management Technology Intel Small Business Technology and Intel Standard Manageability Remote Privilege Escalation Support lenovo com Retrieved May 7 2017 MythBusters CVE 2017 5689 Embedi com May 2 2017 Archived from the original on August 17 2018 Charlie Demerjian May 1 2017 Remote security exploit in all 2008 Intel platforms SemiAccurate com Retrieved May 7 2017 Sneaky hackers use Intel management tools to bypass Windows firewall June 9 2017 Retrieved June 10 2017 Tung Liam Windows firewall dodged by hot patching spies using Intel AMT says Microsoft ZDNet ZDNet Retrieved June 10 2017 PLATINUM continues to evolve find ways to maintain invisibility June 7 2017 Retrieved June 10 2017 Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls Retrieved June 10 2017 Hackers abuse low level management feature for invisible backdoor iTnews Retrieved June 10 2017 Vxers exploit Intel s Active Management for malware over LAN The Register TheRegister co uk Retrieved June 10 2017 Security heise Intel Fernwartung AMT bei Angriffen auf PCs genutzt Security Retrieved June 10 2017 PLATINUM activity group file transfer method using Intel AMT SOL Channel 9 Retrieved June 10 2017 Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls BleepingComputer Black Hat Europe 2017 BlackHat com a b Intel Management Engine Critical Firmware Update Intel SA 00086 Intel a b Newman Lily Hay Intel Chip Flaws Leave Millions of Devices Exposed Wired Intel Active Management Technology 9 x 10 x 11 x Security Review Intel Cimpanu Catalin June 17 2016 Intel x86 CPUs Come with a Secret Backdoor That Nobody Can Touch or Disable softpedia a b Intel ME controller chip has secret kill switch TheRegister com Documents Reveal N S A Campaign Against Encryption The New York Times Leserforum C t 2018 7 10 11 March 16 2018 HDCP 2 2 Content Protection Being Worked On For The i915 DRM Driver HDCP 2 2 Support Updated For The Intel DRM Linux Driver What is Intel Management Engine and what are concerns with it regarding Librem laptops Major Updates for System76 Open Firmware corna me cleaner September 10 2020 via GitHub Researchers Find a Way to Disable Much Hated Intel ME Component Courtesy of the NSA BleepingComputer a b Research Author Positive Disabling Intel ME 11 via undocumented mode Archived from the original on December 1 2020 a href Template Cite web html title Template Cite web cite web a first has generic name help corna me cleaner GitHub March 19 2022 Set the HAP bit ME gt 11 or the AltMeDisable bit ME lt 11 corna me cleaner ced3b46 GitHub Libreboot T400 laptop now FSF certified to respect your freedom Free Software Foundation Working together for free software www fsf org Retrieved April 30 2023 Barwaldt Erik Liberated Linux Magazine Linux Magazine Retrieved April 30 2023 Biggs John August 11 2017 The Minifree Libreboot T400 is free as in freedom TechCrunch Retrieved April 30 2023 Petition for Intel to Release an ME Less CPU Design June 16 2016 Archived from the original on June 16 2016 Alaoui Youness March 9 2017 Neutralizing the Intel Management Engine on Librem Laptops puri sm Retrieved December 13 2017 Purism Librem Laptops Completely Disable Intel s Management Engine October 19 2017 System76 ME Firmware Updates Plan System76 Blog Dell Sells PCs without Intel s Management Engine but with Tradeoffs ExtremeTech com online heise Dell schaltet Intel Management Engine in Spezial Notebooks ab heise online Dell Latitude 14 Rugged 5414 Series Owner s Manual Dell com TUXEDO deaktiviert Intels Management Engine TUXEDO Computers www tuxedocomputers com Retrieved February 7 2021 NitroPC Powerful and Secure Mini PC www nitrokey com Retrieved December 8 2021 monocles book 1 monocles store Retrieved January 30 2023 AMD Reportedly Allows Disabling PSP Secure Processor With Latest AGESA Phoronix Phoronix com December 7 2017 Retrieved April 16 2019 External links EditIntel SA 00086 security vulnerability detection tool Behind the Scenes of Intel Security and Manageability Engine Retrieved from https en wikipedia org w index php title Intel Management Engine amp oldid 1180394050, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.