It's been a year since we warned that Intel's Management Engine -- a separate computer within your own computer, intended to verify and supervise the main system -- presented a terrifying, unauditable security risk that could lead to devastating, unstoppable attacks. Guess what happened next?
For the past week, the IT press has been full of news about the AMT module in the Management Engine making millions of systems vulnerable to local and remote attacks, with a firmware update to disable the module as the only really comprehensive solution. But AMT is only one of the many components of ME, and every one of them could have a vulnerability as grave as this one -- and Intel is not offering any way to turn off ME altogether, meaning that there's a lot of this in our future.
ME is a brilliant example of why declaring war on general-purpose computing is a terrible idea. There are lots of reasons to want a computer that can only run some programs (instead of every program): preventing poisoned operating systems and other malware, preventing game cheating, enforcing copyright restrictions (DRM), etc... Every one of them is presented as a use-case for ME.
But ME isn't a way of designing a computer that can only run "good" programs. Instead, it's a way of putting your general-purpose, universal computer under the supervision of another general-purpose, universal computer, and declaring this second computer (the ME system) to be off-limits to auditing, user-control, modification, etc. That works great, provided that your second computer has perfect security and zero flaws in its programming. But if there is even a single, minor flaw in that second system, you now have a devastating security disaster, because your main computer, by design, can't tell you what that second system is doing, nor can it override the instructions that the supervising system sends it -- once that supervising system is compromised, it's game over.
Intel won't tell us how to disable ME altogether for lots of reasons, but a big one is surely the fact that they've sold lots of entertainment companies on the promise of using ME for DRM -- for example, to stop you from running a program that converts one of the W3C's DRM-locked video streams into a download. Letting you shut down this back door into your computer -- and your whole digital life -- would also eliminate the means by which Intel plans to stop you from watching TV the wrong way. This is a terrible trade-off.
So we call upon Intel to:
Provide clear documentation for the software modules that are preinstalled on various Management Engines. What HECI commands provide a full list of the installed modules/services? What are the interfaces to those services?
Provide a way for their customers to audit ME code for vulnerabilities. That is presently impossible because the code is kept secret.
Offer a supported way to disable the ME. If that’s literally impossible, users should be able to flash an absolutely minimal, community-auditable ME firmware image.
On systems where the ME is an essential requirement for other security features that are important to some users (like Boot Guard), offer an additional option of a near-minimal, community-auditable ME firmware image that performs these security functions, and nothing else. Or alternatively, a supported way to build and flash firmware images where the user can inspect and control which services/modules are present, in order to manage security risks from those modules.
Until Intel takes these steps, we have reason to fear that the undocumented master controller inside our Intel chips could continue to be a source of serious vulnerabilities in personal computers, servers, and critical cybersecurity and physical infrastructure. Intel needs to act quickly to provide the community with an auditable solution to these threats.
[Peter Eckersley and Erica Portnoy/Electronic Frontier Foundation]
(Banner: PIC12C508-HD, ZeptoBars, CC-BY; Diagram, CC0)