Intel Management Engine

The Management Engine is often confused with Intel AMT (Intel Active Management Technology). AMT runs on the ME, but is only available on processors with vPro. AMT gives device owners remote administration of their computer,{{cite web |last=Wallen |first=Jack |date=July 1, 2016 |title=Is the Intel Management Engine a backdoor? |url=https://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/}} such as powering it on or off, and reinstalling the operating system.

However, the ME itself has been built into all Intel chipsets since 2008, not only those with AMT. While AMT can be unprovisioned by the owner, there is no official, documented way to disable the ME.

The subsystem primarily consists of proprietary firmware running on a separate microprocessor that performs tasks during boot-up, while the computer is running, and while it is asleep.{{cite web |title=Frequently Asked Questions for the Intel Management Engine Verification Utility |url=https://www.intel.com/content/www/us/en/support/articles/000005974/software/chipset-software.html |quote=The Intel ME performs various tasks while the system is in sleep, during the boot process, and when your system is running.}} As long as the chipset or SoC is supplied with power (via battery or power supply), it continues to run even when the system is turned off.{{Cite web|url=https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668|title=Black Hat Europe 2017|website=BlackHat.com}} Intel claims the ME is required to provide full performance.{{cite web |title=Frequently Asked Questions for the Intel Management Engine Verification Utility |url=https://www.intel.com/content/www/us/en/support/articles/000005974/software/chipset-software.html |quote=This subsystem must function correctly to get the most performance and capability from your PC.}} Its exact workings{{Cite web|url=https://www.howtogeek.com/334013/intel-management-engine-explained-the-tiny-computer-inside-your-cpu/|title=Intel Management Engine, Explained: The Tiny Computer Inside Your CPU|first=Chris|last=Hoffman|website=How-To Geek|date=November 22, 2017 }} are largely undocumented{{Cite web|url=https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it|title=Intel's Management Engine is a security hazard, and users need a way to disable it|first=Erica Portnoy and Peter|last=Eckersley|date=May 8, 2017|website=Electronic Frontier Foundation}} and its code is obfuscated using confidential Huffman tables stored directly in hardware, so the firmware does not contain the information necessary to decode its contents.{{Cite web|url=http://io.netgarage.org/me/|title=Intel ME huffman dictionaries - Unhuffme v2.4|website=IO.NetGarage.org}}

Starting with ME 11 (introduced in Skylake CPUs), it is based on the Intel Quark x86-based 32-bit CPU and runs the MINIX 3 operating system.{{cite web |url=http://blog.ptsecurity.com/2017/08/disabling-intel-me.html |title=Positive Technologies Blog: Disabling Intel ME 11 via undocumented mode |access-date=2017-08-30 |archive-date=August 28, 2017 |archive-url=https://web.archive.org/web/20170828150536/http://blog.ptsecurity.com/2017/08/disabling-intel-me.html |url-status=dead }} The ME firmware is stored in a partition of the SPI BIOS Flash, using the Embedded Flash File System (EFFS). Previous versions were based on an ARC core, with the Management Engine running the ThreadX RTOS. Versions 1.x to 5.x of the ME used the ARCTangent-A4 (32-bit only instructions) whereas versions 6.x to 8.x used the newer ARCompact (mixed 32- and 16-bit instruction set architecture). Starting with ME 7.1, the ARC processor could also execute signed Java applets.

The ME has its own MAC and IP address for the out-of-band management interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, for what support exists in various Ethernet controllers, exported and made configurable via Management Component Transport Protocol (MCTP).{{cite web | url = http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/i210-ethernet-controller-datasheet.pdf | title = Intel Ethernet Controller I210 Datasheet | year = 2013 | access-date = November 9, 2013 | publisher = Intel | pages = 1, 15, 52, 621–776 }}{{cite web | url = http://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/ethernet-x540-brief.pdf | title = Intel Ethernet Controller X540 Product Brief | year = 2012 | access-date = February 26, 2014 | publisher = Intel }} The ME also communicates with the host via PCI interface.Igor Skochinsky (Hex-Rays) [http://2012.ruxconbreakpoint.com/assets/Uploads/bpx/Breakpoint%202012%20Skochinsky.pdf Rootkit in your laptop], Ruxcon Breakpoint 2012 Under Linux, communication between the host and the ME is done via {{mono|/dev/mei}} or {{mono|/dev/mei0}}.{{cite web|url=https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt |title=Archived copy |access-date=February 25, 2014 |url-status=dead |archive-url=https://web.archive.org/web/20141101045709/https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt |archive-date=November 1, 2014 }}{{Cite web|url=https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html|title=Introduction — The Linux Kernel documentation|website=Kernel.org}}

Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout.{{cite web|url=http://invisiblethingslab.com/resources/misc09/Quest%20To%20The%20Core%20%28public%29.pdf |title=A Quest to the Core |first=Joanna |last=Rutkowska |website=Invisiblethingslab.com |access-date=2016-05-25}} With the newer Intel architectures (Intel 5 Series onwards), the ME is integrated into the Platform Controller Hub (PCH).{{cite web|url=http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/celeron-mobile-p4000-u3000-datasheet.pdf |title=Archived copy |access-date=February 26, 2014 |url-status=dead |archive-url=https://web.archive.org/web/20140211075753/http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/celeron-mobile-p4000-u3000-datasheet.pdf |archive-date=February 11, 2014 }}{{cite web|url=http://users.nik.uni-obuda.hu/sima/letoltes/magyar/SZA2011_osz/nappali/Platforms-3_E_2011_12_14.ppt |format=PDF |title=Platforms II |website=Users.nik.uni-obuda.hu |access-date=2016-05-25}}

By Intel's current terminology as of 2017, ME is one of several firmware sets for the Converged Security and Manageability Engine (CSME). Prior to AMT version 11, CSME was called Intel Management Engine BIOS Extension (Intel MEBx).

• Management Engine (ME) – mainstream chipsets
• Server Platform Services (SPS) – server chipsets and SoCs{{cite web|url=https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200-v6-family-brief.html|title=Intel Xeon Processor E3-1200 v6 Product Family Product Brief|quote=Intel Server Platform Services (Intel SPS): Designed for managing rack-mount servers, Intel Server Platform Services provides a suite of tools to control and monitor power, thermal, and resource utilization.|publisher=Intel}}{{cite web|url=https://www.supermicro.com/manuals/superserver/4U/MNL-1765.pdf|title=FatTwin F618R3-FT+ F618R3-FTPT+ User's Manual|quote=The Manageability Engine, which is an ARC controller embedded in the IOH (I/O Hub), provides Server Platform Services (SPS) to your system. The services provided by SPS are different from those provided by the ME on client platforms.|publisher=Super Micro}}{{cite web|url=https://www.intel.com/content/dam/www/public/us/en/documents/platform-briefs/xeon-processor-d-platform-brief.pdf|title=Intel Xeon Processor D-1500 Product Family|publisher=Intel}}
• Trusted Execution Engine (TXE) – tablet/embedded/low power{{cite web|url=https://www.dell.com/support/home/us/en/19/drivers/driversdetails?driverId=K9HM7|title=Intel Trusted Execution Engine Driver|quote=This package provides the drivers for the Intel Trusted Execution Engine and is supported on Dell Venue 11 Pro 5130 Tablet|publisher=Dell}}{{cite web|url=https://downloadcenter.intel.com/download/24892/Intel-Trusted-Execution-Engine-Driver-for-Intel-NUC-Kit-NUC5CPYH-NUC5PPYH-NUC5PGYH|title=Intel Trusted Execution Engine Driver for Intel NUC Kit NUC5CPYH, NUC5PPYH, NUC5PGYH|publisher=Intel|quote=Installs the Intel Trusted Execution Engine (Intel TXE) driver and firmware for Windows 10 and Windows 7*/8.1*, 64-bit. The Intel TXE driver is required for Secure Boot and platform security features.}}

It was also found that the ME firmware version 11 runs MINIX 3.[https://www.troopers.de/downloads/troopers17/TR17_ME11_Static.pdf Positive Technologies Blog:The Way of the Static Analysis] Management of the ME modules for provisioning inside the UEFI is done via a tool called Intel Flash Image Tool (FITC).

• Active Management Technology (AMT)
• Intel Boot Guard (IBG){{cite web|url=https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf|title=Intel Hardware-based Security Technologies for Intelligent Retail Devices|publisher=Intel}} and Secure Boot
• Quiet System Technology (QST), formerly known as Advanced Fan Speed Control (AFSC), which provides support for acoustically optimized fan speed control, and monitoring of temperature, voltage, current and fan speed sensors that are provided in the chipset, CPU and other devices present on the motherboard. Communication with the QST firmware subsystem is documented and available through the official software development kit (SDK).{{cite web | url = https://software.intel.com/sites/default/files/af/73/Intel_QST_Programmers_Reference_Manual.pdf | title = Intel Quiet System Technology 2.0: Programmer's Reference Manual | date = February 2010 | access-date = August 25, 2014 | publisher = Intel }}
• Protected Audio Video Path, enforces HDCP{{Cite web|url=https://proprivacy.com/privacy-news/intel-management-engine|title=The Intel Management Engine – a Privacy Nightmare|website=ProPrivacy.com}}
• Intel Anti-Theft Technology (AT), discontinued in 2015{{Cite web|url=https://www.tomshardware.com/reviews/vpro-anti-theft-small-business-advantage,3259.html|title=Intel vPro In 2012, Small Business Advantage, And Anti-Theft Tech.|first=Patrick Kennedy 21|last=September 2012|website=Tom's Hardware|date=September 21, 2012}}{{Cite web|url=https://service.mcafee.com/webcenter/portal/oracle/webcenter/page/scopedMD/s55728c97_466d_4ddb_952d_05484ea932c6/Page29.jspx?wc.contextURL=%2Fspaces%2Fcp&articleId=TS101986&leftWidth=0%25&showFooter=false&showHeader=false&rightWidth=0%25¢erWidth=100%25&_afrLoop=383304777056094#!@@?showFooter=false&_afrLoop=383304777056094&articleId=TS101986&leftWidth=0%2525&showHeader=false&wc.contextURL=%252Fspaces%252Fcp&rightWidth=0%2525¢erWidth=100%2525&_adf.ctrl-state=o56hl18tm_9|title=McAfee KB - End of Life for McAfee/Intel Anti-Theft (TS101986)|website=service.mcafee.com|access-date=September 10, 2020|archive-date=August 1, 2020|archive-url=https://web.archive.org/web/20200801222002/https://service.mcafee.com/webcenter/portal/oracle/webcenter/page/scopedMD/s55728c97_466d_4ddb_952d_05484ea932c6/Page29.jspx?wc.contextURL=%2Fspaces%2Fcp&articleId=TS101986&leftWidth=0%25&showFooter=false&showHeader=false&rightWidth=0%25¢erWidth=100%25&_afrLoop=383304777056094#!@@?showFooter=false&_afrLoop=383304777056094&articleId=TS101986&leftWidth=0%2525&showHeader=false&wc.contextURL=%252Fspaces%252Fcp&rightWidth=0%2525¢erWidth=100%2525&_adf.ctrl-state=o56hl18tm_9|url-status=dead}}
• Serial over LAN (SOL){{cite web|url=https://software.intel.com/en-us/articles/using-intel-amt-serial-over-lan-to-the-fullest|title=Using Intel AMT serial-over-LAN to the fullest|publisher=Intel}}
• Intel Platform Trust Technology (PTT), a firmware-based Trusted Platform Module (TPM){{Cite web|date=2019-05-08|title=How To Enable BitLocker With Intel PTT and No TPM For Better Security|url=https://www.legitreviews.com/how-to-enable-bitlocker-with-intel-ptt-and-no-tpm-for-better-security_211713|access-date=2020-09-08|website=Legit Reviews}}
• Near Field Communication, a middleware for NFC readers and vendors to access NFC cards and provide secure element access, found in later MEI versions.{{cite web|url=https://www.kernel.org/doc/html/latest/driver-api/mei/nfc.html|title=MEI NFC}}

Several weaknesses have been found in the ME. On May 1, 2017, Intel confirmed a Remote Elevation of Privilege bug (SA-00075) in its Management Technology.{{cite web|url=https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00075.html |title=Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege |website=Intel.com |date=March 17, 2020 |access-date=September 22, 2020}} Every Intel platform with provisioned Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME.{{cite web|author=Charlie Demerjian |url=https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/ |title=Remote security exploit in all 2008+ Intel platforms |publisher=SemiAccurate |date=2017-05-01 |access-date=2017-05-07}}{{cite web|url=https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/ |title=Red alert! Intel patches remote execution hole that's been hidden in chips since 2010 |website=TheRegister.co.uk |access-date=2017-05-07}} Several ways to disable the ME without authorization that could allow ME's functions to be sabotaged have been found.{{cite web |last1=Alaoui |first1=Youness |date=October 19, 2017 |title=Deep dive into Intel Management Engine disablement |url=https://puri.sm/posts/deep-dive-into-intel-me-disablement/ }}{{cite web |last1=Alaoui |first1=Youness |date=March 9, 2017 |title=Neutralizing the Intel Management Engine on Librem Laptops |url=https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/}} Additional major security flaws in the ME affecting a very large number of computers incorporating ME, Trusted Execution Engine (TXE), and Server Platform Services (SPS) firmware, from Skylake in 2015 to Coffee Lake in 2017, were confirmed by Intel on 20 November 2017 (SA-00086).{{cite web|url=https://www.extremetech.com/computing/259426-intel-patches-major-flaws-intel-management-engine|title=Intel Patches Major Flaws in the Intel Management Engine|publisher=Extreme Tech}}{{cite web |last=Claburn |first=Thomas |date=20 November 2017 |title=Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets |website=The Register |url=https://www.theregister.com/2017/11/20/intel_flags_firmware_flaws/}} Unlike SA-00075, this bug is even present if AMT is absent, not provisioned or if the ME was "disabled" by any of the known unofficial methods.{{Cite web|url=https://www.theregister.com/2017/12/06/intel_management_engine_pwned_by_buffer_overflow/|title=Intel Management Engine pwned by buffer overflow|website=TheRegister.com}} In July 2018, another set of vulnerabilities was disclosed (SA-00112).{{Cite web|url=https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00112.html|title=INTEL-SA-00112|website=Intel}} In September 2018, yet another vulnerability was published (SA-00125).{{Cite web|url=https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00125.html|title=INTEL-SA-00125|website=Intel}}

A ring −3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset; it does not work for the later Q45 chipset as Intel implemented additional protections.{{cite web |url=http://invisiblethingslab.com/press/itl-press-2009-03.pdf |title=Invisible Things Lab to present two new technical presentations disclosing system-level vulnerabilities affecting modern PC hardware at its core |website=Invisiblethingslab.com |access-date=2016-05-25 |archive-url=https://web.archive.org/web/20160412045958/http://invisiblethingslab.com/press/itl-press-2009-03.pdf |archive-date=2016-04-12 |url-status=dead }} The exploit worked by remapping the normally protected memory region (top 16 MB of RAM) reserved for the ME. The ME rootkit could be installed regardless of whether the AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor. (The "−3" designation was chosen because the ME coprocessor works even when the system is in the S3 state. Thus, it was considered a layer below the System Management Mode rootkits.) For the vulnerable Q35 chipset, a keystroke logger ME-based rootkit was demonstrated by Patrick Stewin.{{cite web |url=http://www.stewin.org/slides/pstewin-SPRING6-EvaluatingRing-3Rootkits.pdf |title=FG Security in telecommunications : Evaluating "Ring-3" Rootkits |website=Stewin.org |access-date=2016-05-25 |archive-url=https://web.archive.org/web/20160304033404/http://www.stewin.org/slides/pstewin-SPRING6-EvaluatingRing-3Rootkits.pdf |archive-date=2016-03-04 |url-status=dead }}{{cite web |url=http://stewin.org/slides/44con_2013-dedicated_hw_malware-stewin_bystrov.pdf |title=Persistent, Stealthy Remote-controlled Dedicated Hardware Malware |website=Stewin.org |access-date=2016-05-25 |archive-url=https://web.archive.org/web/20160303222145/http://stewin.org/slides/44con_2013-dedicated_hw_malware-stewin_bystrov.pdf |archive-date=2016-03-03 |url-status=dead }}

Another security evaluation by Vassilios Ververis showed serious weaknesses in the GM45 chipset implementation. In particular, it criticized AMT for transmitting unencrypted passwords in the SMB provisioning mode when the IDE redirection and Serial over LAN features are used. It also found that the "zero touch" provisioning mode (ZTC) is still enabled even when the AMT appears to be disabled in BIOS. For about 60 euros, Ververis purchased from GoDaddy a certificate that is accepted by the ME firmware and allows remote "zero touch" provisioning of (possibly unsuspecting) machines, which broadcast their HELLO packets to would-be configuration servers.{{cite web|url=http://web.it.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf |title=Security Evaluation of Intel's Active Management Technology |website=Web.it.kth.se |access-date=2016-05-25}}

In May 2017, Intel confirmed that many computers with AMT have had an unpatched critical privilege escalation vulnerability (CVE-2017-5689).{{cite web |url=https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5689 |title=CVE - CVE-2017-5689 |website=Cve.mitre.org |access-date=2017-05-07 |archive-url=https://web.archive.org/web/20170505125225/http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5689 |archive-date=2017-05-05 |url-status=dead }}{{cite web|url=https://www.darknet.org.uk/2016/06/intel-hidden-management-engine-x86-security-risk/ |title=Intel Hidden Management Engine - x86 Security Risk? |publisher=Darknet |date=2016-06-16 |access-date=2017-05-07}}{{cite web|last=Garrett |first=Matthew |url=https://mjg59.dreamwidth.org/48429.html |title=Intel's remote AMT vulnerablity{{sic|hide=y}} |website=mjg59.dreamwidth.org |date=2017-05-01 |access-date=2017-05-07}} The vulnerability was nicknamed "Silent Bob is Silent" by the researchers who had reported it to Intel.{{cite web|url=https://www.ssh.com/vulnerability/intel-amt/|title=2017-05-05 ALERT! Intel AMT EXPLOIT OUT! IT'S BAD! DISABLE AMT NOW!|website=Ssh.com\Accessdate=2017-05-07|access-date=November 25, 2017|archive-date=March 5, 2018|archive-url=https://web.archive.org/web/20180305001456/https://www.ssh.com/vulnerability/intel-amt/|url-status=dead}} It affects numerous laptops, desktops and servers sold by Dell, Fujitsu, Hewlett-Packard (later Hewlett Packard Enterprise and HP Inc.), Intel, Lenovo, and possibly others.{{cite web|author=Dan Goodin |url=https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/ |title=The Hijacking Flaw That Lurked in Intel Chips Is Worse than Anyone Thought |publisher=Ars Technica |date=2017-05-06 |access-date=2017-05-08}}{{cite web |url=http://en.community.dell.com/support-forums/laptop/f/3518/t/20011662 |title=General: BIOS updates due to Intel AMT IME vulnerability - General Hardware - Laptop - Dell Community |website=En.Community.Dell.com |date=May 2, 2017 |access-date=2017-05-07 |archive-date=May 11, 2017 |archive-url=https://web.archive.org/web/20170511075221/http://en.community.dell.com/support-forums/laptop/f/3518/t/20011662 |url-status=dead }}{{cite web|url=http://support.ts.fujitsu.com/content/Intel_Firmware.asp |title=Advisory note: Intel Firmware vulnerability – Fujitsu Technical Support pages from Fujitsu Fujitsu Continental Europe, Middle East, Africa & India |publisher=Support.ts.fujitsu.com |date=2017-05-01 |access-date=2017-05-08}}{{cite web |url=http://h22208.www2.hpe.com/eginfolib/securityalerts/CVE-2017-5689-Intel/CVE-2017-5689.html |title=HPE | HPE CS700 2.0 for VMware |website=H22208.www2.hpe.com |date=2017-05-01 |access-date=2017-05-07 |archive-date=May 8, 2017 |archive-url=https://web.archive.org/web/20170508041543/http://h22208.www2.hpe.com/eginfolib/securityalerts/CVE-2017-5689-Intel/CVE-2017-5689.html |url-status=dead }}{{cite web|url=https://communities.intel.com/thread/114071 |title=Intel Security Advisory regarding escalation o... |Intel Communities |website=Communities.Intel.com |date=May 4, 2017 |access-date=2017-05-07}}{{cite web|url=https://support.lenovo.com/us/en/product_security/LEN-14963 |title=Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Remote Privilege Escalation |website=Support.lenovo.com |access-date=2017-05-07}} Those researchers claimed that the bug affects systems made in 2010 or later.{{cite web

|url=https://www.embedi.com/news/mythbusters-cve-2017-5689

|archive-url=https://web.archive.org/web/20180817215423/https://embedi.com/news/mythbusters-cve-2017-5689

|archive-date=2018-08-17

|title=MythBusters: CVE-2017-5689

|website=Embedi.com

|date=2017-05-02

}} Other reports claimed the bug also affects systems made as long ago as 2008.{{cite web|author=Charlie Demerjian |url=https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/ |title=Remote security exploit in all 2008+ Intel platforms |website=SemiAccurate.com |date=2017-05-01 |access-date=2017-05-07}} The vulnerability was described as giving remote attackers:

{{Blockquote|text="full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware (possibly in firmware), and read and modify any data." |author=Tatu Ylönen|source=ssh.com}}

In June 2017, the PLATINUM cybercrime group became notable for exploiting the serial over LAN (SOL) capabilities of AMT to perform data exfiltration of stolen documents.{{cite web|url=https://arstechnica.com/security/2017/06/sneaky-hackers-use-intel-management-tools-to-bypass-windows-firewall/|title=Sneaky hackers use Intel management tools to bypass Windows firewall|date=June 9, 2017|access-date=10 June 2017}}{{cite web|url=https://www.zdnet.com/article/windows-firewall-dodged-by-hot-patching-spies-using-intel-amt-says-microsoft/|title=Windows firewall dodged by 'hot-patching' spies using Intel AMT, says Microsoft - ZDNet|first=Liam|last=Tung|website=ZDNet|access-date=10 June 2017}}{{cite web|url=https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/|title=PLATINUM continues to evolve, find ways to maintain invisibility|date=June 7, 2017|access-date=10 June 2017}}{{cite web|url=https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/|title=Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls|access-date=10 June 2017}}{{cite web|url=https://www.itnews.com.au/news/hackers-abuse-low-level-management-feature-for-invisible-backdoor-464499|title=Hackers abuse low-level management feature for invisible backdoor|website=iTnews|access-date=10 June 2017}}{{cite web|url=https://www.theregister.co.uk/AMP/2017/06/08/vxers_exploit_intels_amt_for_malwareoverlan/|title=Vxers exploit Intel's Active Management for malware-over-LAN • The Register|website=TheRegister.co.uk|access-date=10 June 2017}}{{cite web|url=https://www.heise.de/security/meldung/Intel-Fernwartung-AMT-bei-Angriffen-auf-PCs-genutzt-3739441.html|title=Intel-Fernwartung AMT bei Angriffen auf PCs genutzt|first=heise|last=Security|website=Security|date=June 9, 2017 |access-date=10 June 2017}}{{cite web|url=https://channel9.msdn.com/Shows/Windows-Security-Blog/PLATINUM-activity-group-file-transfer-method-using-Intel-AMT-SOL|title=PLATINUM activity group file-transfer method using Intel AMT SOL|website=Channel 9|access-date=10 June 2017}} SOL is disabled by default and must be enabled to exploit this vulnerability.{{Cite web|url=https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/|title=Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls|website=BleepingComputer}}

Some months after the previous bugs, and subsequent warnings from the EFF, security firm Positive Technologies claimed to have developed a working exploit.{{Cite web|url=https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668|title=Black Hat Europe 2017|website=BlackHat.com}} On 20 November 2017, Intel confirmed that a number of serious flaws had been found in the Management Engine (mainstream), Trusted Execution Engine (tablet/mobile), and Server Platform Services (high end server) firmware, and released a "critical firmware update".{{cite web|url=https://www.intel.com/content/www/us/en/support/articles/000025619/software.html|title=Intel Management Engine Critical Firmware Update (Intel SA-00086)|publisher=Intel}}{{cite magazine|url=https://www.wired.com/story/intel-management-engine-vulnerabilities-pcs-servers-iot/|title=Intel Chip Flaws Leave Millions of Devices Exposed|magazine=Wired|last1=Newman|first1=Lily Hay}} Essentially, every Intel-based computer for the last several years, including most desktops and servers, were found to be vulnerable to having their security compromised, although all the potential routes of exploitation were not entirely known. It is not possible to patch the problems from the operating system, and a firmware (UEFI, BIOS) update to the motherboard is required, which was anticipated to take quite some time for the many individual manufacturers to accomplish, if it ever would be for many systems.

Source:

• Intel Atom – C3000 family
• Intel Atom – Apollo Lake E3900 series
• Intel Celeron – N and J series
• Intel Core (i3, i5, i7, i9) – 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, and 8th generation
• Intel Pentium – Apollo Lake
• Intel Xeon – E3-1200 v5 and v6 product family
• Intel Xeon – Scalable family
• Intel Xeon – W family

None of the known unofficial methods to disable the ME prevent exploitation of the vulnerability. A firmware update by the vendor is required. However, those who discovered the vulnerability note that firmware updates are not fully effective either, as an attacker with access to the ME firmware region can simply flash an old, vulnerable version and then exploit the bug.

In July 2018, Intel announced that three vulnerabilities ({{CVE|2018-3628|2018-3629|2018-3632}}) had been discovered and that a patch for the CSME firmware would be required. Intel indicated there would be no patch for 3rd generation Core processors or earlier despite chips or their chipsets as far back as Intel Core 2 Duo vPro and Intel Centrino 2 vPro being affected. However, Intel AMT must be enabled and provisioned for the vulnerability to exist.{{Cite web|url=https://www.intel.com/content/www/ca/en/support/articles/000029388/software/chipset-software.html|title=Intel Active Management Technology 9.x/10.x/11.x Security Review...|website=Intel}}

Critics like the Electronic Frontier Foundation (EFF), Libreboot developers, and security expert Damien Zammit accused the ME of being a backdoor and a privacy concern.{{Cite web|url=https://news.softpedia.com/news/intel-x86-cpus-come-with-a-secret-backdoor-that-nobody-can-touch-or-disable-505347.shtml|title=Intel x86 CPUs Come with a Secret Backdoor That Nobody Can Touch or Disable|first=Catalin|last=Cimpanu|website=softpedia|date=June 17, 2016}} Zammit stresses that the ME has full access to memory (without the owner-controlled CPU cores having any knowledge), and has full access to the TCP/IP stack and can send and receive network packets independently of the operating system, thus bypassing its firewall.

Intel responded by saying, "Intel does not put backdoors in its products, nor do our products give Intel control or access to computing systems without the explicit permission of the end user." and "Intel does not and will not design backdoors for access into its products. Recent reports claiming otherwise are misinformed and blatantly false. Intel does not participate in any efforts to decrease the security of its technology."

It is normally not possible for the end-user to disable the ME and there is no officially supported method to disable it, but some undocumented methods to do so were discovered. The ME's security architecture is designed to prevent disabling. Intel considers disabling the ME to be a security vulnerability, as a malware could abuse it to make the computer lose some of the functionality that the typical user expects, such as the ability to play media with DRM, specifically DRM media that is using HDCP.{{cite web|url=https://www.phoronix.com/news/HDCP-2.2-For-i915-DRM|title=HDCP 2.2 Content Protection Being Worked On For The i915 DRM Driver}}{{cite web|url=https://www.phoronix.com/news/HDCP-2.2-Intel-Linux-Driver|title=HDCP 2.2 Support Updated For The Intel DRM Linux Driver}} On the other hand, it is also possible for malicious actors to use the ME to remotely compromise a system.

Strictly speaking, none of the known methods can disable the ME completely, since it is required for booting the main CPU. The currently known methods merely make the ME go into abnormal states soon after boot, in which it seems not to have any working functionality. The ME is still physically connected to the system and its microprocessor continues to execute code.{{Citation needed|date=September 2021|reason=There's no source citated that support this statement}} Some manufacturers like Purism and System76 disable the Intel Management Engine.{{cite web|url=https://puri.sm/faq/what-is-intel-management-engine-and-what-are-concerns-with-it-regarding-librem-laptops/|title=What is Intel Management Engine and what are concerns with it regarding Librem laptops?|date=September 27, 2018 }}{{cite web|url=https://blog.system76.com/post/major-updates-for-system76-open-firmware-june-2023|title=Major Updates for System76 Open Firmware!|date=June 2, 2023 }}

In 2016, the me_cleaner project found that the ME's integrity verification is broken. The ME is supposed to detect that it has been tampered with and, if this is the case, shut down the PC forcibly 30 minutes after system start.{{Cite web|url=https://github.com/corna/me_cleaner|title=corna/me_cleaner|date=September 10, 2020|via=GitHub}} This prevents a compromised system from running undetected, yet allows the owner to fix the issue by flashing a valid version of the ME firmware during the grace period. As the project found out, by making unauthorized changes to the ME firmware, it was possible to force it into an abnormal error state that prevented triggering the shutdown even if large parts of the firmware had been overwritten and thus made inoperable.

In August 2017, Positive Technologies (Dmitry Sklyarov) published a method to disable the ME via an undocumented built-in mode. As Intel has confirmed{{Cite web|url=https://www.bleepingcomputer.com/news/hardware/researchers-find-a-way-to-disable-much-hated-intel-me-component-courtesy-of-the-nsa/|title=Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA|website=BleepingComputer}} the ME contains a switch to enable government authorities such as the NSA to make the ME go into High-Assurance Platform (HAP) mode after boot. This mode disables most of ME's functions,{{Cite web|url=https://www.theregister.com/2017/08/29/intel_management_engine_can_be_disabled/|title=Intel ME controller chip has secret kill switch|website=TheRegister.com}}{{Cite web|url=http://blog.ptsecurity.com/2017/08/disabling-intel-me.html?m=1|title=Disabling Intel ME 11 via undocumented mode|first=Author Positive|last=Research|archive-url=https://web.archive.org/web/20201201175708/http://blog.ptsecurity.com/2017/08/disabling-intel-me.html?m=1|archive-date=December 1, 2020}} and was intended to be available only in machines produced for specific purchasers like the US government; however, most machines sold on the retail market can be made to activate the switch.{{Cite web|url=https://github.com/corna/me_cleaner|title=corna/me_cleaner|website=GitHub|date=March 19, 2022}} Manipulation of the HAP bit was quickly incorporated into the me_cleaner project.{{Cite web|url=https://github.com/corna/me_cleaner/commit/ced3b46ba2ccd74602b892f9594763ef34671652|title=Set the HAP bit (ME >= 11) or the AltMeDisable bit (ME < 11) · corna/me_cleaner@ced3b46|website=GitHub}}

{{Primary sources|date=May 2023}}

From late 2017 on, several laptop vendors announced their intentions to ship laptops with the Intel ME disabled or let the end-users disable it manually:

• Minifree Ltd has provided Libreboot pre-loaded laptops with Intel ME either not present or disabled since at least 2015.{{Cite web |title=Libreboot T400 laptop now FSF-certified to respect your freedom — Free Software Foundation — Working together for free software |url=https://www.fsf.org/news/libreboot-t400-laptop-now-fsf-certified-to-respect-your-freedom |access-date=2023-04-30 |website=www.fsf.org}}{{Cite web |last=Bärwaldt |first=Erik |title=Liberated » Linux Magazine |url=http://www.linux-magazine.com/Issues/2018/210/Free-Firmware-with-Libreboot |access-date=2023-04-30 |website=Linux Magazine |language=en-US}}{{Cite web |last=Biggs |first=John |date=2017-08-11 |title=The Minifree Libreboot T400 is free as in freedom |url=https://techcrunch.com/2017/08/11/the-minifree-libreboot-t400-is-free-as-in-freedom/ |access-date=2023-04-30 |website=TechCrunch |language=en-US}}
• Purism previously petitioned Intel to sell processors without the ME, or release its source code, calling it "a threat to users' digital rights".{{Cite web|url=https://puri.sm/posts/petition-for-intel-to-release-an-me-less-cpu-design/|title=Petition for Intel to Release an ME-Less CPU Design|date=June 16, 2016|archive-url=https://web.archive.org/web/20160616070449/https://puri.sm/posts/petition-for-intel-to-release-an-me-less-cpu-design/|archive-date=June 16, 2016}} In March 2017, Purism announced that it had neutralized the ME by erasing the majority of the ME code from the flash memory.{{Cite web|url=https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/|title=Neutralizing the Intel Management Engine on Librem Laptops|last=Alaoui|first=Youness|date=2017-03-09|website=puri.sm|language=en-US|access-date=2017-12-13}} It further announced in October 2017{{Cite web|url=https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/|title=Purism Librem Laptops Completely Disable Intel's Management Engine|date=October 19, 2017}} that new batches of their Librem line of laptops running PureOS will ship with the ME neutralized, and additionally disable most ME operation via the HAP bit. Updates for existing Librem laptops were also announced.
• In November, System76 announced their plan to disable the ME on their new and recent machines which ship with Pop!_OS via the HAP bit.{{Cite web|url=https://blog.system76.com/post/168050597573/system76-me-firmware-updates-plan|title=System76 ME Firmware Updates Plan|website=System76 Blog|access-date=September 10, 2020|archive-date=August 15, 2020|archive-url=https://web.archive.org/web/20200815170940/https://blog.system76.com/post/168050597573/system76-me-firmware-updates-plan|url-status=dead}}
• In December, Dell began showing certain laptops on its website that offered the "Systems Management" option "Intel vPro - ME Inoperable, Custom Order" for an additional fee. Dell has not announced or publicly explained the methods used. In response to press requests, Dell stated that those systems had been offered for quite a while, but not for the general public, and had found their way to the website only inadvertently.{{Cite web|url=https://www.extremetech.com/computing/260219-dell-sells-pcs-without-intel-management-engine-tradeoffs|title=Dell Sells PCs without Intel's Management Engine, but with Tradeoffs|website=ExtremeTech.com}} The laptops are available only by custom order and only to military, government and intelligence agencies.{{Cite web|url=https://www.heise.de/newsticker/meldung/Dell-schaltet-Intel-Management-Engine-in-Spezial-Notebooks-ab-3909860.html|title=Dell schaltet Intel Management Engine in Spezial-Notebooks ab|trans-title=Dell switches off Intel Management Engine in special notebooks|first=heise|last=online|website=heise online|date=December 6, 2017|lang=de }} They are specifically designed for covert operations, such as providing a very robust case and a "stealth" operating mode kill switch that disables display, LED lights, speaker, fan and any wireless technology.{{Cite web|url=https://www.dell.com/support/manuals/us/en/04/latitude-14-5414-laptop/5414_om/stealth-mode?guid=guid-3655713b-6a1b-46a8-ba69-eaa3c324b3cd&lang=en-us|title=Dell Latitude 14 Rugged — 5414 Series Owner's Manual|website=Dell.com}}
• In March 2018, Tuxedo Computers, a German company which specializes in PCs which run Linux kernel-based operating systems, announced an option in the BIOS of their system to disable ME.{{Cite web|title=TUXEDO deaktiviert Intels Management Engine - TUXEDO Computers|url=https://www.tuxedocomputers.com/de/Infos/News/TUXEDO-deaktiviert-Intels-Management-Engine|access-date=2021-02-07|website=www.tuxedocomputers.com}}

Neither of the two methods to disable the ME discovered so far turned out to be an effective countermeasure against the SA-00086 vulnerability. This is because the vulnerability is in an early-loaded ME module that is essential to boot the main CPU.{{Citation needed|date=September 2020}}

{{As of|2017|post=,}} Google was attempting to eliminate proprietary firmware from its servers and found that the ME was a hurdle to that.

Shortly after SA-00086 was patched, vendors for AMD processor mainboards started shipping BIOS updates that allow disabling the AMD Platform Security Processor,{{Cite web|url=https://www.phoronix.com/scan.php?page=news_item&px=AMD-PSP-Disable-Option|title=AMD Reportedly Allows Disabling PSP Secure Processor With Latest AGESA - Phoronix|date=7 December 2017|website=Phoronix.com|access-date=2019-04-16}} a subsystem with a similar function as the ME.

• AMD Platform Security Processor
• ARM TrustZone
• Intel AMT versions
• Intel vPro
• Meltdown (security vulnerability)
• Microsoft Pluton
• Next-Generation Secure Computing Base
• Samsung Knox
• Spectre (security vulnerability)
• Trusted Computing
• Trusted Execution Technology
• Trusted Platform Module

{{Reflist}}

• [https://downloadcenter.intel.com/download/27150 Intel® Converged Security and Management Engine Version Detection Tool (Intel® CSMEVDT) (Intel-SA-00086 security vulnerability detection tool)] from Intel Download Center
• [https://i.blackhat.com/USA-19/Wednesday/us-19-Hasarfaty-Behind-The-Scenes-Of-Intel-Security-And-Manageability-Engine.pdf Behind the Scenes of Intel Security and Manageability Engine]{{dash}} A presentation by Intel security researchers presented in Black Hat USA 2019

{{Firmware and booting}}

Category:Computer security

Category:Remote administration software

Category:Firmware

Category:Intel

Category:BIOS

Category:Minix