Researchers Discover Disabling of Intel ME Backdoor Through NSA Hardware Requirement

Researchers from the cybersecurity company known as Positive Technologies have discovered a way to disable the embedded Management Engine (ME) controller chip of Intel processors. It is also known as a coprocessor. The ME chip allows for remote management of a computer and has long been considered a backdoor. In the past, the Electronic Frontier Foundation (EFF) has called the Management Engine a security hazard, and demanded that users be given the ability to disable it. The embedded ME chip is part of Intel’s Active Management Technology (AMT) and it runs independently of the computer’s main processor and its operating system. ME is embedded onto the Platform Controller Hub (PCH), which gives it access to all data being sent and received by the main processor and all devices. The ME chip has its own firmware and operating system. The code on the ME chip is not publicly available, which has led many to mistrust it and call it a backdoor.

The embedded ME chip can be found on every Intel x86 processor made after 2006. A major vulnerability with Intel’s AMT was discovered in May of this year, which was a remote code execution vulnerability found in millions of Intel chips. Prior attempts to disable the ME chip have failed, or were only partially successful. The me_cleaner project created software that allowed a user to erase most of the ME firmware, but this would only work for about a half of an hour, after which the ME chip would enter a recovery mode which would cause the computer to reboot. Because the firmware is compressed using the Huffman encoding technique, the researchers at Positive Technologies had to develop a piece of software called the Intel ME 11.x Firmware Images Unpacker, or, unME11. The software has been released to the public on github. It consists of two Python scripts which unpack firmware regions for the Intel ME 11 series.

The ability to disable the ME chip is made possible thanks to, of all things, an NSA program. The NSA established the High Assurance Platform (HAP) program to work with the tech industry to develop secure computing platforms. Since ME actually is a security risk, the NSA would want Intel to give them the ability to disable it. The NSA would want to minimize side-channel leaks. Intel confirmed this after the research from Positive Technologies was released.

“In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the U.S. government’s “High Assurance Platform” program. These modifications underwent a limited validation cycle and are not an officially supported configuration,” a spokesperson for Intel said.

The researchers were able to find a HAP mode thanks to a couple pieces of software that Intel creates for motherboard manufacturers. This software allows a few modifications to be made to ME. The two tools used are the Flash Image Tool (FIT) and the Flash Programming Tool (FPT). With these tools the researchers were able to obtain XML files that described the structure of the ME firmware and find special configuration bits for the PCH. One of these configurations was called “reserve_hap” that included the comment “High Assurance Platform (HAP) enable” which made the researchers curious.

The researchers then enabled the HAP enable configuration, and discovered that the ME chip was disabled. The ME chip would not respond to any commands with HAP mode enabled. Once HAP mode is enabled, a change is made to the Boot Guard policies. Positive Technologies will continue to investigate the Management Engine, and will try to uncover how exactly how HAP mode changes Boot Guard and other changes. They warn their hack is experimental and has not been fully tested and requires a Serial Peripheral Interface (SPI) programmer.