Practical privacy and simple cybersecurity.
TheNewOil.org

The (Not So) Scary Truth Behind Intel ME

If you dig a little deeper into privacy – beyond the basics like encrypted communications, password managers, 2FA, and Linux – you'll start to hear scary stories about the Intel Management Engine – or ME. To hear the internet tell it, ME is this scary backdoor built into all Intel processors (such as the i7) that will render all your hard work at being secure pointless, allowing expert hackers and cybercriminals to compromise your device at the most basic, privileged level – basically giving the attacker full control of the device the moment it boots before the operating system even loads – making everything else wide open and exposed to them. Every password entered, file opened, and packet sent is theirs to see.

Or so the urban legend goes.

What is ME?

Let's start – as always – at the beginning: what really is Intel ME? Here's the facts: Intel ME is an “autonomous subsystem” built into virtually every single Intel processor since 2008. We know that it operates pretty much any time your computer is powered on – when booting up, sleeping, or during regular usage – and it has full access to your system including memory, display contents, keyboard input, and even the network.

Truthfully, that's about all we know at this time. The code is proprietary and heavily guarded, Intel hasn't really given us a lot of information themselves, and their documentation is pretty vague. Intel claims that ME is used for “anti-theft protection” and “low power, out of band management services.” Again, vague.

What's the Concern?

The main concern from ME arises from the fact that there is no official – or even safe – way to disable it. While there are few accusations that ME transmits any sort of data or telemetry (certainly none of them credible, to my knowledge) there is universal agreement that ME presents, at very least, a security risk. Researchers began finding exploits and vulnerabilities as far back as 2017, so we know they exist. Between the fact that the code is so heavily guarded (this is known as “security through obscurity” and is widely regarded to be a bad idea), the fact that proven vulnerabilities exist, and the fact that the program does not – from what we can tell – appear to be truly vital to system functions, a number of experts have argued that users should have the freedom to disable it if they choose. At this time, nothing can officially be done to disable it, not even flashing new firmware or operating systems. It's still, there chugging along at “ring 3.” There is nothing the user can do to mitigate the risks.

Is it a Backdoor?

From what I can tell, this appears to be pure sensationalism and – at times – putting words in people's mouths. The Wikipedia page for Intel ME says that both the Electronic Frontier Foundation and security expert Damien Zammit have accused ME of being a backdoor, yet if you the read articles cited you'll find that the word “backdoor” doesn't appear at all in the EFF article and appears only once in Zammit's piece where they note that since the code is not public researchers cannot search for possible backdoors (intentional or otherwise). Neither of them makes this accusation, directly or indirectly.

That's not to say that the idea is impossible, of course. As I said, nobody really knows the full extent of ME does, and Zammit does point out that because of the escalated privileges and network access it has, ME could easily send or receive traffic outside any sort of device-level firewall. But it does mean that at this time we have to remember that nobody credible (again, to my knowledge) has directly made that accusation nor has proof been presented. We know that ME is vulnerable, but that doesn't automatically mean malicious intent or intentionally (or actively-used) backdoors.

And while we're on that topic, let's talk about those vulnerabilities. There's quite a number of them, too many to list in a short blog post like this, but the main question we want to ask is “how likely am I to be attacked with such a vulnerability?” To put it simply, most of them are extremely unlikely to attack an average person. Most of them require AMT, SOL, or similar features to be enabled, all of which are not enabled by default and are typically only set up on company devices so the IT guy can remotely manage them. In fact, in some cases you open yourself up to risk by forcibly disabling ME.

Look, I want to remind my readers that I'm not a classically trained expert with a long background in cybersecurity or IT, but I spent several hours searching as hard as I could, and as far as I can tell nobody has ever compromised the stock, enabled-by-default ME in the wild. In other words: all the vulnerabilities found were either researchers who got it fixed, or it impacted the extra features that have to be intentionally enabled. While the stock ME does present risks, I've never found a case where it impacted an everyday user, and even the vulnerabilities the researchers found were typically very complex and relied on things like having physical access to the device at some point to at least start the process.

Should I be Worried?

In my opinion, no more than usual. There are some options for some users. Some computers offer you the ability to go into your BIOS and ensure that things like AMT are disabled and keep your firmware up to date. Intel themselves has released a tool that can help you check if your chips are impacted and if there's updates available to help keep them secure and safe. One option that sometimes gets floated is to use AMD instead. While I have nothing against AMD, please be aware that AMD also has the Platform Security Processor (or PSP) which is basically just their version of ME, complete with vulnerabilities and all. From what I can tell, there's no significant advantage to the user either way. Your best defense is simply to ensure that the relevant features are disabled and keep everything updated. You could try to buy from a company like Purism or System76 – both of whom at one time advertised disabling ME, but these days they simply disable what they can while leaving the core functionalities intact to avoid severe breakage. Finally – and I cannot stress this enough – do not use scripts or third-party programs that promise to disable or remove ME for you. At best, you may end up accidentally exposing yourself to vulnerabilities that previously didn't affect you, and at worse you may end up “bricking” your entire device (aka causing it to crash so it won't boot up and you lose all your data). Unfortunately ME and PSP seem like one of those things that – for the average user, without taking extreme measures – are hard to fully escape. If you wish to take those extreme measures, I can't be of any help to you. But for the rest of us, use whatever official tools at your disposal to disable what you don't need, and keep the rest updated.

I hope this post has been enlightening and helpful to any readers who may have stumbled across this ME subject and find themselves at a total loss. I'd like to give a final word to any advanced readers before I go: as I mentioned, I'm not an expert and never claimed to be. I've written this article in good faith and did the best research I know how to, but I also recognize that I'm human and make mistakes. If there are any factual inaccuracies here – besides dumbing things down to make them accessible to a novice audience – please contact me with sources so I can correct it. Thanks.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...