Intel has come under fire recently for bundling hidden firmware on some chips. While Intel Management Engine provides some hardware-based security and power management features, it’s also a completely closed-source bit of code that comes bundled with most recent Intel processors, and which cannot be easily disabled by users who may decide they don’t need it.
Independent security researchers have noted that Intel Management Engine could provide a backdoor for government spying… and that security flaws could leave computers vulnerable to malware.
Now Intel has confirmed the risk: after performing an audit, the company has revealed that it found vulnerabilities affecting multiple processors released in the last few years.
The vulnerability could allow an unauthorized user to run code delivered via USB.
Affected systems include those running Intel Management Engine 11.0 through 11.7, Intel Server Platform Services version 4.0, and Intel Trusted Execution Engine 3.0.
That includes 6th-gen, 7th-gen, and 8th-gen Intel Core processors as well as a bunch of other chips including:
- Intel Celeron N and J series chips
- Intel Pentium Apollo Lake
- Intel Atom E3900 Apollo Lake
- Intel Atom C3000
- Intel Xeon W
- Intel Xeon E3-1200 v5 and v6
- Intel Xeon Scalable family
Intel has released a tool that you can download and run on Windows or Linux PCs to see if your computer is affected. But you can’t download a fix for the security vulnerability from Intel: it’s up to PC makers to roll out updates. Some companies have already started to do that, but the outcome will probably vary from PC maker to PC maker.
This is pretty much exactly what critics of the Intel Management Platform had been worried about. Since the software is hidden from end users, many people may not even know it’s running on their computer. And it’s proven difficult for security researchers to examine the code to search for vulnerabilities, which means that it’s largely up to Intel to make sure that this software doesn’t pose a huge security risk unbeknownst to most users.
No wonder companies including Purism and Google have been looking for ways to disable Intel ME (which, ironically, involves finding and exploiting flaws in the software, since it’s not meant to be disabled).
Update: More PC makers are starting to weigh in. HP released a statement saying that it “has worked with Intel to provide fixes for impacted systems.”