Intel has come under fire recently for bundling hidden firmware on some chips. While Intel Management Engine provides some hardware-based security and power management features, it’s also a completely closed-source bit of code that comes bundled with most recent Intel processors, and which cannot be easily disabled by users who may decide they don’t need it.
Independent security researchers have noted that Intel Management Engine could provide a backdoor for government spying… and that security flaws could leave computers vulnerable to malware.
Now Intel has confirmed the risk: after performing an audit, the company has revealed that it found vulnerabilities affecting multiple processors released in the last few years.
The vulnerability could allow an unauthorized user to run code delivered via USB.
Affected systems include those running Intel Management Engine 11.0 through 11.7, Intel Server Platform Services version 4.0, and Intel Trusted Execution Engine 3.0.
That includes 6th-gen, 7th-gen, and 8th-gen Intel Core processors as well as a bunch of other chips including:
- Intel Celeron N and J series chips
- Intel Pentium Apollo Lake
- Intel Atom E3900 Apollo Lake
- Intel Atom C3000
- Intel Xeon W
- Intel Xeon E3-1200 v5 and v6
- Intel Xeon Scalable family
Intel has released a tool that you can download and run on Windows or Linux PCs to see if your computer is affected. But you can’t download a fix for the security vulnerability from Intel: it’s up to PC makers to roll out updates. Some companies have already started to do that, but the outcome will probably vary from PC maker to PC maker.
This is pretty much exactly what critics of the Intel Management Platform had been worried about. Since the software is hidden from end users, many people may not even know it’s running on their computer. And it’s proven difficult for security researchers to examine the code to search for vulnerabilities, which means that it’s largely up to Intel to make sure that this software doesn’t pose a huge security risk unbeknownst to most users.
No wonder companies including Purism and Google have been looking for ways to disable Intel ME (which, ironically, involves finding and exploiting flaws in the software, since it’s not meant to be disabled).
Update: More PC makers are starting to weigh in. HP released a statement saying that it “has worked with Intel to provide fixes for impacted systems.”
via Tom’s Hardware and ZDNet
Shame on Intel for not deactivating by default or omitting all such things!
They would like you to upgrade from your 4th-gen system to their new 8th-gen products.
So here’s more incentive from them XD
My PC runs perfectly well on a first-generation Core :) To upgrade, they need to convince me with secure firmware. The problem, however, is mobile devices. “Luckily”, Windows / Intel mobile devices have failed to meet my needs (4:3 matte display) anyway, so I could avoid the firmware-malware. Nevertheless, it would be terrible if finally a suitable mobile device should appear with still flawed firmware of CPU / chipset. Windows / Qualcomm is also not ready for primetime yet… (only 32b and apparently somewhat slow).
You know, in your computer there are a bunch of other small computers. Each with their respective amount of few bytes of RAM and tiny CPUs. There are even full fledged computers in your microSD card, responsible for finding and reallocating failing flash blocks. And each run their own code, hidden from the main OS and you. This is not the end of it. It’s only the beginning.
It’s somewhat ironic that Lenovo are among the first to fix this, due to their previous abuses of the ‘Windows Platform Binary Table (WPBT)’ to force (re)installation of their own ‘management tools’ onto end users’ OS.
Pretty much all electronics these days contain secrets and spy on users. Things could be hidden for years, and/or remotely triggered 🙁
“But you can’t download a fix for the security vulnerability from Intel: it’s up to PC makers to roll out updates.” I built my own computer. No wonder every time I called support I got a busy signal.
Fortunately, I have a fancy 5th generation that doesn’t appear to be affected. Still want that garbage secret code to see sunlight so it can get a proper audit.
I thought I read something at Tomshardware that Intel and others are going to slowly phase out support for the older CPUs–something about the CPUs or mainboards not supporting new security “features.” (It’s not a cost item, it’s a value-added feature.)
Wow, never saw that coming.
Purism and Google should ask Russia, China or the DPRK how to hack into iME. I’m sure they’ve figured out a way to do it. It wouldn’t surprise me if the NSA has the source code or APIs.