In 2007 the enterprise computing landscape changed. Without major fanfare, Intel introduced its new Management Engine. This innocuous-sounding bundle of hardware and firmware was intended to give enterprise IT managers greater control over the machines on their network. It succeeded.
Comprising a fully functional processor, memory, ROM and network interface, the IME, built inside the CPU chipset, became supreme overseer of the rest of the system. It controls everything. Long before an operating system even starts booting, the Management Engine is checking the network connection, validating code and ...
... actually, nobody outside of Intel really knows what else it does, at least not entirely. Its code is heavily encrypted and so far has not been fully disassembled. The reason for encryption is obvious: this is a potential vulnerability for all systems in which it’s present. If the encryption were ever broken, enterprise systems could be vulnerable to data theft, botnet conscription and remote access, with their users and managers none the wiser. It’s not beyond the realms of possibility that this has already happened.
What’s surprising is the length of time that this has been going on without much complaint. Analysts such as Joanna Rutkowska have been warning about the risks for years. Projects such as Libreboot have, with some success, disabled early versions of the Management Engine, though mostly on computers that are now too old to consider for serious business use. Yet enterprise customers have so far made little noise, happy that the convenience of remote PC management outweighs any possible security concerns.
It’s not as though there are any real alternatives. AMD stayed out of this area for some time, but since 2013 its CPUs have had a similar feature: the Platform Security Processor.
However, recently there have been more intense and concerted efforts to find out what these deeply-embedded controllers actually do, and to disable them if possible. The range of Librem laptops from Purism has the majority of the IME disabled, for example, and uses Coreboot. Security researchers around the world continue to work on tools to remove what’s left.
One reason for the increased pace of this work is that it’s unlikely the encryption will remain secure forever. Intel has already had one public Management Engine vulnerability exposed earlier this year. It is clear that this vulnerability was already known to the NSA.
This has concentrated minds, as it seems at least feasible that US security agencies may have methods of accessing management engines and using them to spy on users. Whatever you may feel about the pros and cons of privacy versus security, few enterprises are likely to be comfortable with the idea of being surreptitiously hacked by the government—especially if it’s not even their own government.
But whenever researchers make progress disassembling or circumventing the embedded code, new CPUs are released with new, more heavily encrypted and tightly embedded code, and the process has to begin again.
Recently it’s become apparent that Intel has the ability to modify IME code for customers who so demand. In August this year, Positive Technologies discovered a way to apparently disable the IME even further. When informed, Intel stated:
In response to requests from customers with specialised requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s “High Assurance Platform” program. These modifications underwent a limited validation cycle and are not an officially supported configuration.
One can imagine that US government buyers, for example, might be able to demand that the IME is disabled. So there’s no reason why it has to be present.
Currently a polite contest is going on between the chip makers on one side, and on the other the researchers and open-source advocates who want to be able to use computers that don’t have secretive, designed-in backdoors.
This uneven conflict is becoming more public and may come to a head soon. For example, chip makers might try to take legal action against the people attempting to disassemble their encrypted code. Also possible, but less likely, is that a major customer might demand that the management code is removed for a particular product line. Even if neither of those things happens, the spotlight of publicity is getting brighter, increasing the possibility that at some point in the future alternative solutions will arise.
Perhaps a separate “budget” line of nonmanaged CPUs will become available from AMD or Intel. Perhaps a smaller chip maker might step into the niche, though that seems less likely given the upfront capital required for CPU development. But if the current situation persists, organisations will never again be able to buy desktop or laptop PCs that don’t have proprietary, encrypted controllers embedded inside them.
Picture an overworked enterprise IT manager, spending much of their time diligently securing a corporate network against intrusion and malware. A little black box inside every computer assists the IT manager greatly by simplifying remote management, yet remains outside their complete control. For many IT managers that little black box is a useful, perhaps invaluable tool for managing large numbers of enterprise workstations and servers. For others it’s a nagging potential vulnerability.
Intel and AMD don’t usually discuss these matters, except to justifiably point out the valid benefits of management features to enterprise customers. Both companies were approached for comment but did not respond.
This story, "Will open hardware race curb worrying chip vulnerability?" was originally published by IDG Connect.