Now you, too, can disable Intel ME ‘backdoor’ thanks to the NSA

A team of researchers from Positive Technologies discovered an undocumented configuration setting, designed for use by government agencies, to disable Intel Management Engine 11. Now you too can partake in this government privilege to inactivate Intel’s proprietary CPU master controller.

Intel ME background

Since 2008, Intel’s chipsets have contained a separate always-on Management Engine computer that could not be disabled. The EFF described Intel ME as a “largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard and network.”

Back in June 2016, hardware hacker Damien Zammit warned, “Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they’ll expose all affected systems to nearly unkillable, undetectable rootkit attacks.”

Despite many people with x86 computers trying, no one could disable ME. The closest successful attempt was likely the me-cleaner project.

The purpose of ME, according to Intel, is to allow businesses to remotely manage computers via Active Management Technology (AMT). Yet plenty of experts have called ME a very powerful backdoor, an idea that picked up steam after a critical vulnerability was revealed in May.

Intel refuted those backdoor accusations, saying, “Intel does not put backdoors in its products nor do our products give Intel control or access to computing systems without the explicit permission of the end user. In short, Intel does not participate in efforts to decrease security in technology.”

Disable Intel ME thanks to the NSA

Here comes the good news. As Positive Technologies researchers Mark Ermolov and Maxim Goryachy poked into the firmware, they discovered an undocumented HAP field. HAP, which stands for the High Assurance Platform (pdf) program, was developed by the NSA. The framework was for the “development of the ‘next generation’ of secure computing platforms.”

The researchers discovered an undocumented field called “reserve-hap” and that HAP could be set to “1” for true. Apparently, the NSA wanted to ensure the agency could close off any possible security risk by disabling Intel ME. The researchers wrote, “We believe that this mechanism is designed to meet a typical requirement of government agencies, which want to reduce the possibility of side-channel leaks.”

When told about the research, Intel told Positive Technologies:

In response to requests from customers with specialized requirements, we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the U.S. government’s “High Assurance Platform” program. These modifications underwent a limited validation cycle and are not an officially supported configuration.

If you want to disable Intel ME, you should first read the in-depth technical explanation about the researchers finding “an undocumented PCH strap that can be used to switch on a special mode disabling the main Intel ME functionality at an early stage.” Positive Technologies also made its Intel ME 11.x firmware image unpacker utility available on GitHub. Use at your own risk; the methods to disable Intel ME were described as “risky and may damage or destroy your computer.”