35

I recently read about the Intel ME (Management Engine), which is a special area in new Intel processors that has complete control over the computer. Nobody knows exactly what it contains, and there are many security concerns about it. I learned about it here:
https://stallman.org/intel.html

What can I do about this? Are there any ways to stop this, or is it hopeless?

  • poss dupe http://security.stackexchange.com/questions/128619/what-are-the-privacy-and-security-risks-associated-with-intels-management – dave_thompson_085 Nov 18 '16 at 13:02
    I don't think this is a dupe. The one you linked to wants to know the risks associated with iME, while this question wants to know what can be done to mitigate those risks. It's essentially a "what" vs "how" situation, and the two fundamentally expect different answers. – Miles B Huff Dec 01 '18 at 05:49

5 Answers

11

Don't use the onboard NIC, which is how ME accesses the Internet. Instead, use a USB LAN device, or even one plugged into a PCI slot -- ME doesn't know how to use them!

Miles B Huff
burrito
    Can you cite a source? – Jedi Nov 18 '16 at 10:42
    I don't know why this is downvoted, it is true. AMT remote access runs over the onboard NIC. I don't know if there are some special configurations in which you can use PCI cards, but in general a PCI card will not be used by the ME. I've only found a link for vPro in a quick search, but the situation should be exactly the same: https://serverfault.com/questions/289150/does-intel-vpro-work-via-add-on-nics – jdm May 09 '17 at 14:05
    IIRC, some AMT-capable laptops support PCI/PCIe for remote management. The ME has the drivers for those devices, whereas many servers only support the integrated GbE from Intel. – forgetful Oct 19 '17 at 12:05
    I'd reckon there's a pretty good chance that ME has the right drivers to use Intel NICs, so if PCI/M.2 slots are a viable option, you'll need to make sure to buy a different brand. – Miles B Huff Dec 18 '18 at 17:51
9

You can use me_cleaner to wipe all but the most essential portions of the ME. This isn't without risks, of course.

The NSA had Intel install a killswitch for it; you might be able to get your OEM to enable this for you with a special BIOS update (or you might be able to edit your firmware yourself). Some OEMs (Purism, System76, and Dell) have started offering this as an option with certain computers, in the wake of the 2017 vulnerability.

Miles B Huff
6

You can try disabling the AMT feature in your BIOS.

  1. Go to "Advanced Chipset Features" and then "Intel AMT" (the exact wording may be different for you), and set it to "Disabled". Save and exit your BIOS.

  2. Then, when your computer turns back on, press Ctrl+P to enter the AMT Menu, and set "Intel ME Control State" to "Disabled".

However, no one outside of Intel knows for sure what these toggles do, and whether AMT can re-enable itself without you knowing is another question altogether. (There are plenty of rumors going around about this, but I'm staying neutral until we know for sure. At the very least, you'll be (mostly) safe as long as you're disconnected from the Internet.)

Another option is to just use pre-AMT hardware.

Quoth Intel:

Built into many Intel® Chipset-based platforms is a small, low-power computer subsystem called the Intel® Management Engine (Intel® ME). This performs various tasks while the system is in sleep, during the boot process, and when your system is running. It is important that this subsystem is functioning correctly to get the most performance and capability from your PC. This utility checks that the Intel® ME subsystem is running and communicating properly up to the operating system. This can give the system builder and user a good sense that in case of any system boot or performance issue, the Intel® ME is not the trouble spot.

Miles B Huff
Lester T.
6

Completely and permanently (unless you re-install it) disable Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability on Windows. These are components of the Intel Management Engine firmware. While Intel ME still runs, the Windows drivers are disabled and Intel ME can no longer access Windows.

1) Download the Intel Setup and Configuration Software (Intel SCS) and extract.

2) Open up an administrator command prompt and navigate to where you extracted the files in step 1

  • run cd Configurator

3) In the command prompt, run ACUConfig.exe UnConfigure. If you get an error, try one of the options below:

  • Unconfiguring a system in ACM without RCS integration: ACUConfig.exe UnConfigure /AdminPassword <password> /Full

  • Unconfiguring a system with RCS integration: ACUConfig.exe UnConfigure /RCSaddress <RCSaddress> /Full

4) Still in the command prompt, disable and/or remove LMS (Intel Management and Security Application Local Management Service):

  • sc config LMS start=disabled
  • sc delete LMS
  • also run sc qc LMS, which will either show you the path to LMS.exe or FAIL. If it shows you the path, use Explorer to delete it. If it FAILED, do not be concerned.

5) Reboot

6) Check if there is still a socket listening on the Intel ME Internet Assigned Numbers Authority (IANA) ports on the client: 16992, 16993, 16994, 16995, 623, and 664. (You can also do this before you start, to verify that it is listening. The Intel ME listens even if the Intel AMT GUI shows Intel ME as "Unconfigured".)

  • in a command prompt (does not need to be elevated), run netstat -na | findstr "\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>"

7) The Intel AMT GUI should now show "information unavailable" on both remaining tabs (you might have had 3 or more tabs before going through the steps above).

Voilà, you have gotten rid of Intel AMT. And you've done the right thing, especially after the 2017-05-01 privilege escalation issue.

From this source (disclaimer, it's my own blog)

Gaia
    Little nitpick: this does help against the latest vulnerability by disabling AMT, but it doesn't disable the Management Engine, which continues to run happily with full access to your CPU and memory. If there is a backdoor in there, this won't help. – jdm May 09 '17 at 14:08
  • @jdm yes, updated the last line in the answer to read Intel AMT instead of Intel ME. "While Intel ME still runs, the Windows drivers are disabled and Intel ME can no longer access Windows." remains at the top. And we can't fix vulnerabilities we are not aware of yet... – Gaia May 09 '17 at 17:18
    @Gaia Unrestricted DMA access implies access to windows. – CodesInChaos May 09 '17 at 17:20
    @jdm the issue is that there's nothing you can do to completely disable the ME. If Intel was malicious you shouldn't even trust a disabled ME as the CPU itself can be malicious. – André Borie May 09 '17 at 17:26
4

According to LibreBoot's FAQ, Intel CPUs aren't the only chips with this "feature" -- AMD has something just like it. Anyone who wants to be extra secure will simply not use modern CPUs. None of the CPUs listed on LibreBoot's website come with Intel ME.

Rory Alsop
gmlox