15

After reading about Intel ME containing secret backdoors, I would like to know if it is possible to disable Intel ME?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Marina Ala
  • 491
  • 2
  • 4
  • 8
  • 3
    Your question is answered in the document you are quoting: *"the ME is on a separate CPU and cannot be disabled"* (document which also forgot to mention that, depending on the concerned device, it may be reachable through 3G/4G even when the operating system is down). You may find more information in these related questions: [How to minimize the risk posed by Intel AMT/ME's “ring -3 exploits”?](https://security.stackexchange.com/q/128619/32746), [What can I do about the Intel Management Engine?](https://security.stackexchange.com/q/142947/32746) – WhiteWinterWolf Mar 23 '17 at 20:55
  • 1
    Please do not post pictures of text as a question. It would also be helpful to provide a link to the source. Thirdly, the picture has *nothing* to do with your question. – schroeder Mar 25 '17 at 07:40
  • Here's the most comprehensive guide I've found on [how to remove Intel ME](https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Disabling_the_Intel_Management_Engine). – Dan Dascalescu Feb 12 '19 at 11:47

2 Answers2

6

First of all, it sounds like this person is not telling the truth. He should have mentioned something which only a person who works at Intel would know, or at least something which people who understand the architecture deeply would know, rather than only things which are public knowledge. He could have at least mentioned something like ME v11 switching to TinyIA from ARCCompact and getting rid of the JEFF module format (an old abandoned Java standard), supposedly. Secondly, some of what he said was factually incorrect:

  • In order to have full access to memory, it needs an x86 component in the BIOS to permit it, contrary to popular belief that the ME is a god, so he is wrong in saying that it always has access to system memory (though most configurations do allow it to do this).

  • It can be disabled, and there are many ways to do so, both public, and non-public. His claim that it is impossible to disable is incorrect. I'll explain how later in this post.

  • He mentioned that the supposed backdoors have similar functionality to the CIA's WEEPING ANGEL, allowing the ME to listen even if the computer is off or sleeping. This is not possible on the majority of systems due to hardware constraints. Only high-end servers with vPro support are able to keep the ME on while the system appears off. All other systems keep the ME powered off unless the system is itself powered on.

  • A glaring mistake he makes is that it does not have "full access to the TCP/IP stack". I imagine he is trying to repeat the well-known fact that it has its own TCP/IP stack, which is true. The ME does not integrate with the OS' network stack in any way.

  • The ME does not have access to every peripheral connected to the computer. At a minimum, it can read all PS/2 keystrokes, video memory, and NIC communications. If it is given access to full memory, it can do more, of course. But due to physical limitations of the x86 architecture, it cannot have access to all peripherals.

Already in his short post, he has shown he does not know the basics of the Manageability Engine. As someone who knows multiple Intel employees, some of which who have worked directly with the ME, I do not believe that this person works for Intel.

To answer your main question, on some older computers, you can disable it by installing Libreboot, which does not come with the ME. The only computers it is compatible with are those which do not refuse to boot or are otherwise stable when the ME is not running. On some SandyBridge/IvyBridge computers, you can cripple the ME by overwriting the first page (4096 bytes), as shown here. Other methods which may be possible in the near future which require a combination of hardware and software modifications likely simply involve jumpers, according to some folks experimenting with disabling the ME in #libreboot on Freenode.

Not to mention, if this person was even telling the truth, the number of EEs working at Intel for more than 15 years, who moved to a new department 3 years ago and got a security clearance at that time is likely a small handful, if not a single person. Anyone with clearance knows how incredibly dangerous it is to leak information, so he would not be giving out information this way... on 4chan of all places.

guest
  • 61
  • 2
  • You're saying that on new, high-end machines with vpro, the ME is non-disable-able and can access the microphone while off? – amwinter Mar 30 '17 at 15:06
  • ME integrates with the OS TCP/IP stack via Intel AMT, which can be disabled by following these instructions: https://mattermedia.com/blog/disabling-intel-amt/ – Gaia May 03 '17 at 20:37
4

In some chipsets you can disable Intel ME by following these instructions (at your own risk).

Newer chipsets (Haswell on) have Intel Boot Guard set in Verified Boot, which renders the solution above unusable.

Not exactly your case, but to prevent Intel ME from talking to Windows you can disable Intel AMT. It is my understanding that if your machine only connects via WiFi this renders Intel ME useless, as it needs to have an ethernet connection or access WiFi via Windows.

Gaia
  • 740
  • 1
  • 6
  • 13