
I read some stuff about Intel's ME and got interested because of its huge potential security threat to basically (more or less) every Intel system since 2008. And I came across the great work of @igor-skochinsky, who did a pretty good presentation about the things he discovered.

There is no way to disable the ME in a trustworthy manner, nor can one just replace it with a custom image. There are attempts to delete as much of it as possible without running into countermeasures (https://github.com/corna/me_cleaner). So solving this problem on the machine itself is kind of difficult, but what if it were dealt with outside the machine?

Since I am thinking about building my own secure router (maybe using some BSD like NetBSD, OpenBSD, etc.) as the entry point to my local network, I started to wonder if I could protect every potentially threatened Intel machine in my local network with a home-made router that contains no hardware from Intel, or maybe even from AMD (they use something called PSP)?

Further, I was wondering whether it would improve the security of the router concerning Intel's ME to use a NIC via PCI in the router, because it is said that the interface of the ME is only available over the primary NIC? That would be the NIC of the motherboard, right?

And finally, would it be sufficient if the router had some kind of whitelist of the MAC and IP addresses which are explicitly allowed, since it is said that the ME has its own MAC and IP address? I mean, I could just add the addresses of every device of the local network to the whitelist, and then every attempt at communication to or from the ME would no longer be possible?

So the idea is basically some kind of desktop computer which is hardened as much as possible, but without going nuts. Every idea or tip on how to fulfill that goal is appreciated.

This is my first question; I hope it is ok.

3 Answers


Recent research proves that there is a trustworthy way to disable the ME; it was published recently by Positive Technologies here. me_cleaner has also added an implementation for the HAP PCH strap.

Regarding your home-made router and the potential threat from the AMD PSP: IMO it would be very hard to implement that. Please note that if a chip has access to the network interface, it can use a secure connection initiated from inside your network, so how would you differentiate between your legitimate outbound traffic and the malicious traffic?

Regarding a built-in vs. an external NIC: there is no difference if you use potentially untrusted hardware or firmware for your router. But assuming you go with trusted hardware and firmware, you have to make sure there is no ROM or other internal chip built into the external NIC, or into other components, that can interact with the NIC behind the scenes.

Piotr Król
  • Note that me_cleaner and the HAP bit only disable it at runtime to reduce the risk of exploiting vulnerabilities in it. If an attacker is able to write to firmware, they can ignore the HAP bit and still use the ME processor itself. – forest Dec 14 '17 at 09:10

If you're not using ME/AMT turn it off.

If your ME/AMT isn't network provisioned (in its BIOS), and you don't have the software/drivers installed to enable it, you should be safe anyway.

If you're relying on a network-edge device such as your router to differentiate legitimate management traffic from malicious traffic (i.e. an IDS/IPS role), then you'd best hope that it understands the traffic signatures of the AMT/ME attacks.

CGretski

I have the feeling that your question concerns both Intel ME and Intel AMT, so first of all, I think we should make a distinction between Intel ME and Intel AMT:

  • Intel ME: an autonomous subsystem running on a separate microprocessor; it is incorporated in virtually all of Intel's processor chipsets since 2008. It performs tasks during boot-up, while the computer is running, and while it is asleep.

  • Intel AMT: a technology for remote out-of-band management of computers; it runs inside the Intel ME. Typically, Intel AMT is only present on business-grade PCs; for example, many Lenovo ThinkPad laptops have it.

While AMT can be unprovisioned by the owner, there is no official, documented way to disable the ME. There are a few unofficial ways, but they often involve a hardware SPI flasher (see ME_Cleaner and Libreboot).

[Also let's keep in mind that the inner workings of these technologies are closed-source and obfuscated, so it is difficult to draw exact lines on what they can or cannot do.]


With this in mind I would provide the following answer:

  • Regarding the router, I use a small single-board PC with an ARM CPU running OpenWRT, and I set it to drop all incoming/outgoing traffic on the ports that Intel ME/AMT is known to use (although, since Intel ME/AMT is closed source, it's difficult to say if this is enough).

  • Regarding the NIC on the PC, ".. The ME has its own MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, for what support exists in various Ethernet controllers .." Therefore, using an unsupported network adapter on your Intel PC (instead of the integrated one) should cut Intel ME/AMT off from the network. A USB network adapter would be a sure way to accomplish this, thanks to the limitations/simplicity of the USB standard.

  • Regarding your last question, using the router to whitelist only the MACs of your PCs, it's an interesting idea, I hope that someone with more insight will answer that.


references:

https://communities.intel.com/thread/106584

https://forums.lenovo.com/t5/Enterprise-Client-Management/Unable-to-connect-to-Intel-vPro-AMT-X1-Carbon-attached-to-USB/td-p/3832026

puzzle
  • Thankfully, only systems with AMT enabled can do this, so it's not a major risk. Whitelisting MACs is kind of useless if the ME is genuinely _malicious_, since it would be trivial to forge a MAC address. – forest Aug 06 '18 at 22:54
  • @forest "Thankfully, only systems with AMT enabled can do this" I suppose you are referring to the ability of being provisioned and be able to control the PC remotely via network adapter ? – puzzle Aug 11 '18 at 08:45
  • Yes, regarding the out-of-band network communication. The ME will not expose a new MAC address / IP address without AMT provisioning set up (though maybe WoL uses the ME nowadays, not sure). – forest Aug 14 '18 at 02:18
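As an added example (editor's code, not from any of the posters above), here is a small Python model of the router-side policy the last two answers and the question propose: dropping the Intel AMT management ports and allowlisting LAN MAC addresses, run over constructed flow records rather than captured traffic. The concrete port list, MAC addresses and IP ranges are assumptions for illustration; puzzle's answer only says "ports Intel ME/AMT is known to use" without listing them. The last two sample flows reproduce the limits raised in the thread: a forged allowlisted MAC (forest's comment) passes the MAC check and is caught only by the port rule, and an ordinary outbound HTTPS connection passes both checks, which is Piotr Król's point that such traffic cannot be told apart by address or port alone.

```python
"""Model of a router-side filter for Intel AMT traffic over constructed flows.

Two checks are applied to each flow crossing the router:
  1. drop anything whose source or destination port is an AMT port;
  2. drop frames from a LAN source MAC that the owner has not inventoried.
The sample set deliberately includes the cases the thread says these checks
cannot handle. This is illustrative editor code, not OpenWRT configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports commonly documented for Intel AMT: ASF/RMCP (623, 664), the web UI
# and WS-Management interface (16992 HTTP, 16993 HTTPS) and SOL/IDE-R
# redirection (16994, 16995 TLS). Assumed list, not taken from the page.
AMT_PORTS = frozenset({623, 664, 16992, 16993, 16994, 16995})

# Hypothetical LAN inventory: MAC addresses the owner has explicitly allowed.
LAN_ALLOWLIST = frozenset({
    "aa:bb:cc:00:00:01",  # workstation
    "aa:bb:cc:00:00:02",  # laptop
})
LAN = ip_network("192.168.1.0/24")  # assumed local subnet


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


def classify(flow, allowlist=LAN_ALLOWLIST, amt_ports=AMT_PORTS):
    """Return (verdict, reason) for one flow.

    The port rule runs first because it does not depend on trusting the
    source MAC; the MAC rule only applies to frames that claim a LAN origin,
    since for inbound WAN traffic the source MAC is just the upstream router.
    """
    if flow.proto in ("tcp", "udp") and (
        flow.src_port in amt_ports or flow.dst_port in amt_ports
    ):
        return ("DROP", "amt-port")
    if ip_address(flow.src_ip) in LAN and flow.src_mac.lower() not in allowlist:
        return ("DROP", "unknown-mac")
    return ("ALLOW", "policy-pass")


def run_samples():
    """Classify a constructed set of flows; returns {name: (verdict, reason)}."""
    wan_peer = "198.51.100.7"          # constructed remote host
    upstream_mac = "de:ad:be:ef:00:01"  # constructed upstream router MAC
    samples = {
        # Normal browsing from an inventoried workstation.
        "workstation-https": Flow("aa:bb:cc:00:00:01", "192.168.1.10",
                                  "203.0.113.5", 51000, 443),
        # Someone on the WAN trying to reach the AMT web UI of a LAN host.
        "inbound-amt-webui": Flow(upstream_mac, wan_peer,
                                  "192.168.1.10", 40000, 16992),
        # A MAC the owner never inventoried talking out on a generic port.
        "unknown-mac": Flow("aa:bb:cc:ff:ff:01", "192.168.1.77",
                            wan_peer, 52000, 8080),
        # Forged allowlisted MAC: MAC check passes, port rule still catches it.
        "forged-mac-amt-port": Flow("aa:bb:cc:00:00:01", "192.168.1.10",
                                    wan_peer, 53000, 16993),
        # Forged allowlisted MAC on plain HTTPS: indistinguishable from the
        # host's own traffic, so both checks let it through.
        "forged-mac-https": Flow("aa:bb:cc:00:00:01", "192.168.1.10",
                                 wan_peer, 54000, 443),
    }
    return {name: classify(flow) for name, flow in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:22s} {verdict:5s} {reason}")
```

The point of the last sample is not that the filter is wrong but that it is only as good as its two inputs: a port list that the closed firmware is not obliged to honour, and a MAC inventory that any party with access to the NIC can imitate. Anything the ME sends as ordinary outbound TLS from the host's own addresses will be indistinguishable at the router, exactly as the first answer warns.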