Anyone disabled the Intel ME yet?

360 views
Skip to first unread message

alexc...@gmail.com

unread,
Sep 18, 2017, 4:33:31 PM9/18/17
to qubes-users
Has anyone here successfully disabled the Intel ME yet?

http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

I'm hoping a future release of Qubes integrates this into the install process for us. Or be downloadable as a package like Anti-Evil Maid?

Thoughts?

Alex

unread,
Sep 18, 2017, 4:43:18 PM9/18/17
to qubes...@googlegroups.com
This is an extremely risky and highly ad-hoc procedure that cannot be
easily automated. As you can understand from the article, newer ME
versions manage the boot process so some level of functionality is
required just to have a working computer.

Being an opaque component, different versions have highly variable level
of built-in functionality and architecture position, so while some ME
versions on some chipsets could just be zapped away, others have to be
patched, reflashed, bypassed or replaced to be disarmed.

Hence, the operations to "disarm" ME still resemble more surgery than
patching; our only hopes are that Intel will give a simple way of
disabling the unneeded "services" (i.e. network services?) with
something reasonable like a hardware jumper of some sort. They will be
able to give the HAP guarantees to their customers without impairing
security for everybody else...

--
Alex

signature.asc

alexc...@gmail.com

unread,
Sep 18, 2017, 5:15:09 PM9/18/17
to qubes-users
I see, thank you for the explanation. I had no idea ME versions were that fragmented.

Rusty Bird

unread,
Sep 18, 2017, 6:01:33 PM9/18/17
to alexc...@gmail.com, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

alexc...@gmail.com:
https://github.com/corna/me_cleaner

Rusty
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJZwEIxXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfNg8P/R29hIUOrlolKVQXjgQ27MX0
oWClVtfGX7+geO+mU3WYY0UQYeOCWyRJIxOrbsySrKf0WcqN2H0NwpxcJrHXYI8Z
mm1CVcC8VZcR7hMARHLWz61EFfBbSUL+azP1elPZQ/yuB1If3NpyR9PSM8Nrhs0v
Mdh9N2HdhYfxV6YNPhcUo1bVsaP9Z3X8/8T/whybN6KaMiF4y573wXqXwSc/lNsN
P5bpBH1GcAZI2BfH29dt1TU+t94pELekdAtZKDFW4riSLhhWW9nfDPThupqJ2kps
MXhFJxREXsUPpXOf6vc+JI667+8s1Cb4jfXovKPGgIG/4dh3qFIIyc9p/0q6pLca
UBN7V2GBkkpdpyRX/QhHHcbw+Ri2SKul/2LRMVZ7d/nqwRfHchxGmYKFIjFjYVdx
1bfVc8wgnX1WZGOg0EvEgx0vG8H0+DU+Yw5Wyuv4jO4UfILJ/FTBxa1KyMWv6xvS
lf9tjL28k+HBiwzDs5MCdV9rUJ9W0q/zySntZItI/7wd8UPC0YadzqwxF74xh/d4
SLy9rL/1aMwhpvd+rCFipn1B3wIlY/y/VPq3FpLsPrAjoesbZ1BeUmQ9wdvumTn3
sSwcUfUnt1N6mWWtPYtSPYQyD1A4r9I2RFEuq8YuLEyG3BveC9RanApNE5CboBFA
JKyVN0I7q5dmd0bk4IEm
=UlBw
-----END PGP SIGNATURE-----

Alex

unread,
Sep 21, 2017, 2:23:01 AM9/21/17
to qubes...@googlegroups.com
Replying to this thread to report that somebody DID ACTUALLY find an
exploitable vulnerability in the latest IME 11+, and they will be
sharing nothing less that this UNSIGNED CODE EXECUTION vuln at blackhat
europe 2017.

Abstract here:
https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

Title is pretty scary, but we'll see if it's actually that dangerous...

--
Alex

signature.asc

Hugo Costa

unread,
Sep 21, 2017, 12:08:41 PM9/21/17
to qubes-users

Was going to post the same. 2 Russian researchers that a couple weeks ago found out a way to clean some modules on Intel ME now have found a significative exploit that allows them to actually run code on a piece of hardware with direct access to the network. The scary thing is - it's impossible to detect.

cooloutac

unread,
Sep 24, 2017, 8:24:44 PM9/24/17
to qubes-users

and thats prolly just what we know about lol.

cooloutac

unread,
Sep 24, 2017, 8:27:18 PM9/24/17
to qubes-users

I feel like cause I live in nyc that you just expect this type of stuff from your friends and neighbors hahaha. maybe not the same means but the same ends. but ya hardware level stuff is scary, cause that means real security means alot of money, so poor people are screwed.

filtration

unread,
Sep 24, 2017, 9:23:23 PM9/24/17
to qubes...@googlegroups.com
cooloutac:
> On Sunday, September 24, 2017 at 8:24:44 PM UTC-4, cooloutac wrote:
>> On Thursday, September 21, 2017 at 12:08:41 PM UTC-4, Hugo Costa wrote:
>>> On Thursday, 21 September 2017 07:23:01 UTC+1, Alex wrote:
>>>> Replying to this thread to report that somebody DID ACTUALLY find an
>>>> exploitable vulnerability in the latest IME 11+, and they will be
>>>> sharing nothing less that this UNSIGNED CODE EXECUTION vuln at blackhat
>>>> europe 2017.
>>>>
>>>> Abstract here:
>>>> https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668
>>>>
>>>> Title is pretty scary, but we'll see if it's actually that dangerous....
>>>>
>>>> --
>>>> Alex
>>>
>>> Was going to post the same. 2 Russian researchers that a couple weeks ago found out a way to clean some modules on Intel ME now have found a significative exploit that allows them to actually run code on a piece of hardware with direct access to the network. The scary thing is - it's impossible to detect.
>>
>> and thats prolly just what we know about lol.
>
> I feel like cause I live in nyc that you just expect this type of stuff from your friends and neighbors hahaha. maybe not the same means but the same ends. but ya hardware level stuff is scary, cause that means real security means alot of money, so poor people are screwed.
>

My motherboard has a "Disable ME" jumper. Not good enough for many of
you, I know.

As far as AMT, apparently the entry is through Intel NICs. I hoped to
mitigate it by using a third party NIC. The Intel device stayed lit
(amber, not green) on power off, my new one is completely off when
powered off.

rysiek

unread,
Sep 25, 2017, 2:46:12 AM9/25/17
to qubes...@googlegroups.com
Dnia Sunday, September 24, 2017 9:23:06 PM EEST filtration pisze:
> My motherboard has a "Disable ME" jumper. Not good enough for many of
> you, I know.
>
> As far as AMT, apparently the entry is through Intel NICs. I hoped to
> mitigate it by using a third party NIC. The Intel device stayed lit
> (amber, not green) on power off, my new one is completely off when
> powered off.

These are not really good options for laptops. :(

--
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
signature.asc

Alex

unread,
Sep 25, 2017, 3:01:12 AM9/25/17
to qubes...@googlegroups.com
On 09/25/2017 08:45 AM, rysiek wrote:
> Dnia Sunday, September 24, 2017 9:23:06 PM EEST filtration pisze:
>> My motherboard has a "Disable ME" jumper. Not good enough for many
>> of you, I know.
>>
>> As far as AMT, apparently the entry is through Intel NICs. I hoped
>> to mitigate it by using a third party NIC. The Intel device stayed
>> lit (amber, not green) on power off, my new one is completely off
>> when powered off.
>
> These are not really good options for laptops. :(
>
They may even be worse - I used to have a tablet with a "Intel ME
Disable" option in the bios, and tried to flip that setting.

The tablet would not start anymore, and had to buy a clip to reflash the
bios eeprom to be able to recover it.

--
Alex

signature.asc

Sean Hunter

unread,
Sep 25, 2017, 3:33:49 AM9/25/17
to rysiek, qubes...@googlegroups.com



> On 25 Sep 2017, at 07:45, rysiek <rys...@hackerspace.pl> wrote:
>
> These are not really good options for laptops. :(

I am running Qubes 4.0 rc 1 on a librem purism 15v3. I believe (may be wrong) that it comes with ME disabled. Seems a great laptop so far with a couple of small annoyances which I’m happy to post to the list separately if people would find that helpful.

Sean

Sent from my phone. Sorry if brief.


pixel fairy

unread,
Sep 25, 2017, 4:57:54 AM9/25/17
to qubes-users
i would find a list of annoyances with qubes 4 on a librem 15 helpful. im thinking of getting one.

Theo

unread,
Oct 22, 2017, 4:08:30 PM10/22/17
to qubes-users
On Monday, 18 September 2017 13:33:31 UTC-7, alexc...@gmail.com wrote:
> Has anyone here successfully disabled the Intel ME yet?


Purism says they are diabling it by default on all laptops they are sending out now.

Ref:
https://puri.sm/posts/deep-dive-into-intel-me-disablement/

Now if only the hardware was just slightly more powerfull and future oriented.

Reply all
Reply to author
Forward
0 new messages