[German]It seems, that Apple has forgotten to lock the Intel Management Engine (Intel ME) against manipulation on some notebooks and left a maintenance mode open. This is the latest finding in Intel Management Engine research.
The Intel Management Engine (Intel ME) has been included in most Intel chipsets since 2008. However, the whole thing is highly controversial, as it expands the attack surface of Intel-based hardware. In the event of a threat, it becomes a side channel threat to the main processor.
The security researchers of Positive Technologies have dedicated themselves to the ‘decoding’ of the Intel Management Engine for some time now and have achieved some drastic successes (see link list at end of article).
The Electronic Frontier Foundation called Intel ME last year a security risk and demanded a way to deactivate it. With the findings of researchers at Positive Technologies, this is now possible. In the ongoing research of Intel’s Management Engine (ME), Positive Technologies security researchers have once again uncovered an example of the short-sightedness of the development a la Security by Obscurity.
The Register has picked it up here, but the original story of Maxim Goryachy and Mark Ermolov can be found here. The researchers were able to show that Chipzilla’s Intel ME, along with other little-known features such as the High Assurance Platform Mode, contains an undocumented Manufacturing Mode.
“Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing and should therefore be disabled (closed) before sale and shipment to users,” Goryachy and Ermolov write . “However, this mode and its potential risks are not described anywhere in Intel’s public documentation.
The manufacturing mode can only be accessed with a utility included in the Intel ME System Tools software. This utility is not available to the public. It is intended to configure important platform settings in a one-time programmable memory called Field Programming Fuses (FPF) before shipping the product and in the internal MFS (Minux File System) from ME to SPI (Serial Peripheral Interface) flash memory using parameters known as CVARs (Configurable NVARs, Named Variables).
In chipsets off Apollo Lake, Goryachy and Ermolov observed, Intel kept the access rights for its management engine, Gigabit Ethernet, and CPU separate. However, the SPI controllers in newer chips have a capability called Master Grant that overrides the access rights specified in the SPI descriptor.
“This means that even if the SPI descriptor prohibits host access to an SPI region of ME, ME may still allow access,” the researchers explain. It now turns out that device manufacturers are not allowed to deactivate the manufacturing mode. This allows an attacker with local access to modify the Intel ME to allow writing of arbitrary data.
At least one Intel customer, Apple, was unable to disable the manufacturing mode. The researchers analyzed notebooks from several computer manufacturers and found that Apple had left manufacturing mode enabled. They reported the vulnerability (CVE-2018-4251) and Apple patched it in June with the MacOS High Sierra 10.13.5 update. Apple writes in its description of the firmware problem: “A malicious application with root privileges may be able to change the EFI flash memory area”.
Goryachy and Ermolov have released Python code on GitHub to allow end users with the appropriate Intel chips to verify that manufacturing mode has been disabled. The security researchers claim that Intel’s failure to provide public documentation of its technology puts users at risk. They speculate that the ability to reset the ME without doing the same with the CPU could lead to other security issues. Intel is weighing up, but I think that thing is broken by design.
Security: TPM vulnerable; and dump mode for Intel ME
Hack: Disable Intel’s Management Engine
Warning against Intel Extreme Tuning Utility (XTU) V188.8.131.52
Intel: No Microcode Updates for some older CPUs