
Intel kill switch ME code indicates connection to NSA

Researchers discovered an Intel kill switch hiding in one of the chipmaker's software products, along with references to an NSA program focused on secure computing.

Security researchers studying the Intel Management Engine discovered an undocumented kill switch in the code, as well as references to a National Security Agency program.

Dmitry Sklyarov, Mark Ermolov and Maxim Goryachy, security researchers for Positive Technologies, based in Framingham, Mass., found the Intel kill switch that has the ability to disable the controversial Intel Management Engine (ME).

Experts have been wary of the Intel ME because it is an embedded subsystem on every chip that essentially functions as a separate CPU, with deep access to system processes, and it could be active even if the system were hibernating or shut off.

Lamar Bailey, director of security research and development at Tripwire Inc., based in Portland, Ore., said the Intel ME is "an out-of-band remote management interface" that is not uncommon in hardware.

"The problem happens when there are vulnerabilities in these interfaces or weak authentication issues. The remote management interface has the ability to take over and modify a system. So, to many, they are seen as security risks, and they are often the target of research and hackers," Bailey told SearchSecurity. "Many organizations, both commercial and federal, disable these features due to security concerns."

Finding the Intel kill switch

It was previously thought that the Intel ME was impossible to access or disable because, as the Positive Technologies researchers noted in their analysis, "the executable modules are compressed by Huffman codes with unknown tables." But the researchers found a way around this.

When inspecting the Intel ME code, the researchers found a field labeled "High Assurance Platform (HAP) enable," which is a reference to "a multiyear NSA program with the vision to define a framework for the development of the 'next generation' of secure computing platforms," according to the Trusted Computing Group.

The researchers said this was essentially an Intel kill switch for the Management Engine, because once that feature was enabled, "quick checks showed that ME did not respond to commands or react to requests from the operating system." And because the HAP feature disabled Intel ME at such an early stage of system boot, it won't cause the ME to crash. However, the researchers couldn't find a way to disable the Intel kill switch.

Intel did not respond to SearchSecurity's requests for comment on this story. However, a company representative did confirm the Intel kill switch was introduced at the request of the U.S. government and the HAP program, but noted the "modifications underwent a limited validation cycle and are not an officially supported configuration."

Reactions to the Intel kill switch

Bailey said any customer big enough could make a vendor consider implementing a feature like the kill switch, "no matter if they are commercial or federal."

"If I were using these in a highly classified area or even a secure data center, I would demand these features be turned just like we disable external port like USB," Bailey said. "It's just another lock on the system as companies and organizations secure their data and information."

Satya Gupta, co-founder and CTO at application security vendor Virsec in San Jose, Calif., said the Intel kill switch "at the chip level may sound nefarious, [and] it's almost inevitable for any technology to have a reboot function if all else fails."

"Technology backdoors are always problematic and a very slippery slope. We've seen this with the encryption debate -- if there's a backdoor, it will almost inevitably get in the wrong hands and become a huge liability," Gupta told SearchSecurity. "And if the U.S. has a backdoor, should this be shared with allies? Will China demand their own backdoors to allow access to their markets?"

Philip Lieberman, president of Lieberman Software Corp. in Los Angeles, said the design of the processor "may have flaws that can be exploited by high-capability attack teams, but it is doubtful that backdoors have been implemented by design." 

"The Management Engine has been a work in process that deserves criticism for its lack of transparency, and it has not exhibited consistent quality. I attribute lack of security and potential kill switches to poor engineering quality by Intel, rather than collaboration with intelligence agencies," Lieberman told SearchSecurity via email. "In reality, government agencies may very well be helping Intel close security holes they have inserted by mistake -- the U.S. government agencies might not be evil or conniving as some might believe."


What do you think of the Intel Management Engine kill switch?
Great publication, Mike! Kill it!
Better find out how this affects NSA level A1. This is the highest security level available and developed at the NSA by Dr. Roger R. Schell, former NSA Deputy Director, and a friend. Check out and talk to Roger about GEMSOS with security kernel secure OS with the secure kernel. He would have much to say on the subject of the Intel 'kill switch'.
Is it possible that this "kill switch" could cause a board to fail? I had a Dell workstation that failed after applying the latest Intel ME update. It started showing USB detection failures. After I powered it off in the evening (after applying the ME update) and attempting to start it up the next morning, it would no longer power on. Is there a possible connection with the ME update?