Security researchers studying the Intel Management Engine discovered an undocumented kill switch in the code, as well as references to a National Security Agency program.
Dmitry Sklyarov, Mark Ermolov and Maxim Goryachy, security researchers for Positive Technologies, based in Framingham, Mass., found the Intel kill switch that has the ability to disable the controversial Intel Management Engine (ME).
Experts have been wary of the Intel ME because it is an embedded subsystem on every chip that essentially functions as a separate CPU, with deep access to system processes, and it could be active even if the system were hibernating or shut off.
Lamar Bailey, director of security research and development at Tripwire Inc., based in Portland, Ore., said the Intel ME is "an out-of-band remote management interface" that is not uncommon in hardware.
"The problem happens when there are vulnerabilities in these interfaces or weak authentication issues. The remote management interface has the ability to take over and modify a system. So, to many, they are seen as security risks, and they are often the target of research and hackers," Bailey told SearchSecurity. "Many organizations, both commercial and federal, disable these features due to security concerns."
Finding the Intel kill switch
It was previously thought that the Intel ME was impossible to access or disable because, as the Positive Technologies researchers noted in their analysis, "the executable modules are compressed by Huffman codes with unknown tables." But the researchers found a way around this.
When inspecting the Intel ME code, the researchers found a field labeled "High Assurance Platform (HAP) enable," which is a reference to "a multiyear NSA program with the vision to define a framework for the development of the 'next generation' of secure computing platforms," according to the Trusted Computing Group.
The researchers said this was essentially an Intel kill switch for the Management Engine, because once that feature was enabled, "quick checks showed that ME did not respond to commands or react to requests from the operating system." And because the HAP feature disables Intel ME at such an early stage of system boot, it does not cause the ME to crash. However, the researchers couldn't find a way to disable the Intel kill switch.
Intel did not respond to SearchSecurity's requests for comment on this story. However, a company representative did confirm the Intel kill switch was introduced at the request of the U.S. government and the HAP program, but noted the "modifications underwent a limited validation cycle and are not an officially supported configuration."
Reactions to the Intel kill switch
Bailey said any customer big enough could make a vendor consider implementing a feature like the kill switch, "no matter if they are commercial or federal."
"If I were using these in a highly classified area or even a secure data center, I would demand these features be turned just like we disable external port like USB," Bailey said. "It's just another lock on the system as companies and organizations secure their data and information."
Satya Gupta, co-founder and CTO at application security vendor Virsec in San Jose, Calif., said the Intel kill switch "at the chip level may sound nefarious, [and] it's almost inevitable for any technology to have a reboot function if all else fails."
"Technology backdoors are always problematic and a very slippery slope. We've seen this with the encryption debate -- if there's a backdoor, it will almost inevitably get in the wrong hands and become a huge liability," Gupta told SearchSecurity. "And if the U.S. has a backdoor, should this be shared with allies? Will China demand their own backdoors to allow access to their markets?"
Philip Lieberman, president of Lieberman Software Corp. in Los Angeles, said the design of the processor "may have flaws that can be exploited by high-capability attack teams, but it is doubtful that backdoors have been implemented by design."
"The Management Engine has been a work in process that deserves criticism for its lack of transparency, and it has not exhibited consistent quality. I attribute lack of security and potential kill switches to poor engineering quality by Intel, rather than collaboration with intelligence agencies," Lieberman told SearchSecurity via email. "In reality, government agencies may very well be helping Intel close security holes they have inserted by mistake -- the U.S. government agencies might not be evil or conniving as some might believe."