Apple forgot to lock Intel Management Engine in laptops, so get patching

Chipzilla's security through obscurity withers under scrutiny

In its ongoing exploration of Intel's Management Engine (ME), security biz Positive Technologies has reaffirmed the shortsightedness of security through obscurity and underscored the value of open source silicon.

The Intel ME, included on most Intel chipsets since 2008, is controversial because it expands the attack surface of Intel-based hardware. If compromised, it becomes a side-channel threat to the main processor.

The Electronic Frontier Foundation last year called it a security hazard and asked for a way to disable it, a request that researchers from Positive Technologies subsequently met.

In a blog post on Tuesday, researchers Maxim Goryachy and Mark Ermolov, involved in the discovery of an Intel ME firmware flaw last year, reveal that Chipzilla's ME contains an undocumented Manufacturing Mode, among its other little-known features such as High Assurance Platform mode.

"Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users," explain Goryachy and Ermolov. "However, this mode and its potential risks are not described anywhere in Intel's public documentation."

Manufacturing Mode can only be accessed using a utility included in Intel ME System Tools software, which isn't available to the public. It's intended to configure important platform settings in one-time programmable memory called Field Programming Fuses (FPF) prior to product shipment and in ME's internal MFS (Minux File System) on SPI (Serial Peripheral Interface) flash memory, via parameters known as CVARs (Configurable NVARs, Named Variables).

In chipsets prior to Apollo Lake, Goryachy and Ermolov observe, Intel kept access rights for its Management Engine, Gigabit Ethernet, and CPU separate. The SPI controllers in more recent chips, however, have a capability called a Master Grant which overrides the access rights declared in the SPI descriptor.

"What this means is that even if the SPI descriptor forbids host access to an SPI region of ME, it is possible for ME to still provide access," the researchers explain.

And because it turns out that device makers may not disable Manufacturing Mode, there's an opportunity for an attacker – with local access – to alter the Intel ME to allow the writing of arbitrary data.

At least one Intel customer failed to turn Manufacturing Mode off: Apple. The researchers analyzed notebooks from several computer makers and found that Apple had left Manufacturing Mode open. They reported the vulnerability (CVE-2018-4251) and Apple patched it in June via its macOS High Sierra 10.13.5 update.

As Apple put it in its description of the firmware issue, "A malicious application with root privileges may be able to modify the EFI flash memory region."

Goryachy and Ermolov have posted Python code on GitHub to allow end-users with the appropriate Intel chips to check whether Manufacturing Mode has been disabled. They have previously described how to disable Intel's Management Engine almost entirely.
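The status check described above can be done from the host side by reading the Management Engine's Host Firmware Status register (HFSTS1) out of the MEI/HECI PCI device's configuration space, which the ME exposes regardless of what the SPI descriptor says. The following is an added example written for this article, not the researchers' GitHub script nor Intel's tooling; it assumes the MEI device sits at PCI 00:16.0 on Linux, that HFSTS1 lives at config offset 0x40, and that bit 4 of that register is the Manufacturing Mode flag (the layout published in coreboot's intelmetool). The sample configuration-space images are constructed inline so the decoder can be exercised offline.

```python
"""Decode Intel ME HFSTS1 to tell whether Manufacturing Mode was left open.

Added example for this article; assumptions:
  - MEI/HECI device is PCI 00:16.0 (sysfs path below)
  - HFSTS1 is the 32-bit register at config offset 0x40
  - bit 4 of HFSTS1 is "Manufacturing Mode" (coreboot intelmetool layout)
"""
import struct
from pathlib import Path
from typing import Optional

# Assumed location of the MEI device's config space on Linux.
ME_PCI_CONFIG = Path("/sys/bus/pci/devices/0000:00:16.0/config")
HFSTS1_OFFSET = 0x40          # assumed register offset
UNPRIVILEGED_CONFIG_LIMIT = 64  # sysfs only exposes the first 64 bytes to non-root


def decode_hfsts1(hfsts1: int) -> dict:
    """Split HFSTS1 into the fields relevant to a Manufacturing Mode check."""
    return {
        "working_state": hfsts1 & 0xF,                 # bits 0-3
        "manufacturing_mode": bool((hfsts1 >> 4) & 1),  # bit 4: the flag this article is about
        "fpt_bad": bool((hfsts1 >> 5) & 1),             # bit 5: flash partition table bad
        "operation_state": (hfsts1 >> 6) & 0x7,         # bits 6-8
        "fw_init_complete": bool((hfsts1 >> 9) & 1),    # bit 9
        "error_code": (hfsts1 >> 12) & 0xF,             # bits 12-15
        "operation_mode": (hfsts1 >> 16) & 0xF,         # bits 16-19
    }


def read_hfsts1(config_bytes: bytes) -> int:
    """Extract HFSTS1 from a raw PCI config-space image (little-endian)."""
    if len(config_bytes) < HFSTS1_OFFSET + 4:
        # A 64-byte image means the caller read sysfs without root and the
        # register was truncated away; say so instead of decoding garbage.
        raise ValueError(
            f"config image is {len(config_bytes)} bytes; HFSTS1 at 0x{HFSTS1_OFFSET:x} "
            "needs at least 68 (read the device as root)"
        )
    return struct.unpack_from("<I", config_bytes, HFSTS1_OFFSET)[0]


def manufacturing_mode_enabled(config_bytes: bytes) -> bool:
    """True if the ME reports Manufacturing Mode still open."""
    return decode_hfsts1(read_hfsts1(config_bytes))["manufacturing_mode"]


def check_device(path: Path = ME_PCI_CONFIG) -> Optional[dict]:
    """Read the live MEI device if present; None when there is no such device."""
    if not path.exists():
        return None
    return decode_hfsts1(read_hfsts1(path.read_bytes()))


# Constructed sample images (not captured from real hardware):
# working_state=5, operation_state=1, fw_init_complete=1, plus the mfg-mode bit.
SAMPLE_OPEN = bytearray(256)
struct.pack_into("<I", SAMPLE_OPEN, HFSTS1_OFFSET, 0x00000255)  # bit 4 set
SAMPLE_CLOSED = bytearray(256)
struct.pack_into("<I", SAMPLE_CLOSED, HFSTS1_OFFSET, 0x00000245)  # bit 4 clear

if __name__ == "__main__":
    for label, image in (("sample-open", SAMPLE_OPEN), ("sample-closed", SAMPLE_CLOSED)):
        print(label, "manufacturing mode:", manufacturing_mode_enabled(bytes(image)))
    live = check_device()
    print("live device:", live if live is not None else "no MEI device at 00:16.0")
```

On a real machine the full 256-byte config space is only readable as root, so `read_hfsts1` refuses a 64-byte image rather than silently reporting "closed"; a result of `manufacturing_mode: True` on a shipped system is the condition Apple's 10.13.5 firmware update closed.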

They contend that Intel's failure to provide public documentation of its tech leaves users at risk and they speculate that being able to reset the ME without doing the same to the CPU may lead to other security issues.

In an email to The Register, an Intel spokesperson said:

Protecting our customers’ data and ensuring the security of our products is a top priority for Intel. Manufacturing Mode is an essential CSME design feature that enables system manufacturers to configure systems during production. We provide system manufacturers with tools and guidance to properly configure systems before shipping. This includes setting "End of Manufacturing."

End users who are concerned about the status of their systems can check with their system manufacturer. As always, Intel encourages end users to follow good security practices and keep their system software and firmware up to date.

That goes for you too, Apple. ®

Biting the hand that feeds IT © 1998–2021