In its ongoing exploration of Intel's Management Engine (ME), security biz Positive Technologies has reaffirmed the shortsightedness of security through obscurity and underscored the value of open source silicon.
The Intel ME, included on most Intel chipsets since 2008, is controversial because it expands the attack surface of Intel-based hardware. If compromised, it becomes side-channel threat to the main processor.
The Electronic Frontier Foundation last year called it a security hazard and asked for a way to disable it, a request that researchers from Positive Technologies subsequently met.
In a blog post on Tuesday, researchers Maxim Goryachy and Mark Ermolov, involved in the discovery of an Intel ME firmware flaw last year, reveal that Chipzilla's ME contains an undocumented Manufacturing Mode, among its other little known features like High Assurance Platform mode.
"Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users," explain Goryachy and Ermolov. "However, this mode and its potential risks are not described anywhere in Intel's public documentation."
Manufacturing Mode can only be accessed using a utility included in Intel ME System Tools software, which isn't available to the public. It's intended to configure important platform settings in one-time programmable memory called Field Programming Fuses (FPF) prior to product shipment and in ME's internal MFS (Minux File System) on SPI (Serial Peripheral Interface) flash memory, via parameters known as CVARs (Configurable NVARs, Named Variables).
In chipsets prior to Apollo Lake, Goryachy and Ermolov observe, Intel kept access rights for its Management Engine, Gigabit Ethernet, and CPU separate. The SPI controllers in more recent chips, however, have a capability called a Master Grant which overrides the access rights declared in the SPI descriptor.
Intel Management Engine JTAG flaw proof-of-concept publishedREAD MORE
"What this means is that even if the SPI descriptor forbids host access to an SPI region of ME, it is possible for ME to still provide access," the researchers explain.
And because it turns out that device makers may not disable Manufacturing Mode, there's an opportunity for an attacker – with local access – to alter the Intel ME to allow the writing of arbitrary data.
At least one Intel customer failed to turn Manufacturing Mode off: Apple. The researchers analyzed notebooks from several computer makers and found that Apple had left Manufacturing Mode open. They reported the vulnerability (CVE-2018-4251) and Apple patched it in June via its macOS High Sierra 10.13.5 update.
As Apple put it in its description of the firmware issue, "A malicious application with root privileges may be able to modify the EFI flash memory region."
Goryachy and Ermolov have posted Python code on GitHub to allow end-users with the appropriate Intel chips to check whether Manufacturing Mode has been disabled. They have previously described how to disable Intel's Management Engine almost entirely.
They contend that Intel's failure to provide public documentation of its tech leaves users at risk and they speculate that being able to reset the ME without doing the same to the CPU may lead to other security issues.
In an email to The Register, an Intel spokesperson said:
Protecting our customers’ data and ensuring the security of our products is a top priority for Intel. Manufacturing Mode is an essential CSME design feature that enables system manufacturers to configure systems during production. We provide system manufacturers with tools and guidance to properly configure systems before shipping. This includes setting "End of Manufacturing."
End users who are concerned about the status of their systems can check with their system manufacturer. As always, Intel encourages end users to follow good security practices and keep their system software and firmware up to date.
That goes for you too, Apple. ®