In last week’s post, I mentioned that even though you can change a lot of things about your computer, you can’t disable certain scary “features” that the manufacturer has forced on you, such as the Intel Management Engine (ME). Today I want to talk about it, and why its existence is a bad thing.

Since about 2008, virtually every computer with an Intel chipset comes with a component known as the Management Engine. The Management Engine is a separate processor that runs on proprietary and secret firmware that no one can see or change. Okay, so no big deal just yet. After all there are a lot of chips in your motherboard with proprietary firmware. But what distinguishes the ME from the others is that it practically has total control of your device. It is essentially a second computer within your computer that you can’t do much about: Intel’s CPUs have another intel inside.

The Management Engine is the hardware part of a system which Intel calls the Active Management Technology (AMT). Its intended (or, at least, stated) purpose is to let IT personnel manage, administer and troubleshoot hardware remotely, without being physically present anywhere near the computer. Just open up a management interface and you have full control over a device that, from the outside, looks like it is turned off. I’d say this is a pretty good feature for servers in a data center. It may be difficult for the right person to troubleshoot them to always be nearby, and such powerful remote management capability makes things easier. For devices sold to businesses, it is pretty understandable too. The company that buys the computers owns them, even if they’re actually used by employees. But the consumer market is where the downsides beat the benefits (if there are any to begin with).

Here is a small list of what the Management Engine can do:

  1. It can access the entirety of the computer’s memory without the main processor’s knowledge. It can access other hardware, including the hard disk and input devices.
  2. It can turn on and function even when your computer is turned off, provided a power source such as a connected power cord or a battery is available. It can also function when critical pieces of hardware like the main memory have failed.
  3. It can use its in-hardware TCP/IP stack to communicate over the internet when a connection is available. It has a dedicated connection to the network controller.

Here is a small list of things you cannot do about it:

  1. You cannot fully disable it. The AMT can be disabled, but there is no way for an end user to disable or turn off the Management Engine itself.
  2. You cannot access or read the firmware it runs, as it is encrypted with a 2048-bit RSA key.

The single major problem with all of this is that every system has security vulnerabilities, and the Management Engine is no exception. In fact, several vulnerabilities have already been discovered, and some give an attacker total control over the attacked device. Intel has published patches for the vulnerabilities, but it is virtually impossible for the security updates to reach all affected devices. But there’s a problem bigger than known security loopholes and they are zero days - vulnerabilities known only to attackers. If a nation-state surveillance agency or other malicious group has knowledge of such a vulnerability, then the sheer number of devices that are at risk, and the sheer amount of control an attacker would have is mind-boggling. Not being able to disable the Management Engine means we don’t have control over of what runs on our own computer. It means a fundamental freedom of the user has been encroached upon.

So is there anything you can do about it? How about something that runs on AMD? Surely they wouldn’t have any of that ME stuff. Yeah, but they have something else - the Platform Security Processor (PSP). Different name, but the same purpose. There are some OEMs selling laptops with the ME disabled. So if you really care about control and security enough to buy a new device, you could do it. If not, probably the only other option would be waiting for some clever security researcher to reverse engineer the system enough to find a way to reliably disable it.