Intel Hidden Management Engine – x86 Security Risk?


So it seems the latest generation of Intel x86 CPUs have implemented a Intel hidden management engine that cannot be audited or examined. We can also assume at some point it will be compromised and security researchers are labelling this as a Ring -3 level vulnerability.

Intel Hidden Management Engine – x86 Security Risk?

This isn’t a new issue though, people have been talking about this since last December and similar issues for a while with BMC (Baseboard Management Controller) and other out-of-band system management hardware add-ons.

There’s a question on Quora about it too, with no real answer – Should I be worried about security backdoors in Intel’s Management Engine and Active Management Technology features?

Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they’ll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I’ve made it my mission to open up this system and make free, open replacements, before it’s too late.

The Intel Management Engine (ME) is a subsystem composed of a special 32-bit ARC microprocessor that’s physically located inside the chipset. It is an extra general purpose computer running a firmware blob that is sold as a management system for big enterprise deployments.

When you purchase your system with a mainboard and Intel x86 CPU, you are also buying this hardware add-on: an extra computer that controls the main CPU. This extra computer runs completely out-of-band with the main x86 CPU meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend).

On some chipsets, the firmware running on the ME implements a system called Intel’s Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU.


The slightly worrying part is the Intel ME chip can access any memory location without the host Operating System knowing anything about it, and can also run a TCP/IP server on your network interface and bypass any firewall running.

So if it DID get compromised, it’d be the perfect conduit to steal information without being detected. Obviously on a corporate network with a centralised proxy, firewall or NAT device you’d have a better chance of catching the packets.

But it still seems extremely risky.

The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called “Intelligent Platform Management Interface” or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system.

While AMT can be a great value-add, it has several troubling disadvantages. ME is classified by security researchers as “Ring -3”. Rings of security can be defined as layers of security that affect particular parts of a system, with a smaller ring number corresponding to an area closer to the hardware. For example, Ring 3 threats are defined as security threats that manifest in “userspace” mode. Ring 0 threats occur in “kernel” level, Ring -1 threats occur in a “hypervisor” level, one level lower than the kernel, while Ring -2 threats occur in a special CPU mode called “SMM” mode. SMM stands for System-Management-Mode, a special mode that Intel CPUs can be put into that runs a separately defined chunk of code. If attackers can modify the SMM code and trigger the mode, they can get arbitrary execution of code on a CPU.

Although the ME firmware is cryptographically protected with RSA 2048, researchers have been able to exploit weaknesses in the ME firmware and take partial control of the ME on early models. This makes ME a huge security loophole, and it has been called a very powerful rootkit mechanism. Once a system is compromised by a rootkit, attackers can gain administration access and undetectably attack the computer.

So what we have here is basically a hardware based, Intel built, Ring -3 rootkit which we just have to hope and pray doesn’t get hacked.

And on newer systems, ME cannot be disabled.

As it operates completely out-of-band, the OS can’t even scan ME to see if it’s been compromised and can’t ‘heal’ a hacked ME chip.

Source: Boing Boing

Posted in: Exploits/Vulnerabilities, Hardware Hacking

, ,


Latest Posts:


truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.


3 Responses to Intel Hidden Management Engine – x86 Security Risk?

  1. kRyTiCaL June 18, 2016 at 10:48 pm #

    Am I the only one thinking this is a built in backdoor for Govt spying?

    • Darknet June 20, 2016 at 1:36 pm #

      No, you aren’t.

  2. Mike June 20, 2016 at 2:49 pm #

    What is the purpose of the ME? Can the user access it to see what’s going, do hardware diagnostics etc?

    What’s the difference between this and HP’s iLO that’s built into its servers?