Experts from security firm Positive Technologies, while analyzing the Intel Management Engine (ME), discovered that Apple did not lock it in its laptops.
The Intel Management Engine consists of a microcontroller that works with the Platform Controller Hub chip in conjunction with integrated peripherals. It is a critical component that handles data exchanged between the processor and peripherals.
For this reason, security experts have warned in the past of the risks posed by Intel Management Engine vulnerabilities. An attacker can exploit a flaw in the Intel ME to establish a backdoor on the affected system and gain full control over it.
Last year the same group of experts at Positive Technologies discovered an undocumented configuration setting that disabled the Intel Management Engine.
The team also published proof-of-concept exploit code for a vulnerability in the Intel Management Engine JTAG.
Last year, experts from the Electronic Frontier Foundation asked Intel to provide a way to disable the IME.
In August 2017, the experts from Positive Technologies (Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy) discovered a way to disable the Intel Management Engine 11 via an undocumented mode.
The researchers discovered that it is possible to turn off the Intel ME by setting the undocumented high assurance platform (HAP) bit to 1 in a configuration file.
The experts discovered that the security framework was developed by the US National Security Agency … yes the NSA!
This week, researchers Maxim Goryachy and Mark Ermolov published a blog post that revealed Chipzilla’s ME contains an undocumented Manufacturing Mode.
“Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users,” states the security duo.
“However, this mode and its potential risks are not described anywhere in Intel’s public documentation.”
The only way to access the Intel Manufacturing Mode is through a utility included in the Intel ME System Tools software, which is not available to the public. The software makes it possible to configure platform settings in one-time programmable memory called Field Programming Fuses (FPF), an operation that is usually performed before shipment, and in ME’s internal MFS (Minux File System) on SPI (Serial Peripheral Interface) flash memory, via parameters known as CVARs (Configurable NVARs, Named Variables).
On older systems, prior to Apollo Lake, Intel kept the access rights for the Intel Management Engine, Gigabit Ethernet, and CPU separate.
In newer systems, the SPI controllers implement the Master Grant feature that could override the access rights declared in the SPI descriptor.
“What this means is that even if the SPI descriptor forbids host access to an SPI region of ME, it is possible for ME to still provide access,” the researchers explain.
Experts pointed out that device makers cannot disable the Manufacturing Mode, opening the door to cyber attacks by a local attacker.
Ironically, one of Intel’s major customers, Apple, left Manufacturing Mode enabled; the issue was tracked as CVE-2018-4251.
Apple addressed the problem in June and fixed it with the release of the macOS High Sierra 10.13.5 update.
The security experts published Python code on GitHub to allow Intel to check whether Manufacturing Mode is enabled.
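As an added illustration (not the researchers' tool and not code from the original article), the sketch below shows how such a check can work on Linux. It assumes the ME Host Firmware Status register sits at offset 0x40 of the HECI PCI function 00:16.0 with the field layout coreboot publishes, where bit 4 is the Manufacturing Mode flag; the sample dump is constructed.

```python
import os
import struct
import sys

# Assumptions (not from the article): HFS register at config offset 0x40 of
# the HECI function 00:16.0, field layout as published in coreboot's me.h.
HECI_CONFIG = "/sys/bus/pci/devices/0000:00:16.0/config"  # Linux sysfs path
HFS_OFFSET = 0x40

# (field name, lowest bit, width in bits)
HFS_FIELDS = [
    ("working_state", 0, 4),
    ("mfg_mode", 4, 1),          # 1 = Manufacturing Mode still open
    ("fpt_bad", 5, 1),
    ("operation_state", 6, 3),
    ("fw_init_complete", 9, 1),
    ("error_code", 12, 4),
    ("operation_mode", 16, 4),
]

# Constructed sample: 256-byte config space whose HFS value has bit 4 set.
SAMPLE_CFG = bytes(HFS_OFFSET) + struct.pack("<I", 0x00000255) + bytes(0xBC)

def hfs_from_config(config_bytes):
    """Extract the little-endian 32-bit HFS value from a config space dump."""
    if len(config_bytes) < HFS_OFFSET + 4:
        # Unprivileged sysfs reads return only the first 64 bytes.
        raise ValueError("config dump too short (run as root?)")
    return struct.unpack_from("<I", config_bytes, HFS_OFFSET)[0]

def decode_hfs(value):
    """Split the HFS value into named fields."""
    if value == 0xFFFFFFFF:
        raise ValueError("HECI device hidden or absent (reads all ones)")
    return {n: (value >> lo) & ((1 << w) - 1) for n, lo, w in HFS_FIELDS}

def manufacturing_mode_enabled(config_bytes):
    return decode_hfs(hfs_from_config(config_bytes))["mfg_mode"] == 1

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else HECI_CONFIG
    if os.path.exists(path):
        with open(path, "rb") as fh:
            cfg = fh.read(256)
    else:
        print("no HECI config found, using constructed sample")
        cfg = SAMPLE_CFG
    print(decode_hfs(hfs_from_config(cfg)))
    enabled = manufacturing_mode_enabled(cfg)
    print("Manufacturing Mode:", "ENABLED" if enabled else "disabled")
    sys.exit(1 if enabled else 0)
```

The non-zero exit status when the flag is set lets the check be used in a fleet audit script.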
“Our research shows that Intel ME has a Manufacturing Mode problem, and that even giant manufacturers such as Apple are not immune to configuration mistakes on Intel platforms. Worse still, there is no public information on the topic, leaving end users in the dark about weaknesses that could result in data theft, persistent irremovable rootkits, and even ‘bricking’ of hardware,” conclude the experts.
“We also suspect that the ability to reset ME without resetting the main CPU may lead to yet additional security issues, due to the states of the BIOS/UEFI and ME falling out of sync.”