
An in-depth security review of the Intel Management Engine - marksamman
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
======
aeleos
Wow all 6th, 7th and 8th gen are all vulnerable along with a bunch of Xeon
processors. Even the laptop I am typing this on is vulnerable, this is going
to be messy. Plus all the fun vulnerabilities like arbitrary code execution,
unauthorized access to privileged content. These must be related to the
blackhat talk coming up in December about hacking a turned-off computer and
running unsigned code on ME [0]. Yep and the two researches doing the talk are
the two people credited in this announcement, Mark Ermolov and Maxim Goryachy.
Great work by them finding these vulnerabilities and disclosing them, these
are the kind of vulnerabilities that the NSA would salivate over.

I wonder if this will at all dissuade either Intel or AMD into continuing to
make these super privileged processors whose functions are completely hidden.
The cynic in me thinks that this will change absolutely nothing.

There is a great website called The Bad Thing [1] that has compiled the known
information about Intel ME.

I just ran the detection tool on my laptop and I am running a vulnerable
version of Intel ME, but I can't even do anything about it until my system
manufacturer provides a patch for it. I feel like this is going to be one of
those situations that ends up leaving millions of devices unpatched and
vulnerable a few years down the road.

[0]: [https://www.blackhat.com/eu-17/briefings/schedule/#how-to-
ha...](https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-
turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668)
[1]:
[https://www.cs.cmu.edu/~davide/bad_thing.html](https://www.cs.cmu.edu/~davide/bad_thing.html)

~~~
white-flame
> _I wonder if this will at all dissuade either Intel or AMD into continuing
> to make these super privileged processors whose functions are completely
> hidden._

I think many discussions miss the nuance here. The problem is that the
functionality is hidden, not necessarily that the function is there.

In corporate use, these tools can be incredibly useful. If they were more
transparent, then they could be used by normal users for remote administration
as well.

But it needs to be secure, and it needs to exist without secrecy. If this
portion were free for the user to configure, or if they allowed complete
disabling via motherboard jumper, or simply open sourced it, that would be a
better step.

However, the NSA's activities have destroyed all trust in these sorts of
features coming from an American company, so even if it were completely open
sourced, there's no guarantee that there isn't other hardcoded ROM also
executing in tandem with the open source components.

~~~
derefr
> or if they allowed complete disabling via motherboard jumper

That wouldn't really work; the ME is essentially "the CPU" of the Platform
Controller Hub. Disabling it would be disabling your computer (e.g. your
IOMMU, your DRAM refresh, your ACPI command routing, etc.)

All the stuff that used to be done "manually" by the CPU itself back in the
8086 days—using configured IRQs and PITs and whatever else—is done
autonomously by the PCH these days, with the CPU just asking the PCH to "get
it done." And the logic that runs in the PCH to interpret those requests and
decides _when and how_ to apply them, is executed by the ME.

The ME only managed to not exist previously, because mainboards were
previously both "simpler" (every bus spoke exactly one protocol and the
controller chip for that bus did the protocol signalling) and more complex
(tons of single-purpose controller chips.) The PCH boils all that down to one
chip, and it needs a CPU to do it, and that CPU is the ME. Getting rid of it
would mean going back ~15 years in computer capabilities.

(Another way to think of the PCH is that it's basically an SoC chip, with the
"heavy lifting" of application execution moved out to a separate, upgradable
CPU socket. But, like any SoC, it still does need _some_ sort of internal CPU.
The ME is that CPU.)

~~~
throwaway613834
>> or if they allowed complete disabling via motherboard jumper

> That wouldn't really work; the ME is essentially "the CPU" of the Platform
> Controller Hub. Disabling it would be disabling your computer (e.g. your
> IOMMU, your DRAM refresh, your ACPI command routing, etc.)

Then how does Intel disable it for governmental customers (high-assurance)?

~~~
rphlx
The GP is simply wrong on many/most of its technical claims. ACPI
implementations were common for 4+ years before the ME existed. The ME is not
involved in DRAM refresh or initialization at all (other than waiting for it
to complete..). DRAM refresh is hardened into the IMC, and the initialization
SW runs on the x86_64 cores - typically it's a UEFI binary blob provided by
Intel. Once the OS is running, it manages the IOMMU, and the IOMMU itself is a
hardened function; the translations that it performs for the OS do not involve
the ME. And so on.

Though the ME currently performs some complex early initialization tasks, the
notion that a modern x86_64 platform simply cannot work, or cannot work
efficiently, without the ME running indefinitely/alongside the OS is plainly
wrong.

~~~
zkms
> The GP is simply wrong on many/most of its technical claims

I concur. Also regarding: ACPI, there often is an auxiliary microcontroller
used to do power management and keyboard interfacing called "embedded
controller" (sometimes there's also a mysterious ASIC, part numbers for them
include Rohm BU77700KVT Toshiba TB62D515FG,TB62501F) that lives on some SMBus
and with which the ACPI implementation, running on the main processor, talks
with.

~~~
TD-Linux
On newer Thinkpads, the firmware for the EC is on the same SPI Flash as the ME
firmware, but on a different partition. The EC is an entirely separate chip
(labeled ThinkEngine) and by virtue of being only on SMBus is a lot less
dangerous.

------
jlgaddis
I prefer the wording in Lenovo's security advisory [0]:

> _" Potential Impact: An attacker could load and execute arbitrary code
> outside the visibility of the user, operating system, and
> hypervisor/virtualization platform; resulting in exfiltration of secrets,
> subtle manipulation of system operation, or denial of service."_

[0]:
[https://support.lenovo.com/us/en/product_security/len-17297](https://support.lenovo.com/us/en/product_security/len-17297)

~~~
loop0
It is nice to know lenovo already has the updates, but sadly I'm gonna have to
install windows for that :(

~~~
jlgaddis
Go for the "bootable CD" option, if it's available. You don't need Windows for
that. My ThinkPads all run Linux and I have no problems updating them.

~~~
morpheuskafka
I think that's only for BIOS updates, not ME. ME uses an Intel provided flash
EXE. It would probably run on PE or definitely Windows to Go though.

~~~
lorenzhs
I figured out how to install it using Windows PE. First, get a Windows
installer image or WADK and mount it. Microsoft provides these, but hides the
download link well. Then get the ME firmware update installer and the AMT/ME
software installer from Lenovo and execute the unpackers with wine. From
~/.wine/drive_c/DRIVERS/WIN/AMT, do "cabextract SetupME.exe". You can discard
everything but the "HECI_REL" directory from this, including SetupME.exe.

Now you need wimlib to create the WinPE image: _" mkwinpeimg --windows-
dir=/mnt winpe.img --overlay=$HOME/.wine/drive_c/DRIVERS"_

The resulting winpe.img can be dd'ed to a USB thumb drive. Boot into it, and
execute "cd /WIN/AMT/HECI_REL/win10", "drvload HECI.inf" (to load the MEI
driver) and then "cd /WIN/ME/", "MEUpdate.cmd" to update the ME firmware.

------
lifty
Does anyone have an idea to what extent macbooks are affected? Intel ME is
baked in every CPU but according to The Register [0] the AMT part is not
running on Apple hardware.

[0]:
[https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulner...](https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/)

~~~
giobox
Most reports I've read, including the one you have just linked, state Apple
hardware as unaffected by this.

~~~
tmsldd
Is there a official position/statement from Apple on this?

~~~
robertcw_3rd
No, not yet. I went into my local Apple store and brought it up to one of the
genius's and they haven't heard anything at all about the exploit from HQ.
But, I can confirm that Intel's ME is present in all Apple macs. The physical
hardware is completely unchanged according to the Apple genius bar employee.

It's unclear to me whether or not Apple uses Intel firmware for the non AMT
portions of ME. I will report back to you when I find out. However, the
evidence I've seen so far isn't looking too good, and it definitely looks like
the vast majority of macs made in the last 5 years are all vulnerable, many
appearing to run outdated Intel firmware to boot -- not good for Apple.

The evidence can be seen here,

[https://apple.stackexchange.com/questions/306959/intel-
manag...](https://apple.stackexchange.com/questions/306959/intel-management-
engine-is-macos-vulnerable)

where some people run a python program to check the version of their ME
firmware (which works and returns numbers completely consistent with Intel
firmware numbering). I wonder if Apple just isn't aware of the hack yet?

------
tpearson-raptor
Yet another reason owner-controlled machines like the Talos™ II [0] are so
important. Yes, it may cost a bit more up front, but what's the cost again of
having your data stolen and then, especially with the older machines here,
having to replace all of your hardware to boot?

Plus, purchasing machines like that one not only sends a clear signal that we
want backdoor-free computing, but also allows the further development of more
libre computing options. Wouldn't you rather have Linux and BSD as first-class
citizens on new hardware, instead of always needing to play catch-up from
behind?

[0] [https://raptorcs.com/TALOSII/](https://raptorcs.com/TALOSII/)

~~~
reirob
From their FAQ:

Q: Why preorders? Why can't I evaluate a production machine right now?

A: Although we have Talos™ II hardware in our labs, IBM has not yet released
the POWER9 CPU to the general public. The POWER9 launch is scheduled for Q4
this year; we intend to make Talos™ II available to everyone shortly after
POWER9 launch via our pre-order model. This model allows us to manage supply
of the Talos™ II systems for Q4 shipment, and we intend to transition to a
more standard ordering model once the POWER9 processor has reached general
availablility (GA). Orders placed after our pre-order cutoff will not ship
until 2018, and you would be missing out on the benefits of early market
access to the POWER9 processor, so we strongly recommend that you place your
pre-order as quickly as possible!

------
computator
Don't rush to apply the Intel ME patch!

Several HN users here (beefhash, jlgaddis, joe_the_user) have raised the
possibility that applying the patch might make it impossible to get rid of the
Intel ME entirely.

If you don't apply the patch, someone may come up with a nice new exploit
(using the security bugs) to completely remove the Intel ME.

If you do apply the patch, it might close off possible exploits and you'll be
left with an Intel ME that's impossible to remove.

~~~
beefhash
While we're on the topic -- is there some IRC channel or something dedicated
to Intel ME research?

~~~
nullc
Well I just created ##intelme on freenode. Though, I'm just a nobody whos
managed to get his laptop me_cleanered.

Feel free to join.

------
wonderous
Anyone able to explain why Intel’s severity rating for this is “important” and
not “critical”; meaning of the terms per Intel’s own words:

“Critical: A vulnerability, which if exploited, would allow remote execution
of malicious code without user action.”

“Important: A vulnerability, which if exploited, would directly impact the
confidentiality, integrity or availability of user’s data or processing
resources.“

~~~
openasocket
This doesn't allow remote access, just privilege escalation. So you'd already
have to have some degree of access to the system to be able to use this
vulnerability.

------
joe_the_user
So, will Intel be patching both the vulnerabilities and the kludges people
have found to remove ME? Thus making some customers safer while maintaining
systemic risk for everyone?

"Asking for a friend"

~~~
discreditable
Intel provides patches to vendors. Vendors provide patches to you eventually
or never.

~~~
Sir_Substance
Who is my vendor if I assembled my computer myself?

~~~
lwhalen
The company who built your motherboard

~~~
Sir_Substance
I'll take your word for it I guess, but I don't see the logic. Why would my
motherboard manufacturer be involved in this process?

edit: maximum downvotes for a legitimate question, thanks all

~~~
artimaeis
The motherboard manufacturer integrated the chipset into their board. They
worked with Intel, or Intel's spec/API directly. They are responsible for your
machine's interaction with the CPU.

The same is true of all the devices directly integrated into your motherboard.
Broadcom/Intel wireless chipset, Ethernet, audio, etc.

------
beefhash
Good times when kernel privilege escalation was the worst you had to fear.

I'm not familiar enough with the Intel ME to tell, but could this possibly be
exploited with the arbitrary code execution in the ME being used to set the
HAP bit without requiring hardware intervention?

~~~
jlgaddis
That'd be pretty sweet, wouldn't it?

Maybe I'll hold off on patching for a bit.

~~~
mysterypie
> _Maybe I 'll hold off on patching for a bit._

I think you're suggesting extremely interesting but I'm not totally clear on
it. So someone[1] has come up with some code to either disable (kill switch)
or remove the Intel ME. (Setting the HAP bit is the kill switch.)

Now Intel and its vendors are going to issue a patch for the Intel ME. Are you
saying that as a result of applying this patch we might not be able disable or
remove the Intel ME? In other words, we'll end up with a slightly more secure
Intel ME, but be worse off since we can't exploit any bugs to get rid of it?

If I'm understanding you correctly, this sounds like the iPhone situation:
upgrade to a newer iOS and lose the ability to jailbreak.

[1] [https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-
bi...](https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit)

~~~
jlgaddis
Basically, yeah.

Hold off on patching this vulnerability so that it can be exploited later in
order to disable ME entirely. Their firmware updates could very well close off
these existing "known holes", making them impossible to exploit.

If we can take advantage of them to kill the ME entirely, that's even better
than Intel releasing this fix.

------
jlgaddis
In my case, their Linux detection tool is less than useless:

    
    
      $ sudo ./intel_sa00086.py
      ...
      *** Risk Assessment ***
      Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).
      ...
    

Thanks, Intel!

If you have a Lenovo machine, check Lenovo's security advisory [0] to see if
it is affected. Intel has the wrong URL in their link.

 _Edit:_ FWIW, the (Linux) tool creates a .log (and .xml) file in the current
directory that was _slightly_ more helpful:

    
    
      $ tail -n 4 SA-00086-cluefire-2017-11-20-21-09-36.log
      HECI error: No device with MKHI found[2]
      Can't find SPS version in the tool output
      Status: HECI_NOT_INSTALLED
      Tool Stopped
    

This workstation doesn't have an "HECI" [1], apparently. It _does_ have SPS,
but "spsInfoLinux64" throws an error too:

    
    
      Error 9460: Unknown or unsupported hardware platform
    

This box has 2 x E5-2620 v4 CPUs so it is reportedly "not affected" but I
thought I'd double-check anyways. Oh well, I won't miss out on all the
excitement -- I'll still get to have some fun updating my other machines and
all of $work's servers in the datacenters. :/

[0]:
[https://support.lenovo.com/us/en/product_security/len-17297](https://support.lenovo.com/us/en/product_security/len-17297)

[1]:
[https://en.wikipedia.org/wiki/Host_Embedded_Controller_Inter...](https://en.wikipedia.org/wiki/Host_Embedded_Controller_Interface)

~~~
aeleos
I get the exact same thing, I might be wrong but I don't think that the
windows version does anything different. According to the website it seems
that the vendor needs to provide software to patch the firmware.

------
hoodoof
I'd have preferred to hear something along the lines of "We'll be stopping
implementing this technology in future CPUs"

~~~
CodeWriter23
Or at least a jumper-select to disable it.

------
xwvvvvwx
Unreal. Kept scrolling and the vulnerabilities kept coming.

Most annoying thing is that there isn’t even a real alternative. If I
understand it right then AMD chips have pretty much the same thing?

~~~
thg
Well, maybe AMD does at least _some_ security reviewing on their own? /s

ARM could be a affordable alternative to x86 if that works for you.

~~~
disconnected
> ARM could be a affordable alternative to x86 if that works for you.

Even the open source friendly Raspberry Pi relies on proprietary blobs and
proprietary firmware, with vast parts of the documentation only being
available to system integrators (meaning: not you) under an NDA.

Theirs is a Broadcom chip, but my understanding is that the scenario is pretty
much the same for other ARM vendors. If the chip is anything more complicated
than your average 8-bit micro-controller, expect it to be running some kind of
"system" which is, of course, closed source.

~~~
khedoros1
The stuff running on the ARM itself is all open, but the firmware blob runs on
a separate CPU with a different instruction set, which has a view of the
entire memory map of the device and ultimate control over the device's
behavior (sound familiar?).

I may be wrong, but my impression is that a lot of the other ARM boards out
there have the ARM chip as the main CPU, and without a management chip
watching it. In any case, a board like that, or a Pi with a reverse-engineered
firmware blob (currently in development) would be better than the Raspberry Pi
as it is now.

------
stablemap
Helpful thread from Matthew Garrett at Google:

[https://twitter.com/mjg59/status/932730696614813696](https://twitter.com/mjg59/status/932730696614813696)

------
revelation
It's bad enough Intel have created the ultimate trojan, but their detection
tool can't even fix the problem!

The tool rightly points out that my desktop consumer system is vulnerable
(from the list, no Intel CPU manufactured in the last 5 years isn't), then
suggests I contact the manufacturer for an update. Here is what the tool says
my system manufacturer is:

    
    
        Manufacturer: To Be Filled By O.E.M.
        Model: To Be Filled By O.E.M.
    

I will get right on that and bug "To Be Filled By O.E.M." for an update! It's
an ASRock motherboard, by the way. But with this approach they are not going
to patch even 5% of personal computers out there..

~~~
kw71
This isn't uncommon. You're not wrong to expect that, if they did not do their
job when configuring these data, they will not do anything to support you
postsale. Their lifecycles are so short maybe your product is several
generations old now.

Some of the board vendors do a better job, but usually still not as good as
"namebrand computers." There is a lot of engineering work that goes into
integration. It's not readily visible to endusers/consumers and therefore
difficult for us to appreciate it or evaluate it for completeness or accuracy.

I hope that someone does a survey of computer and board vendors' support for
this problem. I would like to see who abandons products last.

------
Sephr
They still haven't publicly documented and supported the HAP bit.

If Intel actually cared about your security they would document that. It says
so right in the security advisory that the external researchers are the reason
for the security review, and not due to customer concerns.

------
0culus
How does this affect Apple products? I've looked around for discussion of
Intel ME with regards to Apple and the silence out there is deafening. [edit]
I guess I also want to know is, does Apple provide Intel firmware patches
bundled with their own software update?

~~~
mrsteveman1
I suspect they'll be patching this one, but I don't know if they have updated
the ME firmware in the past.

However, Intel's own platform tools (MEInfo and MEManuf running in a UEFI
shell) can't even communicate with the ME on my 2015 Macbook Pro, so I would
be quite interested to know what exactly they have done differently with
regard to configuring the platform.

People have been archiving every version of the ME firmware for each chipset,
and it would appear there are some versions that may be specific to Apple
hardware. I'm not sure _what_ is different, if anything, but you can see (and
download) the particular firmware versions here: [https://www.win-
raid.com/t596f39-Intel-Management-Engine-Dri...](https://www.win-
raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-
Tools.html)

~~~
0culus
Very interesting! Thanks for the link. I'm curious if Apple has done something
to disable it either themselves or via a special deal with Intel. It's also
interestingly timed with the announcement of the new iMac apparently having an
A10 coprocessor.[0]

[0]: [https://www.macrumors.com/2017/11/19/imac-pro-a10-chip-
hey-s...](https://www.macrumors.com/2017/11/19/imac-pro-a10-chip-hey-siri/)

------
eecc
Wow, just imagine what this means to cloud, you get to own not one server of
an org... but several orgs at the same time!

------
k2enemy
It looks like they specifically label CVEs that require local access as such.
Does anyone know if "via unspecified vector" means network access?

~~~
dboreham
Surely in that case it would say something like "attacker with access to the
lan connected to the machine's NIC" ?

------
cjsuk
This will be trying to close off the holes used to get at the ME OS I reckon.

~~~
sigzero
Technically speaking, that is a security vulnerability. So it wouldn't
surprise me.

------
fernly
The detection tool for Linux is a Python 2 script. It contains ~15 print
statements. If you change them to print functions, the script works fine on
Python 3.

The Intel dudes could have added "from future import print_function" and made
it version-independent.

------
teolandon
This time it's only 6th Generation Core processors and up? I thought even the
older ones had pretty much the same version of ME installed, which had the
previous vulnerability.

~~~
my123
6th gen and later ME are fully different. They are Minix and x86-based, while
earlier ME is ARCCompact with the ThreadX RTOS

------
En_gr_Student
So after it is exposed, after 3 generations of products, do they admit it is
not a "feature". I can't imagine why they thought this kind of escalation
couldn't be cracked by a 3rd party, or how it would bring brand value. This is
"clipper" and yes, the hacker can control it. Dangit. Sell-outs.

I'm just waiting for the ransomware that lives on AME, and is burned to the
various dies instead of on hard-drives. Isn't that what this open door means?

------
fencepost
The question then becomes which of any of these can be exploited by a non
administrator local user or remotely via LAN (which might include the local
machine depending on handling of loop back). Personally I can already see a
bunch of on site upgrades I'm probably going to have to do for small clients.

I almost wish it covered 3rd-5th generation, just to help me push some folks
to upgrade.

------
xwvvvvwx
Could someone explain what Management Engine is actually used for?

It’s still not really clear to me why it needs to exist at all.

Serious question.

~~~
ficklepickle
Remote administration. Installing a new OS remotely, for example. There is
legit demand for that. Imagine manually re-imaging 1000 workstations or
servers.

~~~
akvadrako
That is AMT, which is just one application on the ME. More in general it aims
to handle things the system should do independently of the OS, even when
powered down.

That _can_ include advanced power management, secure computing stuff, watchdog
functions and stuff like that.

------
mysterypie
When I run the detection tool, I get:

 _Based on the analysis performed by this tool: Detection Error: This system
may be vulnerable, please install the Intel(R) MEI /TXEI driver (available
from your system manufacturer)._

Does that mean that the Intel ME is disabled, so I don't have to worry about
it? I certainly don't want to install anything that might enable the Intel ME
if it's already disabled!

What a quandary. This reminds me of all the information I was asked to give to
get a detailed credit report. If I didn't give it, they weren't going to give
me the report. If I gave it, they would add to my credit file even if they
never had it before.

~~~
rst
That's what you get if the tool can't identify the ME version. (I get "not
vulnerable" if I run the script with sudo -- ME version too old for these
vulns, though likely has other, undisclosed vulns -- but without sudo, I get
"may be vulnerable", since it can't talk to the kernel driver.)

------
nly
So while us technonerds wait and see whether our OEMs will bother to push out
firmware updates sometime in the next 6 months, remember that 99% of users
will go unpatched anyway because grandma never upgrades her BIOS.

------
pwdisswordfish2
Original title: "Security vulnerabilities discovered in Intel ME"

~~~
nullc
The original title was more accurate.

------
avocad
This reminded me of the famous lecture by Ken Thompson, Reflections on
Trusting Trust:

[https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomp...](https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)

Basically you have to trust the compiler because it compiles all code on your
system, including itself. Not entirely the same, and I think the Intel trick
is more nefarious.

------
blinkingled
So does this mean 5th gen and below ones are not vulnerable or Intel just
couldn't be bothered to review the ME version on those? Unclear from the
article.

------
dboreham
Does "attacker with local access to the system" mean "physical access to the
system"?? Initially I thought it meant "attacker able to run an unprivileged
process on the system" but then I see other wording that seems to imply that
case, so does "local access" mean physical access? (e.g. connect a USB drive,
boot the box off their own media?)

~~~
berbec
The examples I've heard about are plugging a usb drive in and that's the
ballgame. The big one, that I have not heard of, would be accessing the ME and
privilege elevation over network.

~~~
jackhack
Network is a problem.

As I understand it, the ME subsystem is an overseer, and is running even if
your main PC is powered off. It has control over the network, unobservable
from the downstream CPU/OS. It could therefore receive commands/input from the
network and update itself while "off", or transmit data outbound. So unless
the system is unplugged from the wall, the ME subsystem could be doing God-
knows-what.

------
dboreham
I don't see any remote exploits here (other than "attacker with remote admin
access..."). Is that correct? Presumably an attacker with remote admin access
is already all powerful? Or is the concern that they can backdoor the hardware
in an undetectable way, remotely?

~~~
reificator
A vulnerability where someone can remote control your machine is bad.

A vulnerability where someone can remote control your machine even after you
swap out all local storage and install a new OS is another thing entirely.

~~~
dboreham
True but I'd still like the nature of access required to exercise these
vulnerabilities clearly defined. e.g. if I have a box that I've maintained
strict physical control over, and not allowed admin access to an attacker,
does that mean said box can't have been subverted via these vulnerabilities?

------
jacquesm
So, what's the best ARM based laptop that runs without binary blobs?

------
unixhero
Would you upgrade the firmware or leave it in?

Who knows what benefits this defect can give you down the line. Maybe it will
be possible to take over the entire Management Engine. That would be neat.

------
locusm
What was wrong with IPMI for out of band management? What problem was ME
actually solving?

~~~
cjpb
The question I think people should be asking is not "what problem was it
solving?", but rather "why was it implemented directly into the processors
hardware/firmware?"

------
polskibus
Can this vulnerability be used to take over public cloud?

~~~
my123
MEI is only exposed to the VM host, not to the guests thankfully.

------
partycoder
The ME should not even exist. Best way to secure it is to remove it. Problem
solved.

They will of course not let go because it's a backdoor. It's an overprivileged
computer within your computer.

~~~
arca_vorago
The NSA has an NSL and threats of jail to anyone at Intel who pushes back
against this. Inslaw and Promis was always leading to this, and that's why
they killed Danny Casalero.

------
trisimix
Hackings back baby, whose ready for Hackers 2?

------
vellipylly
what i don't get is how would the consumer benefit of having these features?
it all looks like a nonsense to me and I'd rather live without it. i think
it's time to say goodbye to Intel and opt for another vendor.

~~~
kowdermeister
That's the problem. There are no REAL alternatives.

~~~
vellipylly
I'd be glad to switch to raspberry pie or AMD, but I don't know whether or not
those chips have similar crap in them. is the Intel alone with this? do others
do it too?

------
_pmf_
Ah, the smell of a billion dollar class action lawsuit in the morning!

------
revmoo
So does this updated firmware remove the backdoor or just re-secure it so it
can't be removed?

~~~
berbec
Best I can tell, the are re-locking the door and hoping no one else picks the
lock.

------
geth
I would be curious to know what the attack scenario is exactly? I assume this
is local, not remote, but the article is not very specific. Furthermore, has
any kind of PoC been published?

