​Computer vendors start disabling Intel Management Engine

UPDATED: Intel has admitted that its in-chip Intel Management Engine program has major security holes. Some PC vendors are now disabling Management Engine to protect their customers.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Video: AMD and Intel - Frenemies aligned vs Nvidia

Hidden inside your Intel-based computer is a mystery program called Management Engine (ME). It, along with Trusted Execution Engine (TXE) and Server Platform Services (SPS), can be used to remotely manage your computer. We know little about Intel ME, except it's based on the Minix operating system and, oh yes, ME is very insecure. Because of this, three computers vendors -- Linux-specific OEMs System76 and Purism and top-tier PC builder Dell -- have decided to offer computers with disabled ME.

These ME security holes impact millions of computers. ME supports Intel's Active Management Technology (AMT). This is a powerful tool that allows admins to remotely run computers, even when the device is not booted. Let me repeat that: If your PC has power, even if it's not running, it can be attacked. If an attacker successfully exploits these holes, the attacker can run malware that's totally invisible to the operating system.

Most, but not all, of ME's vulnerabilities require physical access for someone to exploit. Another would valid requite administrative credential for remote exploitation. Still, it's worrisome.

Intel has released a detection tool so Linux and Windows users can detect if their machine is vulnerable. The company also has a page that provides links to support pages from each vendor, as they confirm vulnerable machines.

Intel has admitted that the following CPUs are vulnerable:

  • 6th, 7th, and 8th generation Intel Core Processor Family
  • Intel Xeon Processor E3-1200 v5 and v6 Product Family
  • Intel Xeon Processor Scalable Family
  • Intel Xeon Processor W Family
  • Intel Atom C3000 Processor Family
  • Apollo Lake Intel Atom Processor E3900 series
  • Apollo Lake Intel Pentium Processors
  • Intel Celeron G, N, and J series Processors

There are firmware patches either available now or on the way for most of these chips. The delivery of these patches is in the hands of hardware vendors.

There is, of course, also the possibility of more security holes being found in these chips. That's why some vendors are walking away from Intel ME.

First, the well-respected Linux PC maker System76 announced it was releasing an open-source program to "automatically deliver firmware to System76 laptops similar to the way software is currently delivered through the operating system." This program will "automatically deliver updated firmware with a disabled ME on Intel 6th, 7th, and 8th Gen laptops."

This program will only work on laptops running Ubuntu 16.04 LTS, Ubuntu 17.04, Ubuntu 17.10, Pop!_OS 17.10, or an Ubuntu derivative and have the System76 driver installed to receive the latest firmware.

System76 is also working on a shell command tool, which will upload this firmware to other laptops running other versions of Linux. System76 desktops customers will receive updated firmware, which fixes the known security bugs but doesn't ME.

Earlier, Purism announced it would disable ME on its laptops running the open-source coreboot chip firmware. This was not a trivial task. Purism's developers had to jump through multiple hoops to knock out ME without stopping Wi-Fi at the same time.

Dell, in the meantime, is working on both delivering patched Intel ME firmware for its computers and offering three business devices with ME made inoperable. These include the Latitude 14 Rugged laptop, Latitude 15 E5570 laptop, and Latitude 12 Rugged tablet. To get one without ME, you must order them configured with an "Intel vPro - ME Inoperable, Custom Order" option. This will cost you an additional $20.92.

Intel does not recommend these options. In a statement, an Intel spokesperson said, "The ME provides important functionality our users care about, including features such as secure boot, two-factor authentication, system recovery, and enterprise device management. Since the described configuration necessarily removes functionality required in most mainstream products, Intel does not support such configurations."

Is it worth it? Well, if I was concerned about security, I wouldn't want my hardware running a set of black box programs on a mystery operating system that's operated beneath any level of local control. But, hey, that's just me. That said, since Intel won't support these configurations, your company may not want to chance using them.

The ideal solution would be for Intel to open-source its programs and its customized Minix so sysadmins could know exactly what it is that's running on their PCs, tablets, and servers. I don't think that's too much to ask for.

Failing that, Intel should give vendors and customers an easy option to disable these chip-level programs.

UPDATED: With Intel comments.

Related stories:

Editorial standards