Intel’s Management Engine is a security hazard, and users need a way to disable it

Intel’s CPUs have another Intel inside.

Since 2008, most of Intel’s CPUs have contained a tiny homunculus computer called the “Management Engine” (ME). The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network. All of the code inside the ME is secret, signed, and tightly controlled by Intel. Last week, vulnerabilities in the Active Management (AMT) module in some Management Engines have caused lots of machines with Intel CPUs to be disastrously vulnerable to remote and local attackers. While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one.

This post will describe the nature of the vulnerabilities (thanks to Matthew Garrett for documenting them well), and the potential for similar bugs in the future. EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our CPUs, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.

What is AMT? How is it vulnerable?

On many Intel chips, the Management Engine is shipped with the AMT module installed. It is intended to allow system administrators to remotely control the machines used by an organization and its employees. A vulnerability announced on May 1 allows an attacker to bypass password authentication for this remote management module, meaning that in many situations remote attackers can acquire the same capabilities as an organization’s IT team, if active management was enabl