Linked by Thom Holwerda on Tue 10th Oct 2017 23:45 UTC
Intel

The Intel Management Engine ('IME' or 'ME') is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs. It has full network and memory access and runs proprietary, signed, closed-source software at ring -2, independently of the BIOS, main CPU and platform operating system - a fact which many regard as an unacceptable security risk (particularly given that at least one remotely exploitable security hole has already been reported).

In this mini-guide, I'll run through the process of disabling the IME on your target PC.

Apparently, the IME co-processor runs... MINIX 3. That is incredibly fascinating. This means every post-2006 Intel PC runs MINIX.
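Before going through the linked guide, it is worth knowing whether the box even exposes the ME's host interface. The following is an added example, not code from the guide, OSnews or Intel: it scans `lspci -nn` output for the MEI/HECI PCI function (Intel vendor ID 8086; matching on "MEI", "HECI" or "Management Engine" in the description is an assumption about how the device is named) and, on Linux, reads the firmware version the mei driver exposes in sysfs (the `/sys/class/mei/mei*/fw_ver` path is assumed). The sample `lspci` lines are constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: check for the Intel ME host interface (MEI/HECI) and,
# where the kernel's mei driver is loaded, report the ME firmware version.
# Not part of the linked guide; device-name patterns and sysfs path are assumed.

# me_devices_from_lspci: reads `lspci -nn` style lines on stdin and prints
# only those that look like the Management Engine Interface function.
me_devices_from_lspci() {
    grep -E '\[8086:[0-9a-f]{4}\]' | grep -Ei 'MEI|HECI|Management Engine'
}

# me_present: exit status 0 if any MEI/HECI line is found on stdin, 1 otherwise.
me_present() {
    [ -n "$(me_devices_from_lspci)" ]
}

# me_fw_version: print the firmware version string(s) the mei driver exposes
# (assumed path). Fails when the driver is absent or the ME is disabled.
me_fw_version() {
    for f in /sys/class/mei/mei*/fw_ver; do
        [ -r "$f" ] && cat "$f" && return 0
    done
    return 1
}

# Constructed sample `lspci -nn` output for the stand-alone run.
# On a live Linux system use:  lspci -nn | me_devices_from_lspci
SAMPLE_LSPCI='00:00.0 Host bridge [0600]: Intel Corporation 3rd Gen Core processor DRAM Controller [8086:0154] (rev 09)
00:16.0 Communication controller [0780]: Intel Corporation 7 Series/C216 Chipset Family MEI Controller #1 [8086:1e3a] (rev 04)
00:1f.2 SATA controller [0106]: Intel Corporation 7 Series Chipset Family 6-port SATA Controller [AHCI mode] [8086:1e03] (rev 04)'

if printf '%s\n' "$SAMPLE_LSPCI" | me_present; then
    echo "ME host interface present:"
    printf '%s\n' "$SAMPLE_LSPCI" | me_devices_from_lspci
    me_fw_version || echo "no mei fw_ver in sysfs (driver not loaded, or ME disabled)"
else
    echo "no MEI/HECI PCI function found"
fi
```

A missing MEI function in `lspci` is not proof the ME is gone: the host interface can be hidden by firmware while the co-processor still runs, so treat this as a first-pass check, not a verification of the disable procedure.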

Interesting process but ...
by shotsman on Wed 11th Oct 2017 05:25 UTC

This is certainly not for everyone. I'm sure that if you follow the steps perfectly you may do it, but TBH it seems an awful lot more trouble than it is worth.
I suspect that only the most paranoid, or those who work for the various TLAs around the world, will bother.

For the average punter? I don't see any compelling reason to do this (at the moment)

But... it was interesting to find out that it can be done.
Thanks Thom.


by Flatland_Spider

IME is a security risk. The AMT/vPro security holes of the not too distant past illustrate the problem with this technology, and without a compelling reason to keep it around (i.e. a corporate setting which uses it for remote administration and provisioning of desktops), it should get nuked.

References:
https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-int...
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-000...
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Sec...

Edited 2017-10-11 17:23 UTC


RE: Interesting process but ...
by CaptainN- on Thu 12th Oct 2017 18:12 in reply to "Interesting process but ..."

Wow, this FAQ page makes a strong case for Apple (and maybe others) to ditch x86 quickly https://libreboot.org/faq.html#amd

From the FAQ:
"it is our opinion that all performant x86 hardware newer than the AMD Family 15h CPUs (on AMD’s side) or anything post-2009 on Intel’s side is defective by design and cannot safely be used to store, transmit, or process sensitive data. Sensitive data is any data in which a data breach would cause significant economic harm to the entity which created or was responsible for storing said data, so this would include banks, credit card companies, or retailers (customer account records), in addition to the “usual” engineering and software development firms. This also affects whistleblowers, or anyone who needs actual privacy and security."

Apple is really the only larger player that has not only vocally supported privacy, but also actually done some things about it. A switch away from x86 to ARM could allow them to engineer their CPUs without these problems. Of course, I wonder whether they would...
