Fighting remote control: how to disable Intel ME
Intel ME (or AMT, Active Management Technology) is one of the most mysterious and powerful components of modern x86 platforms. It was originally created as a remote administration tool. However, its functionality is so powerful, and so far beyond the control of users of Intel-based devices, that many of them would like to disable this technology, which is not easy to do.
At the recent Positive Hack Days VI forum in Moscow on May 17 and 18, Positive Technologies researchers Maxim Goryachiy and Mark Yermolov presented several techniques for turning off Intel ME, accompanied by a video demonstration of the process.
What it is and why it needs to be disabled
The Intel Management Engine (ME) subsystem is an additional "hidden" processor present in all devices based on Intel chipsets (not only PCs and laptops, but servers as well). The ME execution environment never "sleeps": it keeps working even when the computer is turned off (as long as standby power is available), and it has access to RAM, the network interface, the USB controller and the integrated graphics adapter.
Despite such extensive capabilities, there are open questions about ME's level of security: researchers have previously found serious vulnerabilities and attack vectors in it. In addition, the subsystem contains potentially dangerous functions: remote control, NFC, and a hidden service partition. The ME subsystem's interfaces are undocumented, and its implementation is closed.
All of this leads many to regard ME as a "hardware backdoor." The situation is aggravated by the fact that, on the one hand, the device's user has no way to disable this functionality, and on the other hand, the equipment manufacturer may make mistakes in the ME configuration.
The good news is that there are still ways to disable ME.
Techniques for disabling Intel ME
At the Positive Hack Days VI forum in Moscow, Positive Technologies researchers Maxim Goryachiy and Mark Yermolov presented a talk on disabling Intel ME. They described several techniques for turning off this subsystem:
Forcing an ME initialization failure;
Via the ME firmware update mechanism;
Undocumented commands;
An undocumented mechanism intended for hardware manufacturers: Manufacture Mode.
The researchers found that hardware platform manufacturers often forget to turn off Manufacture Mode, which allows the last technique to be applied to a large number of computers at no additional cost, in "real time."
Most of the shutdown methods rely on built-in ME mechanisms intended for vendors of devices on the Intel platform. All of them are described in detail in the presentation, which is published on GitHub. A demo video of disabling ME is linked below:
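Since the Manufacture Mode problem above is a misconfiguration a defender can check for, here is an added example (not code from the post or from the researchers) that decodes the ME's HFSTS1 status register and reports whether Manufacture Mode is still enabled. It assumes the publicly known bit layout from coreboot's me.h (struct me_hfs) and that the Linux mei driver exposes the registers in /sys/class/mei/mei0/fw_status as one 32-bit hex word per line; the sample register value is constructed.

```python
"""Decode the Intel ME HFSTS1 status register and flag Manufacture Mode.

Assumptions: bit layout as in coreboot's me.h (struct me_hfs); the Linux
mei driver exposes the registers in /sys/class/mei/mei0/fw_status as one
32-bit hex word per line, HFSTS1 first.
"""
from pathlib import Path

FW_STATUS_PATH = Path("/sys/class/mei/mei0/fw_status")  # assumed sysfs location

WORKING_STATE = {0: "reset", 1: "initializing", 2: "recovery", 5: "normal"}
OPERATION_MODE = {
    0: "normal",
    2: "debug",
    3: "soft temporary disable",
    4: "security override via jumper",
    5: "security override via MEI message",
}


def decode_hfsts1(value: int) -> dict:
    """Split a 32-bit HFSTS1 word into the fields relevant to ME state."""
    op_mode = (value >> 16) & 0xF
    return {
        "working_state": WORKING_STATE.get(value & 0xF, f"unknown({value & 0xF})"),
        "manufacturing_mode": bool((value >> 4) & 1),  # bit 4: Manufacture Mode still on
        "fpt_bad": bool((value >> 5) & 1),             # bit 5: flash partition table bad
        "fw_init_complete": bool((value >> 9) & 1),    # bit 9: firmware init finished
        "error_code": (value >> 12) & 0xF,             # bits 12..15
        "operation_mode": OPERATION_MODE.get(op_mode, f"unknown({op_mode})"),  # bits 16..19
    }


def parse_fw_status(text: str) -> list:
    """Turn the fw_status text (one hex word per line) into integers."""
    return [int(word, 16) for word in text.split()]


def manufacturing_mode_enabled(text: str) -> bool:
    """True if HFSTS1 (the first register) reports Manufacture Mode enabled."""
    return decode_hfsts1(parse_fw_status(text)[0])["manufacturing_mode"]


# Constructed sample: ME in normal working state with Manufacture Mode left on (bit 4 set).
SAMPLE_FW_STATUS = "94000255\n00000000\n00000000\n"

if __name__ == "__main__":
    text = FW_STATUS_PATH.read_text() if FW_STATUS_PATH.exists() else SAMPLE_FW_STATUS
    for name, field in decode_hfsts1(parse_fw_status(text)[0]).items():
        print(f"{name}: {field}")
```

A machine whose HFSTS1 shows manufacturing_mode True after shipping is exactly the case the researchers describe, and the operation_mode field shows which of the vendor-intended override modes the ME currently reports.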
Nevertheless, a reasonable question arises: does ME really stop working completely when its built-in shutdown mechanisms are used? As proof that ME is actually switched off, the researchers give the following argument. ME operates in two memory-usage modes: SRAM only (the SRAM embedded in ME) and SRAM + UMA. UMA is the part of host memory that ME uses as swap space. After the host initializes the DRAM controller, ME always switches to SRAM + UMA mode.
Thus, if ME is really turned off, then cutting off its access to UMA memory at an arbitrary moment (via the Vm channel) will not cause hardware failures in ME due to the absence of data and code that were swapped out to UMA (such hardware failures trigger an emergency power-off of the platform's main hardware components). On the other hand, using these methods enables DoS attacks on AMT where it is used for remote control.
The video of the talk is published on the PHDays website; look in the list for the talk entitled "How to Become the PC Owner."