Linux Format 225 (Sampler)


This issue: Intel engine trouble, Canonical floats, SUSE’s number’s up, MP3 freed!

Hardware

Intel’s vulnerability engine plugged

A seven-year-old vulnerability has been found in Intel’s Management Engine, and millions of Intel chips could be affected. Is free and open hardware the answer?

Since 2010, millions of Intel chips have been sold with a security flaw in their Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware, which could enable malicious users to gain remote control of the AMT features, potentially providing a backdoor to millions of PCs around the world.

The security vulnerability is part of Intel’s vPro features, which work in tandem with AMT, and potentially gives unauthorised access to users, who can then gain direct access to a PC’s network hardware. Crucially, this vulnerability affects the management engine, which is essentially a separate computer within your computer that’s used to verify and supervise the main PC. With that compromised, attackers could install and launch malware that’s very difficult to detect and remove.

While many consumer PCs that run Intel hardware won’t usually have AMT enabled by default, you should still check to see if your system is vulnerable. Intel has released a guide that can help you find out at https://downloadcenter.intel.com/download/26755.

An Intel spokesperson told The Register that “Consumer PCs are not impacted by this vulnerability. We’re not aware of any exploitation of this vulnerability. We’ve implemented and validated a firmware update to address the problem, and we’re cooperating with manufacturers to make it available to end-users as soon as possible.”

6     LXF225 July 2017

As Boing Boing writer Cory Doctorow says in a scathing editorial, Intel’s ‘war on general purpose computing’ has put all of us at risk. This ‘war’ is due to the management engine being able to restrict various software and tools being run on PCs, creating a walled garden such as the one found on Apple’s iOS mobile operating system.

By putting your PC under the protection of a secondary computer that’s difficult to access, control and update, you have to be sure that this secondary computer is totally flawless with zero vulnerabilities. Of course, many people feared that Intel’s ME system was never going to be completely safe, and with this newly found vulnerability, those fears have been realised. Once that secondary system has been compromised, you won’t know what it is doing, nor will you be able to stop it sending instructions to the main system. Annoyingly, Intel has made it almost impossible to disable the ME.

Intel’s insistence on a Management Engine has brought security vulnerabilities.

So what can be done to prevent this happening again? If one part of Intel’s management engine has been compromised, other parts may be vulnerable as well. Doctorow suggests Intel rectifies its mistakes by providing documentation for the software modules that come preinstalled in MEs, allowing customers to audit ME code to check for vulnerabilities, and offering an official way to disable the ME, or at least providing a minimal, community-auditable ME firmware image. Essentially, Intel should open up and allow customers access to the secondary computer that runs on their computers. Until that’s done, we advise disabling AMT and vPro, or ditching any Intel products that do not let you do so.

Thankfully, open source hardware provides a secure alternative. Recently the SiFive U500 platform was released (www.sifive.com/documentation/freedom-soc/freedom-u500platform-brief). This is a range of customisable RISC-V systems on chips, which are now supported by GNU GCC. By providing an open-source architecture, RISC-V chips such as those in the U500 family offer an alternative to proprietary chips provided by Intel, AMD and ARM, which means users are unlikely to find any hidden surprises – and if they do then the community can at least fix them.

