​Computer vendors start disabling Intel Management Engine

More security news
NSA employee pleads guilty after stolen classified data landed in Russian hands
Security warning: Don’t use Russian antivirus on secret government systems, says cyber-agency
Security: Making yourself a hard target for hackers is easier than you think
Forgotten password? Samsung’s future phones could retrieve it using your palm
Video: AMD and Intel – Frenemies aligned vs Nvidia
Hidden inside your Intel-based computer is a mystery program called Management Engine (ME). It, along with Trusted Execution Engine (TXE) and Server Platform Services (SPS), can be used to remotely manage your computer. We know little about Intel ME, except it’s based on the Minix operating system and, oh yes, ME is very insecure. Because of this, three computers vendors — Linux-specific OEMs System76 and Purism and top-tier PC builder Dell — have decided to offer computers with disabled ME.
These ME security holes impact millions of computers. ME supports Intel’s Active Management Technology (AMT). This is a powerful tool that allows admins to remotely run computers, even when the device is not booted. Let me repeat that: If your PC has power, even if it’s not running, it can be attacked. If an attacker successfully exploits these holes, the attacker can run malware that’s totally invisible to the operating system.
Most, but not all, of ME’s vulnerabilities require physical access for someone to exploit. Another would valid requite administrative credential for remote exploitation. Still, it’s worrisome.
智能穿戴设备的安全议题探讨及建议
Intel has released a detection tool so Linux and Windows users can detect if their machine is vulnerable. The company also has a page that provides links to support pages from each vendor, as they confirm vulnerable machines.
Intel has admitted that the following CPUs are vulnerable:6th, 7th, and 8th generation Intel Core Processor FamilyIntel Xeon Processor E3-1200 v5 and v6 Product FamilyIntel Xeon Processor Scalable FamilyIntel Xeon Processor W FamilyIntel Atom C3000 Processor FamilyApollo Lake Intel Atom Processor E3900 seriesApollo Lake Intel Pentium ProcessorsIntel Celeron G, N, and J series ProcessorsThere are firmware patches either available now or on the way for most of these chips. The delivery of these patches is in the hands of hardware vendors.
There is, of course, also the possibility of more security holes being found in these chips. That’s why some vendors are walking away from Intel ME.
First, the well-respected Linux PC maker System76 announced it was releasing an open-source program to “automatically deliver firmware to System76 laptops similar to the way software is currently delivered through the operating system.” This program will “automatically deliver updated firmware with a disabled ME on Intel 6th, 7th, and 8th Gen laptops.”
This program will only work on laptops running Ubuntu 16.04 LTS, Ubuntu 17.04, Ubuntu 17.10, Pop!_OS 17.10, or an Ubuntu derivative and have the System76 driver installed to receive the latest firmware.
System76 is also working on a shell command tool, which will upload this firmware to other laptops running other versions of Linux. System76 desktops customers will receive updated firmware, which fixes the known security bugs but doesn’t ME.
Earlier, Purism announced it would disable ME on its laptops running the open-source coreboot chip firmware. This was not a trivial task. Purism’s developers had to jump through multiple hoops to knock out ME without stopping Wi-Fi at the same time.
Dell, in the meantime, is working on both delivering patched Intel ME firmware for its computers and offering three business devices with ME made inoperable. These include the Latitude 14 Rugged laptop, Latitude 15 E5570 laptop, and Latitude 12 Rugged tablet. To get one without ME, you must order them configured with an “Intel vPro – ME Inoperable, Custom Order” option. This will cost you an additional $20.92.
Intel does not recommend these options. In a statement, an Intel spokesperson said, “The ME provides important functionality our users care about, including features such as secure boot, two-factor authentication, system recovery, and enterprise device management. Since the described configuration necessarily removes functionality required in most mainstream products, Intel does not support such configurations.”
Is it worth it? Well, if I was concerned about security, I wouldn’t want my hardware running a set of black box programs on a mystery operating system that’s operated beneath any level of local control. But, hey, that’s just me. That said, since Intel won’t support these configurations, your company may not want to chance using them.
The ideal solution would be for Intel to open-source its programs and its customized Minix so sysadmins could know exactly what it is that’s running on their PCs, tablets, and servers. I don’t think that’s too much to ask for.
Failing that, Intel should give vendors and customers an easy option to disable these chip-level programs.
远程接入用户大量采用双因素身份验证,终端量大,终端安全工作繁重,而且难免有漏网之鱼,而使用VPN接入的往往都是处理关键的核心业务,终端被攻击,VPN仅信赖帐户和密码认证显然不够充分,应该考虑搭配多因子身份验证措施。

UPDATED: With Intel comments.Related stories:Intel ME bug storm: Is your machine among 100s just named by Acer, Dell, HP, Lenovo?Intel: We’ve found severe bugs in secretive Management Engine, affecting millionsMINIX: Intel’s hidden in-chip operating system
Related Topics:
Dell
Security TV
Data Management
公司应该加强信息系统病毒防护工作,集中进行防病毒产品的选型测试和部署实施,及时更新防病毒软件和病毒代码,发现病毒或异常情况及时处理。

猜您喜欢

澳门银座分分彩计划:日本木县雪崩事故原因查明:组织者危机管理欠缺
金融保险行业信息安全意识视频培训
网络安全法在线讲解-《网络安全法》的突出亮点 https://v.qq.com/x/page/u0514qmyllg.html
4日视频直播火箭vs湖人 保罗给球哥好好上一课?
MTNLMUMBAI DELANTICUARIO
防范军事间谍活动