Intel Processor Management Engine Could Be Susceptible To Undetectable Rootkit Attacks

It has been suggested that the microprocessors we use each and every day could pack in a bit more than we bargained for; namely, the tools needed for spying or undetectable access. And unfortunately, according to security researcher and developer Damien Zammit, there's a potential reason to be concerned over the "ME" or Management Engine module found in all Intel chipsets manufactured after the Core 2 era.

If you've built your own Intel-based PC in recent years, or have at least reinstalled the OS and needed to install all of the drivers on your own, you've probably noticed a piece of software called "Intel Management Engine". What this corresponds to is a feature in modern Intel chipsets that comes in the form of an actual processing engine nestled inside the overall chipset (you can see it listed in the Z170 diagram below). It's designed to be effectively invisible to the host PC, and be only accessible through Ethernet or via the internet. It is essentially an autonomous processor for system management. 

As its name suggests, Intel's ME is designed to let someone (or an organization) access and manage a PC without being at the PC. It affords the system something called Intel AMT (Active Management Technology) that gives the ME access to memory, and TCP/IP communication on any connected network, "bypassing any firewall," so the system can be remotely managed. That's a great feature, especially for enterprise admins but Zammit suggests that the ME's implementation is flawed, as we'd never be able to tell if its firmware has been compromised. While the ME chip is situated inside of the motherboard chipset, the system simply won't be able to directly interact with it. The suggestion he's making here is that, even if you had microcode to patch the ME chip's firmware (in the event of an exploit), it would be impossible for your computer to use it.

However, according to Zammit, the ME chip is a 32-bit ARC processor located behind a door locked with RSA 2048 encryption. That would mean that it should be impossible to get at the ME and modify it with custom firmware (eg: a rootkit or other malware), but as we've seen proven time and time again, encryption isn't always invincible. If there's a flaw or other vulnerability, it can eventually be found and exploited.

The threat is this: if someone somehow managed to break through Intel's ME protections and released a rootkit into the wild, every single Intel-based PC produced over the past handful of years would be considered vulnerable, and there'd be no way to protect ourselves from it. Remember, the ME chip is supposed to be as invisible to the main system as possible, so Intel may not be able to simply release a patch that could be applied to the ME firmware. Zammit alludes to the fact that researchers have been able to break into the ME and gain control, pointing to a YouTube video demonstrating it circa 2014. 

We should stress at this point that the Zammit's article makes a lot of assumptions that can't be easily verified. For one, if Intel has the ME's secrets locked away, who's to say they can't access or update it somehow? At this point we're hoping that Intel will be transparent and offer their insight on this report. We've reached out to Intel ourselves, and await a response.