Is the Intel Management Engine a backdoor?
Is Intel's Management Engine a backdoor for security groups
and hackers, or just a feature created to aid businesses?
Jack Wallen dives in and draws his conclusions.
By Jack Wallen | July 1, 2016, 7:09 AM PST
Various sources report that Intel's latest x86 chips contain
a secret backdoor. SoftPedia cites security expert Damien
Zammit as revealing that these Intel chips come with an
embedded subsystem called the Management Engine (ME) that
functions as a separate CPU and cannot be disabled, and the
code is proprietary.
According to Intel, the ME is in place so enterprise
businesses can manage computers remotely via Active
Management Technology (AMT). AMT runs completely isolated
from any operating system installed on the PC.
It gets creepier.
According to Zammit, the ME:
has full access to memory (without the parent CPU having
has full access to the TCP/IP stack;
can send and receive network packets, even if the OS is
protected by a firewall;
is signed with an RSA 2048 key that cannot be
cannot be disabled on newer Intel Core2 CPUs.
Also, he says the health of the ME firmware cannot be
audited, and no one outside of Intel has seen the code for
Talk like this has been going around for a while. Back in
2014, Igor Skochinsky gave a presentation titled Intel ME
Secrets. In this presentation, Skochinsky staked the
the ME is a dedicated microcontroller on all recent
the first versions were included in the network card and
later moved into the chipset;
it shares flash with the BIOS but is completely
independent of the CPU;
it can be active when the system is hibernating or even
turned off; and
it has a dedicated connection to the network interface.
The fact that the ME can enable businesses to access
computers remotely (for free) is a useful service. But is
the ME a one-trick pony? Is that purpose only used by
businesses to access a desktop or server remotely?
My concerns about the claims
Although I do not doubt the validity of Skochinsky's claims,
I do question some of the claims that have been inspired by
his research, such as Starrynews calling for everyone to
immediately stop using Intel motherboards.
One claim that a lot of people are hitching their conspiracy
theories on is that the ME allows for access to a computer
even when the computer is powered off. Let's consider
this: Even if the ME firmware would allow someone entry to a
machine via an isolated TCP stack, what kind of information
could an intruder obtain if that machine is powered down?
Say, for instance, said machine used standard hard drives
(not Solid State Drives); how could anyone gain access to a
platter-based drive when the drive has no power to spin? And
because the ME is hardwired into the firmware, there's no
way to install anything or save instructions. For that
reason, gaining entry to a system would only give the
intruder access to what has been stored on RAM. But since
RAM is volatile memory, chances are, there'll be nothing
there. The biggest concern for this would be linked to a
However, the ME contains the AMT instructions, which can
function similarly to wake-on-LAN. That means if the right
person used the ME to gain access to a machine, they could
then take advantage of AMT and boot the machine. Voilà! Your
PC is now readily available for someone with the requisite
skills to pick and choose what they want--this could include
Good ol' BIOS
AMT is a feature of Intel vPro technology. On supporting
chipsets--Intel Centrino with vPro or Intel Core2 with
vPro--you can access AMT settings through the BIOS. The
caveat is you must know the default password to get into the
AMT settings. In most cases, that password will be admin;
you'll have to consult the manufacturer to find out if that
is the password. After successfully entering the AMT
settings on your BIOS, you can configure AMT to your liking
(find out more in this Radmin Knowledge Base piece).
The good news is that you can disable the AMT feature.
In the PC BIOS, go to Advance Chipset Feature | Intel
During boot, CTRL+P to go to AMT Menu | Intel ME Control
There is no way to know if the ME has the ability to
re-enable AMT on its own. Why? Because no one except Intel
knows what exactly it contains. So, you could disable AMT on
the machine and not know if the ME can circumvent that BIOS
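
One way to check from the network whether AMT is still answering after it has been disabled in the BIOS, as an added example that is not part of the original article. The port numbers are the IANA-registered Intel AMT and ASF-RMCP ports, which the article does not list; run it from a second machine against a computer you administer, because the article notes that the ME handles its traffic independently of the OS.

```python
import socket

# IANA-registered TCP ports used by Intel AMT (assumption: not from the article).
AMT_PORTS = {
    623: "ASF-RMCP / WS-Management",
    664: "ASF-RMCP secure",
    16992: "AMT web UI / SOAP over HTTP",
    16993: "AMT web UI / SOAP over HTTPS",
    16994: "AMT redirection (SOL/IDE-R) over TCP",
    16995: "AMT redirection (SOL/IDE-R) over TLS",
}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"      # host answered with a reset
    except OSError:
        return "filtered"    # timeout, unreachable, or dropped


def amt_listeners(host, ports=AMT_PORTS, timeout=2.0):
    """Map each port that accepts a TCP connection to its AMT role."""
    return {p: role for p, role in ports.items()
            if probe(host, p, timeout) == "open"}


def verdict(host, ports=AMT_PORTS, timeout=2.0):
    """One-line summary suitable for a change-verification log."""
    found = amt_listeners(host, ports, timeout)
    if found:
        return f"{host}: listener(s) on AMT ports {sorted(found)}, re-check the BIOS setting"
    return f"{host}: no listener on the AMT ports"


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:   # hosts you administer
        print(verdict(target))
```

An open port is an indicator rather than proof, since another service could be bound to the same number; repeating the check after firmware updates shows whether the setting has stayed in effect.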
The only secure computer is...
The only truly secure computer is the disconnected one. I
have made this claim for years, and I stand by it.
No matter what operating system you are using, and no matter
how good your admin skills are, if a computer is connected
to the internet, it is not secure. It used to be that you
could argue powering down the computer would supersede the
need for disconnecting a machine from the internet. Now with
the Intel ME on board, I can't be so sure of that.
Is this a backdoor?
I tend to lean toward the paranoid, though on a professional
level, I don't believe that Intel created the ME with
malicious intent. Intel could have created the ME with the
NSA in mind, but I don't necessarily follow that conspiracy.
Even so, the question is still very relevant and deserves an
Is the Intel ME a backdoor? Yes, of course it is. By its
very definition (from Wikipedia):
A backdoor is a method, often secret, of bypassing
normal authentication in a product, computer system,
cryptosystem or algorithm etc. Backdoors are often used for
securing unauthorized remote access to a computer, or
obtaining access to plaintext in cryptographic systems.
Intel's statement about ME
When asked about the possibility of the ME being a backdoor,
Intel CTO Steve Grobman wrote on the Intel Security blog:
"First, we want to be very clear. Intel takes the
integrity of its products very seriously. Intel does not put
back doors in its products nor do our products give Intel
control or access to computing systems without the explicit
permission of the end user. In short, Intel does not
participate in efforts to decrease security in technology."
He expanded on the issue with:
"The design of Intel ME incorporates established
industry standards and security best-practices, and delivers
tremendous advantages to a variety of computing
environments. For example, Intel applies what is called the
"least privilege" principle, where users and administrators
only have the rights to get their job done. We apply this
principle into the design of our processors so each
component has the minimum - yet sufficient - privileges it
needs to perform a given task, mitigating the chances that
attackers could use privileges to access areas they
However, as we are all painfully aware, today's threat
landscape produces countless security challenges every year,
targeting systems in a variety of areas. Should an issue
arise after a product has shipped, Intel has architected its
products with the ability to receive security firmware
updates that can counter these issues in the field, allowing
for more rapid responses to new exploits and threats."
Although I am inclined to believe Intel, I know there will
be a very vocal group that insists Intel will never refute
the claims of a possible back door in the ME until the code
can be vetted.
Posted on RetroBBS II
Thanks for sharing. Not a big surprise, big corporations spying on you (or giving the infrastructure to the three letter agencies).
What to do about it, I wonder? Not use Intel anymore?
Posted on def.i2p
Yes! I've been watching hardware corruption since 94. All Intel 32 and 64 bits have back doors.
You can mitigate some things under some circumstances. You CAN'T mitigate RF beacon feature which you need physical presence to activate. It is used in Drone Strikes. Hope you are not on the list!
Posted on def.i2p
Almost forgot! There is also "corporate" hardware corruption.
Apple will commit suicide! Even when you select in the beginning "This computer does not connect to the Internet" you can see they try with a spectrum analyzer. Had a few burn on me!
For Chrome OS and Android we would take bets on how long Google would try to connect if removed. Between 14-68 seconds! The good news is that they do not commit suicide!
The consumer hardware corruption is worse than ever. Corruption breeds mediocrity and eventually things start falling apart.
I'm not aware of hardware corruption in the medical machines and 70 percent of industrial machines are clean.
I'm not directly familiar with military or spy crap but the word around the campfire is 60 percent clean... Of course nukes are on 1992 hardware which is clean! The Japs are recycling pre 2000 hardware like crazy...
etc..etc..etc Posted on def.i2p