Intel has incorporated a System on a Chip (SOC) known as the Intel Management Engine. The Intel Management Engine acts as a computer that sits on top of the microprocessor and is connected to the U.S. government’s High Assurance Platform (HAP) program, that has long been suspected as a key tool used by our government’s intelligence collection capabilities. I presented on this topic on April 28th, 2017 at the Illinois Institute of Technology’s Forensecure Conference and detailed my research findings that the Intel processor chip had a backdoor vulnerability. Days later, Intel reversed earlier denials about the security of their processor later admitting the vulnerability that allows for a remote attacker to take complete control over a device. They qualified that statement at the time to say it only impacted commercial platforms, however I don’t believe that is fully accurate.
Intel incorporated cellular technology on the processor to allow for slick “features” such as recovery of stolen devices, remote servicing of computers even if they are turned off, plus many other “features”. Unfortunately, this platform is now being exploited by rogue attackers.
Researchers with PT Security performed firmware level forensics and analysis and located the bit that can turn off the HAP features.
In order for someone to turn off this hidden subsystem that is vulnerable to attack, it is necessary to alter the kill bit to disable HAP. It is believed that the NSA pressed Intel to integrate such a function so that important national security platforms could have this side channel attack vector turned off. The HAP program appears to allow monitoring of computers cross platform and even includes embedded systems according to this published NSA Presentation.
PT Security found references in the chip stored firmware revealing the apparent kill bit. They had to use a SPI Chip Reader / Programmer in order to dump and examine the firmware stored on the Intel Chip in order to locate the following code.
<LayoutEntry name="reserve_hap" type="bitfield32" value="0x0" offset="0x0" bitfield_high="16" bitfield_low="16" /> <!-- High Assurance Platform (HAP) enable -->
After PT Security discovered this section of code in the dump firmware, they approached Intel about this finding to which Intel replied, “In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s “High Assurance Platform” program. These modifications underwent a limited validation cycle and are not an officially supported configuration.”
Unfortunately, reprogramming microchips on computer motherboards is beyond the scope of most IT Departments. Hopefully Intel will release software that enables businesses to turn off these “features” that are likely responsible for many data breaches occurring today to corporations.
More details on the recent disclosure can be found at http://www.csoonline.com/article/3220476/security/researchers-say-now-you-too-can-disable-intel-me-backdoor-thanks-to-the-nsa.html