Researchers Discover Kill Switch for Intel ME

Back in May, we reported the worrying discovery that a technology exclusive to Intel CPUs leaves processors open to remote rootkit attack. In fact, the original story dates back over a year. The problem is with Intel’s Management Engine (ME) technology, which allows administrators remote access key PC functions. Notably, every Intel processor released since 2008 features ME. Thankfully, though, researchers found a method of partially disabling Intel ME.

The Problem with Intel ME

Intel ME allows remote access to a PC’s operating system, hard drive, boot state, and power state. It can even bypass some system encryptions. However, SemiAccurate’s Charlie Demerjian reported in May:

“The problem is quite simple, the ME controls the network ports and has DMA access to the system. It can arbitrarily read and write to any memory or storage on the system, can bypass disk encryption once it is unlocked […] read and write to the screen, and do all of this completely unlogged. Due to the network access abilities, it can also send whatever it finds out to wherever it wants, encrypted or not.”

Though Intel did issue security patches to protect ME, it did not remove the technology.

Intel ME Kill Switch

While ME remains present in Intel processors, it remains a potential point of vulnerability. However, researchers from Moscow-based Positive Technologies found a way to close this particular backdoor, at least partially. An unofficial workaround, dubbed ME Cleaner, disables much of ME’s capabilities, without removing the technology entirely. It works by setting the undocumented HAP bit to 1 in a configuration file. ME Cleaner is available on Github.