Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys


Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys

Re: https://firmwaresecurity.com/2018/09/12/intel-releases-17-security-advisories/ and



Intel ME JTAG PoC for INTEL-SA-00086

Vulnerability INTEL-SA-00086 allows to activate JTAG for Intel Management Engine core. We developed our JTAG PoC for the Gigabyte Brix GP-BPCE-3350C platform. Although we recommend that would-be researchers use the same platform, other manufacturers’ platforms with the Intel Apollo Lake chipset should support the PoC as well (for TXE version[…]



Apple fixed firmware vulnerability found by Positive Technologies

June 14, 2018
The vulnerability allowed exploiting a critical flaw in Intel Management Engine and still can be present in equipment of vendors that use Intel processors. Apple released an update for macOS High Sierra 10.13.4, which fixes the firmware vulnerability CVE-2018-4251 found by Positive Technologies experts Maxim Goryachy and Mark Ermolov. For more details, see Apple Support.[…]


PT Security: new Intel ME research


Click to access Intel%20ME%20Security%20keys%20Genealogy%2C%20Obfuscation%20and%20other%20Magic.pdf

PTSecurity: how to run code in Intel ME

Thursday, January 18, 2018
How to hack a disabled computer or run code in Intel ME
At the recent Black Hat Europe conference, Positive Technologies researchers Mark Ermolov and Maxim Goryachy spoke about the vulnerability in Intel Management Engine 11 , which opens up access to most of the data and processes on the device. This level of access also means that any attacker exploiting this vulnerability, bypassing traditional software-based protection, will be able to conduct attacks even when the computer is turned off. Today we publish in our blog the details of the study.[…]




Tanenbaum responds to Intel about Minix-based ME

Intel ME running Minix is in the news again…

An Open Letter to Intel

[…]I knew that Intel had some potential interest in MINIX 3 several years ago when one of your engineering teams contacted me about some secret internal project and asked a large number of technical questions about MINIX 3, which I was happy to answer. I got another clue when your engineers began asking me to make a number of changes to MINIX 3, for example, making the memory footprint smaller and adding #ifdefs around pieces of code so they could be statically disabled by setting flags in the main configuration file.[…]

Yours truly,
Andrew S. Tanenbaum





Where there’s a JTAG, there’s a way: obtaining full system access via USB

Maxim Goryachy and Mark Ermolov
Everyone makes mistakes. These words are certainly true for developers involved in low-level coding, where such common tools as print debugging and software debuggers run into limits. To solve this problem, hardware developers use in-circuit emulators or, if available on the target platform, the JTAG debugging interface (IEEE1149.1 [1]). Such debugging mechanisms first appeared in the 1980s [2]. Over time, microchip vendors extended the functionality of these interfaces. This allowed developers to obtain detailed information on power consumption, find bottlenecks in high-performance algorithms, and perform many other useful tasks. Hardware debugging tools are also of interest to security researchers. These tools grant low-level system access and bypass important security protections, making it easier for researchers to study a platform’s behavior and undocumented features. Unsurprisingly, these abilities have attracted the attention of intelligence services as well.[…]

Click to access Where-theres-a-JTAG-theres-a-way.pdf


ME_Cleaner updated to set HAP bit

UNTESTED: Set the HAP bit:
Positive Technologies discovered the presence of an undocumented HAP bit in the PCHSTRP0 field of the descriptor which, when set to 1, disables completely Intel ME just after the initialization. This is confirmed both by an analysis of the status of Intel ME after the setting of the bit and by reverse engineering the BUP module.





PTSecurity on Intel ME

Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government’s High Assurance Platform (HAP) program.

Disclaimer: The methods described here are risky and may damage or destroy your computer. We take no responsibility for any attempts inspired by our work and do not guarantee the operability of anything. For those who are aware of the risks and decide to experiment anyway, we recommend using an SPI programmer.[…]




PTSecurity on Disabling Intel Management Engine

N3mes1s points out an article from Maxim Goryachy and Mark Ermolov of PTSecurity, on disabling the Intel Management Engine (ME).


Click to access How%20to%20become%20the%20sole%20owner%20of%20your%20PC.pdf