Intel Management Engine (ME) - Is it a Qubes risk?

I’ve seen quite a bit on the IME, but since it is not possible to update IME on anything other than a Windows OS, is it a functioning security risk to Qubes, or any Linux-based system?

What do you mean by “functioning security risk” @quantum ?

Do you mean a risk that Qubes OS will stop functioning? If so, that risk is in all likeliness negligible.

If you mean a risk to the security of your OS, then the risk depends on your threat model (what do you need to protect, from whom, what are the consequences if you fail…), so only you can accurately evaluate it.

That being said, if you want to share some of that threat model, then folks might be able to help you with the evaluation.

Even with full knowledge of someone’s threat model, if one is ignorant of what IME does and what kind of backdoor it has, you still can’t evaluate this.

I may be wrong but I get the impression that @quantum was missing that knowledge. “What can IME do”, not “does what IME does constitute a problem for me?”


By “functioning” I mean that it is clearly set up for a Windows-only OS. And since Linux is excluded from performing any IME updates, does that mean it is not functioning much, if at all, in a Linux environment?

I’ve seen lots of speculation, but nothing definitive for Linux. Does such information exist?

There is supposed to be a hidden UDP port allocated that your system will not even see arrive at your network card. I don’t remember what port that is off the top of my head, but sending a network packet to that port will not be seen by tcpdump but will instead be handled by the IME engine if it’s there.

If you want to be sure, at least as much as you can with any enigma, then try fuzzing that port from an external source. Throw anything and everything at that port and if nothing happens (e.g. system crash) then it’s not likely to be a vulnerability. If the kitchen sink does not cause any issues then I would not lose any sleep over it.

To mitigate, flashing an open source BIOS is a good first step, and for some systems there are ways to lobotomize IME by deactivating portions of it. But beware, you run a chance of bricking your system. The same code that supports IME is also responsible for initialization of your hardware, flashing your BIOS, and starting the bootstrap process, so playing with this internal code is extremely dangerous and even the most elite software engineers/security professionals have totally failed to find a way to completely remove IME. It’s essentially a Minix kernel running beneath your hardware system and is very complex.

I figured “functioning security risk” to mean, will it still provide a back door to Linux/Qubes. Sadly, I believe the answer is yes. As @slcoleman said, it’s a separate CPU running its own operating system with both network access and hardware-level access to your main system, and can’t be removed without bricking the system. It will continue to perform its tasks regardless of what operating system or BIOS you install.
The only difference between Windows and Linux, as far as it’s concerned, is that Windows has a driver to trigger IME actions locally.

One other relevant distinction is that Intel requires additional money for licensing before any of the IME features are enabled. This of course doesn’t mean that an adversary could not find a way to enable it for you, but that as far as I know this has never been seen in the wild. I have not actually heard of any three-letter agency being able to tap into such a vulnerability, but if there is one, then fuzzing that port is the one way to find it and has never been reported by any security researcher. This would be all over the news if one were found. Otherwise physical access would likely be required, but if someone gains physical access then IME is the least of your concerns.

Thank you slcoleman & aholden for your quick responses!

I didn’t know about the hidden UDP port(s) and need to dig into that some more. That is a concern.

On the plus side (?), cost cutting at every level has pushed some of us to purchase our own surveillance devices, e.g., Amazon Alexa, Apple Siri, etc., so maybe we’ll luck out with freeware like Linux.

Yes, it’s closed source, could be used as a backdoor to your OS.

That is dependent on your threat model.