Intel Management Engine, Explained: The Tiny Computer Inside Your CPU

The Intel Management Engine has been included on Intel chipsets since 2008. It’s basically a tiny computer-within-a-computer, with full access to your PC’s memory, display, network, and input devices. It runs code written by Intel, and Intel hasn’t shared a lot of information about its inner workings.


This software, also called Intel ME, has popped up in the news because of security holes Intel announced on November 20, 2017. You should patch your system if it’s vulnerable. This software’s deep system access and presence on every modern system with an Intel processor means it’s a juicy target for attackers.


What Is Intel ME?

So what is the Intel Management Engine, anyway? Intel provides some general information, but they avoid explaining most of the specific tasks the Intel Management Engine performs and precisely how it works.

As Intel puts it, the Management Engine is “a small, low-power computer subsystem”. It “performs various tasks while the system is in sleep, during the boot process, and when your system is running”.

In other words, this is a parallel operating system running on an isolated chip, but with access to your PC’s hardware. It runs when your computer is asleep, while it’s booting up, and while your operating system is running. It has full access to your system hardware, including your system memory, the contents of your display, keyboard input, and even the network.

We now know that the Intel Management Engine runs a MINIX operating system. Beyond that, the precise software that runs inside the Intel Management Engine is unknown. It’s a little black box, and only Intel knows exactly what’s inside.

What Is Intel Active Management Technology (AMT)?

Aside from various low-level functions, the Intel Management Engine includes Intel Active Management Technology. AMT is a remote management solution for servers, desktops, laptops, and tablets with Intel processors. It’s intended for large organizations, not home users. It’s not enabled by default, so it isn’t really a “backdoor”, as some people have called it.

AMT can be used to remotely power on, configure, control, or wipe computers with Intel processors. Unlike typical management solutions, this works even if the computer isn’t running an operating system. Intel AMT runs as part of the Intel Management Engine, so organizations can remotely manage systems without a working Windows operating system.

In May 2017, Intel announced a remote exploit in AMT that would allow attackers to access AMT on a computer without providing the necessary password. However, this would only affect people that went out of their way to enable Intel AMT—which, again, isn’t most home users. Only organizations who used AMT needed to worry about this problem and update their computers’ firmware.

This feature is just for PCs. While modern Macs with Intel CPUs do also have the Intel ME, they do not include Intel AMT.

Can You Disable It?


You can’t disable the Intel ME. Even if you disable Intel AMT features in your system’s BIOS, the Intel ME coprocessor and software is still active and running. At this point, it’s included on all systems with Intel CPUs and Intel provides no way to disable it.


While Intel provides no way to disable the Intel ME, other people have experimented with disabling it. It isn’t as simple as flicking a switch, though. Enterprising hackers have managed to disable the Intel ME with quite some effort, and Purism now offers laptops (based on older Intel hardware) with the Intel Management Engine disabled by default. Intel likely isn’t happy about these efforts, and will make it even more difficult to disable the Intel ME in the future.

But, for the average user, disabling the Intel ME is basically impossible—and that’s by design.

Why the Secrecy?

Intel doesn’t want its competitors to know the exact workings of the Management Engine software. Intel also seems to be embracing “security by obscurity” here, attempting to make it more difficult for attackers to learn about and find holes in the Intel ME software. However, as the recent security holes have shown, security by obscurity is no guaranteed solution.

This isn’t any sort of spying or monitoring software—unless an organization has enabled AMT and is using it to monitor their own PCs. If Intel’s Management Engine was contacting the network in other situations, we’d likely have heard of it thanks to tools like Wireshark, which allow people to monitor traffic on a network.

However, the presence of software like Intel ME that can’t be disabled and is closed source is certainly a security concern. It’s another avenue for attack, and we’ve already seen security holes in Intel ME.
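
As an added example (not from the original article), the network monitoring mentioned above can be pointed at AMT itself: this Python example flags TCP flows to the IANA-registered AMT ports in a flow export. The port list, CSV layout, sample records and approved-console set are assumptions constructed for illustration; the capture is assumed to come from a switch mirror port or gateway, since AMT traffic is handled by the ME rather than the host operating system.

```python
import csv
import io
from collections import defaultdict

# IANA-registered Intel AMT service ports (not listed in the original article).
AMT_PORTS = {
    16992: "amt-soap-http",
    16993: "amt-soap-https",
    16994: "amt-redir-tcp",
    16995: "amt-redir-tls",
}

# Constructed sample flow records using documentation address space.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport
2017-11-21T09:00:01,192.0.2.10,192.0.2.50,tcp,443
2017-11-21T09:00:07,192.0.2.99,192.0.2.50,tcp,16992
2017-11-21T09:00:09,192.0.2.99,192.0.2.50,tcp,16994
2017-11-21T09:01:30,192.0.2.10,192.0.2.51,tcp,16993
2017-11-21T09:02:00,192.0.2.10,192.0.2.52,udp,16992
2017-11-21T09:02:05,192.0.2.10,192.0.2.53,tcp,notaport
"""

def find_amt_traffic(flow_csv, approved_consoles=frozenset()):
    """Return {dst: [(ts, src, service, approved)]} for TCP flows to AMT ports."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "tcp":
            continue
        try:
            port = int(row["dport"])
        except ValueError:
            continue  # skip malformed records instead of aborting the audit
        if port in AMT_PORTS:
            approved = row["src"] in approved_consoles
            hits[row["dst"]].append((row["ts"], row["src"], AMT_PORTS[port], approved))
    return dict(hits)

def unapproved_sources(hits):
    """Sources that reached an AMT port without being an approved console."""
    return sorted({src for events in hits.values() for _, src, _, ok in events if not ok})

if __name__ == "__main__":
    found = find_amt_traffic(SAMPLE_FLOWS, approved_consoles={"192.0.2.10"})
    for host, events in found.items():
        print(host, events)
    print("unapproved sources:", unapproved_sources(found))
```

A host that shows up here has AMT answering on the network, which is worth confirming against the list of machines where the organization deliberately enabled it.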

Is Your Computer’s Intel ME Vulnerable?

On November 20, 2017, Intel announced serious security holes in Intel ME that had been discovered by third-party security researchers. These include both flaws that would allow an attacker with local access to run code with full system access, and remote attacks that would allow attackers with remote access to run code with full system access. It’s unclear just how hard they would be to exploit.

Intel offers a detection tool you can download and run to find out if your computer’s Intel ME is vulnerable, or whether it’s been fixed.

To use the tool, download the ZIP file for Windows, open it, and double-click the “DiscoveryTool.GUI” folder. Double-click the “Intel-SA-00086-GUI.exe” file to run it. Agree to the UAC prompt and you’ll be told whether your PC is vulnerable or not.


If your PC is vulnerable, you can only update the Intel ME by updating your computer’s UEFI firmware. Your computer’s manufacturer has to provide you with this update, so check the Support section of your manufacturer’s website to see if there are any UEFI or BIOS updates available.

Intel also provides a support page with links to information about updates provided by different PC manufacturers, and they’re keeping it updated as manufacturers release support information.


AMD systems have something similar named AMD TrustZone, which runs on a dedicated ARM processor.

