Positive Technologies (PT), a Russian security company that has discovered multiple bugs in Intel’s Management Engine (ME) over the last couple of years, this week revealed more details about Intel’s “Manufacturing Mode” for ME, saying it can expose users to remote hacking. This is the second undocumented mode in Intel ME that PT has found in recent years.
Intel ME Manufacturing Mode
According to PT, Intel’s Manufacturing Mode in its processors is intended for configuration and testing of chips during manufacturing. The mode is expected to be disabled before shipping for the same reason software's debugging mode is disabled before shipping: you don’t want hackers to gain easy access to it.
However, PT said that if the Manufacturing Mode in Intel ME is not disabled in the final product, average customers are not able to disable it because they wouldn't know about it naturally (since it's undocumented) and because the tools that can do that are not officially available. Because of that, no current software, including Chipsec, which can normally tell you about processor configuration errors at the UEFI firmware level, can see whether or not the Manufacturing Mode is disabled.
What Does Manufacturing Mode Do?
Manufacturing Mode allows for the configuration of critical platform settings, such as those for BootGuard, a technology available with Intel’s chips that can verify the boot process. These settings are stored in one-time-programmable memory (FUSEs), and some of them are called Field Programmable Fuses (FPFs).
...
...
...