Some hardware vendors are reacting to the recent revelation that some of Intel’s core CPU technology is riddled with security holes.
At the time of writing, three laptop and computer vendors have started offering a way to buy products without Intel ME (Management Engine), or have said they’ll deliver firmware updates that disable the technology.
Intel Management Engine is a technology that is often described as a secret operating system inside the main Intel CPU. The ME component runs independently from the user’s main OS, with separate processes, threads, memory manager, hardware bus driver, file system, and many other components. An attacker who exploits a flaw and gains control over the Intel ME has unfettered control over the entire computer. In November, Intel issued a security alert for several flaws affecting ME and other core Intel CPU technologies.
The first company to announce a decision on Intel ME was Purism, a company that describes itself as a freedom-respecting computer manufacturer.
What’s surprising is that Purism took this step in October, almost a month before Intel published its security advisory about the Intel ME flaws.
It appears that the company took this decision just because someone else found a way to disable Intel ME and Purism decided to use it and improve its customers’ privacy.
“Disabling the Management Engine is no easy task, and it has taken security researchers years to find a way to properly and verifiably disable it,” the company explained in a blog post. “The Librem 13 and Librem 15 products can be purchased today and will arrive with the Management Engine disabled by default.”
The second company that took a similar step was System76, a seller of custom Linux PC rigs. In a blog post this week, the company explains its decision and puts forward the following rollout plan:
System76 will automatically deliver updated firmware with a disabled ME on Intel 6th, 7th, and 8th Gen laptops. The ME provides no functionality for System76 laptop customers and is safe to disable.
The rollout will occur over time and customers will be notified by email prior to delivery.
You must run Ubuntu 16.04 LTS, Ubuntu 17.04, Ubuntu 17.10, Pop!_OS 17.10, or an Ubuntu derivative and have the System76 driver installed to receive the latest firmware and disabled ME on laptops.
System76 will investigate producing a distro-agnostic command line firmware install tool. Follow us on your preferred social network for updates.
System76 will not disable the ME on desktops but will provide updated ME firmware.
Desktop customers will receive instructions for updating the ME via email as they are available.
Last but not least, a Reddit user also noticed this week that Dell modified its online store to allow customers to buy Intel-powered computers without Intel’s Management Engine.
[Image: Buy options on Dell online store]
It is unclear when this option was added, or if Dell took this decision after Intel notified the company of the ME flaws. Nonetheless, the change is welcome, mainly because ME is a technology meant for enterprise environments, and has no place on personal-use computers.
Dell is just one of the many hardware vendors that have admitted they sell products affected by the Intel ME bugs. Other vendors are Acer, Fujitsu, HP, Lenovo, and Panasonic. All promised firmware updates that will fix the reported security bugs, although not all have delivered on their promise just yet.
December 3, 2017