In 2017, security researchers at Positive Technologies discovered something unexpected in Intel's firmware: a hidden "kill switch" labeled HAP - High Assurance Platform. Intel had built a way to disable most of the Management Engine. But they didn't build it for you. They built it for the NSA. [1]

The Intel Management Engine is a separate computer embedded in every Intel processor made since 2008. It has its own CPU, its own memory, and runs its own operating system. It boots before your computer's main CPU and keeps running even when your computer is "off." It has direct access to your system memory and, on many systems, direct access to your network. And until Positive Technologies reverse-engineered the firmware, no one outside Intel knew there was a way to disable it.

The question isn't whether the ME is a security risk. The question is why Intel built an unkillable system with god-mode access that only government agencies can turn off.

What Intel ME Actually Is

The Management Engine runs on a dedicated 32-bit ARC processor (x86 Quark in newer versions) physically embedded in your Intel chipset. Since ME version 11 (starting with Skylake processors in 2015), it runs MINIX 3 - an operating system originally created as a teaching tool. Before that, it ran ThreadX RTOS. [2]

This isn't marketing fluff about a "coprocessor." It's a complete computing environment:

  • Its own CPU: Dedicated processor separate from your main Intel CPU
  • Its own RAM: Isolated memory that your operating system cannot access
  • Its own OS: MINIX 3, a Unix-like microkernel system
  • Full system access: Can read and write all of your computer's RAM
  • Network stack: Complete TCP/IP implementation for remote access
  • Always on: Runs whenever the motherboard has power, even when the main system is "off"

Security researchers describe it as running at "Ring -3" - three privilege levels below even the kernel. Your operating system runs at Ring 0. The hypervisor runs at Ring -1. The System Management Mode runs at Ring -2. The ME runs below all of them, with access to everything and accountability to nothing. [3]

The Components Inside ME

The Management Engine isn't one monolithic program. It's a collection of interconnected subsystems:

Active Management Technology (AMT)

Intel's enterprise remote management system. AMT allows IT administrators to:

  • Power on, reboot, or shut down computers remotely
  • Access the BIOS and change settings
  • Boot from remote images
  • Redirect the display, keyboard, and mouse
  • Access the system even when the OS has crashed or isn't installed

All of this works over the network, completely independent of your operating system. If AMT is enabled and accessible, an attacker with credentials has total control of your system - and a firewall running on that system won't even see the traffic, because it is handled below the OS level. [4]

Intel Boot Guard

A secure boot implementation that verifies firmware signatures before allowing the system to start. The catch: Boot Guard keys are burned into the CPU at manufacture. If your laptop manufacturer enables Boot Guard (most do), you physically cannot replace the BIOS with open-source alternatives like Libreboot. The ME decides what firmware runs on your computer, and you don't get a vote. [2]

Protected Audio Video Path (PAVP)

DRM enforcement at the hardware level. PAVP creates an encrypted channel between the ME and the display to prevent you from capturing protected content. Your computer actively works against you to enforce copyright restrictions.

Identity Protection Technology (IPT)

Hardware-based authentication that generates one-time passwords and manages cryptographic keys. Sounds useful until you realize those keys are generated and stored in a system you can't audit.

The Vulnerabilities

A hidden computer with god-mode access running closed-source firmware. What could go wrong?

CVE-2017-5689 (Silent Bob is Silent)

In May 2017, Embedi researchers discovered that AMT's web interface would accept an empty authentication response. Send a blank password hash and you're in. CVSS score: 9.8 out of 10. [5]

This wasn't a buffer overflow or a complex chain of exploits. It was authentication bypass - the most basic security failure possible. And it had been present in Intel chips for nine years, affecting virtually every Intel system with AMT enabled since 2008.

To exploit it, attackers needed network access to the AMT port. But AMT runs on port 16992 by default, and many enterprise systems expose it directly to the network. Once in, attackers had full remote control: BIOS access, boot control, complete system takeover.
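
A model of this failure class, added here as an illustration and not Intel's firmware code: a response check bounded by the length of what the client sent accepts an empty response, while an exact-length, constant-time comparison rejects it. The RFC 2617-style digest construction, the function names, and every credential and nonce below are constructed assumptions.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def expected_response(user, realm, password, method, uri, nonce) -> str:
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def check_flawed(expected: str, supplied: str) -> bool:
    """Hypothetical flawed check: compares only as many characters as were sent."""
    n = len(supplied)                      # length taken from untrusted input
    return expected[:n] == supplied[:n]    # n == 0 compares nothing, so True


def check_hardened(expected: str, supplied: str) -> bool:
    """Exact length first, then a constant-time comparison of the full value."""
    if len(supplied) != len(expected):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo() -> dict:
    # Constructed sample values, not taken from any real device.
    exp = expected_response("alice", "example-realm", "correct horse",
                            "GET", "/index.htm", "constructed-nonce-01")
    cases = {"correct": exp, "empty": "", "wrong": "0" * 32}
    return {name: (check_flawed(exp, s), check_hardened(exp, s))
            for name, s in cases.items()}


if __name__ == "__main__":
    for name, (flawed, hardened) in demo().items():
        print(f"{name:8} flawed={flawed!s:5} hardened={hardened}")
```

The regression test worth keeping from this is the empty-response case: any credential check should be exercised with a zero-length input as well as a wrong one.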

SA-00086 (November 2017)

Six months after Silent Bob, Intel disclosed another round of ME vulnerabilities. Multiple buffer overflows and privilege escalations in ME, Server Platform Services (SPS), and Trusted Execution Engine (TXE). Affected systems ranged from consumer laptops to enterprise servers. [6]

The vulnerabilities allowed local attackers to execute arbitrary code in the ME environment - the one place on your computer that has access to everything and is invisible to all security software.

Ongoing Research

Positive Technologies, Mark Ermolov, and other researchers continue to find ME vulnerabilities. In 2020, they discovered CVE-2019-0090, an unfixable bug in the boot ROM that could allow attackers to compromise the hardware root of trust. Because it's in read-only memory burned into the chip, no firmware update can fix it. [7]

The NSA Switch

Here's where it gets interesting. In 2017, Positive Technologies researchers were reverse-engineering ME firmware when they found an undocumented configuration bit labeled "HAP" - High Assurance Platform. Setting this bit causes the ME to disable itself shortly after hardware initialization. [1]

Intel confirmed HAP was developed at the request of "the U.S. government" for systems requiring high security. The NSA's Information Assurance Directorate runs a program called High Assurance Platform. They wanted Intel chips without the ME running. Intel obliged - but only for them.

Think about what this means: The U.S. government considers Intel ME too dangerous to run on their secure systems. But Intel still ships it enabled and unremovable on every consumer and enterprise system. The government gets a kill switch. You get to trust Intel.

Disabling the Management Engine

You can't completely remove ME. Intel designed it as a boot dependency - corrupt or remove the ME firmware and your system shuts down after 30 minutes. But you can neuter it.

me_cleaner

The me_cleaner project, created by Nicola Corna, removes non-essential ME components from the firmware image. It strips out everything except the bare minimum needed to pass POST. On most systems, this removes 90-92% of ME code. [8]

What me_cleaner removes:

  • Active Management Technology
  • Intel Standard Manageability
  • All networking components
  • Most runtime services

What remains is a stub that satisfies Intel's boot check but doesn't actually do anything. AMT won't work. Remote management won't work. The ME's network stack is gone. You've reduced the attack surface from a complete operating system to a minimal boot shim.

The catch: using me_cleaner requires extracting your BIOS, modifying it, and flashing it back. This voids warranties, carries bricking risk, and won't work on systems with Boot Guard enabled (which includes most modern laptops).

HAP Bit

Some manufacturers ship systems with the HAP bit set or provide tools to enable it. This is the same mechanism the NSA uses. It disables ME after hardware initialization, leaving the system functional but with ME dormant. [1]

System76 and Purism both ship laptops with ME disabled via HAP or me_cleaner. Dell's high-end enterprise systems sometimes offer AMT disable options. But mainstream consumer hardware? You get ME, enabled, running, with no official way to turn it off.

Disable AMT in BIOS

If you can't modify the firmware, at minimum disable AMT in your BIOS settings. Look for Intel Management Engine or Intel AMT Configuration. Disabling it won't stop ME from running, but it will prevent network-based attacks on the AMT interface.

Also check if your system exposes port 16992 (AMT). From another computer on your network: nmap -p 16992 [your-ip]. If it's open, your AMT interface is reachable.

The Trust Problem

Intel's response to ME concerns follows a pattern: acknowledge the legitimate enterprise use case, deny intentional backdoors, promise security improvements, and change nothing fundamental.

From Intel: "Intel does not put backdoors in its products nor do our products give Intel control or access to computing systems without the explicit permission of the end user." [2]

Maybe. But here's what we know:

  • The firmware is proprietary and encrypted. Independent audits are impossible.
  • The HAP kill switch exists and was built for government clients who consider ME a security threat.
  • Critical vulnerabilities went undetected for years, suggesting inadequate internal security review.
  • The system runs below the OS with full hardware access - perfect for undetectable surveillance.
  • We can only verify Intel's claims about ME by reverse engineering - exactly what Intel tries to prevent.

The issue isn't whether Intel is lying. It's that their architecture makes verification impossible. You're asked to trust a black box with root access to your system, created by a company that cooperates with government surveillance programs.

Alternatives

If ME concerns you, your options are limited:

Pre-2008 Intel Systems

Intel processors before 2008 don't have ME. Old, yes, but ME-free. Some people run decade-old ThinkPads specifically for this reason.

AMD Systems

AMD has the Platform Security Processor (PSP) - their equivalent of ME. The PSP also runs proprietary firmware with full system access. But unlike Intel ME, PSP doesn't have direct network access. This makes remote exploitation significantly harder, though local attacks remain possible. [9]

Privacy-Focused Vendors

System76, Purism, and others sell laptops with ME disabled. They use me_cleaner and HAP to minimize ME's presence. You pay a premium, but you get hardware that at least tries to respect your security.

ARM-Based Systems

ARM processors don't have Intel ME. Many have their own secure enclaves (TrustZone), but the architecture differs significantly. If you can run your workload on a Raspberry Pi, Pinebook, or similar ARM device, you're ME-free.

What You Should Do

Complete ME elimination is impractical for most users. But risk reduction is achievable:

  1. Disable AMT: In BIOS settings, find and disable Intel Management Engine or AMT. This closes the remote attack surface.
  2. Check network exposure: Scan your system for open port 16992. If exposed, firewall it immediately.
  3. Update firmware: Intel releases ME firmware patches. They're distributed through your system manufacturer's BIOS updates. Apply them.
  4. Consider alternatives: If you're buying new hardware and ME concerns you, look at System76, Purism, or AMD-based systems.
  5. Assume compromise: Design your security model knowing that ME exists and could be exploited. Encrypt sensitive data. Compartmentalize. Don't store secrets on systems you can't trust.
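
The port check from step 2 (and from the "Disable AMT in BIOS" section), extended to a list of machines you administer; this is an added example, not code from any project mentioned above. It assumes the AMT web server identifies itself in the HTTP Server header, and the function names and inventory address are hypothetical.

```python
import socket

AMT_PORT = 16992  # AMT web interface port named in the article

def probe(host: str, port: int = AMT_PORT, timeout: float = 2.0) -> dict:
    """TCP-connect to host:port; if it answers, capture the HTTP Server header."""
    result = {"host": host, "port": port, "state": "closed", "server": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        result["state"] = "filtered"      # no reply at all, e.g. dropped upstream
        return result
    except OSError:
        return result                     # refused or unreachable
    result["state"] = "open"
    buf = b""
    with sock:
        try:
            sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
            while b"\r\n\r\n" not in buf and len(buf) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except OSError:
            pass                          # port is open even if HTTP fails
    head = buf.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:   # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            result["server"] = value.strip()
    return result

def looks_like_amt(result: dict) -> bool:
    # Assumption: the AMT web server names itself in the Server header.
    server = (result["server"] or "").lower()
    return result["state"] == "open" and "active management technology" in server

def audit(hosts, port: int = AMT_PORT, timeout: float = 2.0) -> list:
    """Return probe results for every inventory host with the port open."""
    return [r for r in (probe(h, port, timeout) for h in hosts) if r["state"] == "open"]

if __name__ == "__main__":
    # Constructed inventory (documentation address); run from another machine
    # on the network and list only systems you administer.
    for r in audit(["192.0.2.10"]):
        print(r["host"], r["port"], r["server"], "AMT" if looks_like_amt(r) else "other")
```

Because AMT traffic is handled below the operating system, an exposed port has to be closed on the network (switch ACL or upstream firewall) or by disabling AMT, not with a host firewall on the affected machine.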

The Bigger Picture

Intel ME is a case study in how modern computing works against users. A corporation builds invisible infrastructure into every product. The infrastructure has security implications that affect everyone. Users have no meaningful choice or control. And when the government wants protection from that infrastructure, they get it - while you don't.

This isn't conspiracy theory. It's documented engineering. Intel built ME. Intel built the HAP kill switch. Intel provided it to the government. Intel denies it's a backdoor while making independent verification impossible.

Your computer contains a separate computer that runs code you can't see, has access to everything, and can communicate over the network even when your system is off. Intel says trust us. The NSA said no thanks.

You should too.

References

  1. Positive Technologies. "Disabling Intel ME 11 via undocumented mode." August 2017. ptsecurity.com
  2. Wikipedia. "Intel Management Engine." wikipedia.org
  3. Invisible Things Lab. "Intel x86 considered harmful." December 2015. invisiblethings.org
  4. Intel. "Intel Active Management Technology Overview." intel.com
  5. Embedi. "Intel AMT Vulnerability - CVE-2017-5689." May 2017. embedi.com
  6. Intel. "Intel SA-00086 Security Advisory." November 2017. intel.com
  7. Positive Technologies. "Intel CSME bug is worse than previously thought." March 2020. ptsecurity.com
  8. GitHub. "me_cleaner - Tool for partial deblobbing of Intel ME/TXE firmware images." github.com
  9. Wikipedia. "AMD Platform Security Processor." wikipedia.org