Will open hardware race curb worrying chip vulnerability?

In 2007 the enterprise computing landscape changed. Without major fanfare, Intel introduced its new Management Engine. This innocuous-sounding bundle of hardware and firmware was intended to give enterprise IT managers greater control over the machines on their network. It succeeded.

Comprising a fully functional processor, memory, ROM and network interface, the IME, built inside the CPU chipset, became supreme overseer of the rest of the system. It controls everything. Long before an operating system even starts booting, the Management Engine is checking the network connection, validating code and...

...actually, nobody outside of Intel really knows what else it does, at least not entirely. Its code is heavily encrypted and so far has not been fully disassembled. The reason for encryption is obvious: this is a potential vulnerability for all systems in which it's present. If the encryption were ever broken, enterprise systems could be vulnerable to data theft, botnet conscription and remote access, with their users and managers none the wiser. It's not beyond the realms of possibility that this has already happened.

What's surprising is the length of time that this has been going on without much complaint. Analysts such as Joanna Rutkowska have been warning about the risks for years. Projects such as Libreboot have, with some success, disabled early versions of the Management Engine, though mostly on computers that are now too old to consider for serious business use. Yet enterprise customers have so far made little noise, happy that the convenience of remote PC management outweighs any possible security concerns.

It's not as though there are any real alternatives. AMD stayed out of this area for some time, but since 2013 its CPUs have had a similar feature: the Platform Security Processor.

Alex Cruickshank

Alex Cruickshank has been writing about technology and business since 1994. He has lived in various far-flung places around the world and is now based in Berlin.  
