Security Experts:

System76 to Disable Intel ME on Laptops Due to Security Flaws

Following the discovery of several potentially serious vulnerabilities in Intel’s Management Engine (ME), computer seller System76 announced its intention to disable the feature on its laptops with a future firmware update.

In the past months, Intel and third party security researchers discovered a significant number of flaws in ME and Active Management Technology (AMT), which allow users to remotely manage devices. The security holes can be exploited to execute arbitrary code without being detected by the user or the operating system, bypass security features, and crash systems.

Intel has released patches for these vulnerabilities and vendors such as Acer, Dell, Fujitsu, HPE, Lenovo, and Panasonic informed customers that they are also working on firmware updates that address the weaknesses.

System76, which provides Linux-powered laptops, desktops and servers, has decided to address the risks introduced by Intel ME by disabling the feature altogether.

The company has been working on a system that will allow it to automatically deliver firmware updates to computers in the same way software updates are currently being delivered through the operating system. The new update mechanism has been tested and it’s nearly ready for deployment on laptops.

System76 plans on delivering a firmware update that disables ME on laptops using 6th, 7th and 8th generation CPUs from Intel. This includes Bonobo, Gazelle, Kudu, Lemur, Oryx and Serval laptops.

Users will be informed of an update via email and prompted to install it – updates will not be conducted without user interaction. The automatic updates will work on laptops running Ubuntu 16.04 LTS, Ubuntu 17.04, Ubuntu 17.10, or version 17.10 of Pop!_OS, System76’s own Linux distribution.

ME will continue to be present on System76 desktop computers, but users will be provided firmware updates that patch the vulnerabilities disclosed by Intel.

“There is a significant amount of testing and validation necessary before delivering the updated firmware and disabled ME,” explained System76 CEO Carl Richell. “Disabling the ME will reduce future vulnerabilities and using our new firmware delivery infrastructure means future updates can roll out extremely fast and with a higher percentage of adoption (over listing affected models with links to firmware that most people don’t install).”

The company pointed out that disabling ME on laptops may no longer be possible at some point if Intel makes changes to the feature. “We implore Intel to retain the ability for device manufactures and consumers to disable the ME,” Richell said.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.