Intel CPUs Have Serious Security Flaws: What You Should Know
Some very serious flaws have been found in millions of computers using Intel chipsets — but we don't yet know whether consumer machines are affected.
The flaws have to do with the Intel Management Engine (ME) built into many Xeon, Atom and Celeron processors, and into most Core Series (Core i3 / i5 / i7) processors built since 2015. Two Russian researchers working for a firm called Positive Technologies claim to have found ways to attack the ME via a USB port and thus take over a PC. They'll be presenting their findings at the Black Hat Europe 2017 security conference on Dec. 6.
In the meantime, Intel has released a security advisory and a downloadable tool that tells you if your machine might be affected. Dell, Lenovo and other hardware makers have released lists of PC models that they believe are affected, although few have yet released firmware.
The upshot is: Don't panic yet. We won't know how these exploits work for another couple of weeks, which means anyone wanting to attack your machine won't know either. (They'd probably need physical access in any case.) All you can do is wait for your hardware maker to issue a firmware update and apply it when it arrives.
The ME is a separate processor that runs its own operating system (a variant of MINIX, the precursor to Linux) and can boot up independently of the host machine. It can run even when a machine is turned off. It's there to help IT personnel in companies both small and large administer machines remotely across a local network.
Normally, system administrators use the ME through Intel's Active Management Technology (AMT) software, and indeed a flaw in AMT was discovered and patched earlier this year. But while that earlier flaw was limited to enterprise and small-business machines that had AMT installed and provisioned — and hence excluded most consumer machines — it's not clear whether this new flaw affects only workplace machines.
Because Intel has put the ME chip on many processors used by business and consumer machines alike, and because it's possible the Russian researchers presenting at Black Hat may have found a way to exploit the ME chip without AMT or any other IT-administration software running, consumer machines are not out of the woods yet.
So what can you do? For now, not much. But here's a checklist to go through:
Does your computer use an AMD rather than an Intel CPU? If so, you're not affected.
Does your computer use an Intel Core processor built before 2015? If so, you're not affected.
Are you using an Intel-based Mac? If so, you're not affected.
If you said "no" to all three of these, then go to this Intel page and download, unzip and run either the Windows or the Linux vulnerability detection tool. Windows users have a choice of a command-line tool or a graphical user interface; Linux users, as usual, have to use the command line.
Does the Windows tool tell you that your system "is vulnerable"?
Congratulations — your system is vulnerable. Go to the support section of your PC manufacturer's website and see if a patch is available. If you built your own system, check your motherboard maker's website. The Dell and Lenovo pages mentioned at the beginning of this story are where you should go if you have machines from either company.
Does the Windows tool tell you that your system "may be vulnerable"?
That doesn't really tell you anything. We got that response on a 2009 Dell Precision WorkStation T3500 running a Xeon W3505 CPU, but we don't know whether the machine is too old to be vulnerable.
Does the Windows tool tell you that you're in the clear, or that it's encountered an "unknown or unsupported hardware platform"? Congratulations — you can stop reading this.
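For anyone triaging more than one machine, the checklist above can be scripted. The following is an added example, not code from the article, from Intel or from the researchers: it parses a CPU brand string (the kind shown by Windows' System panel or /proc/cpuinfo on Linux) to apply the three pre-checks, and maps the phrases the article quotes from Intel's tool to an action. It assumes the brand-string layout shown in the constructed samples, treats 6th Gen Core (the 2015 Skylake launch) as the cutoff implied by "built since 2015", and matches only the verdict wording quoted in the article; the tool's real output may differ.

```python
import re

# Assumption (the article says only "built since 2015"): treat 6th Gen Core
# (Skylake, launched 2015) as the first Core generation that needs the tool run.
FIRST_AFFECTED_CORE_GEN = 6

# Matches "Core(TM) i7-6700K", "Core(TM) i7-920", "Core(TM) i7-10700K".
_CORE_RE = re.compile(r"\bCore\(TM\)\s+(i[3579])-(\d{3,5})", re.IGNORECASE)


def parse_cpu(brand: str) -> dict:
    """Extract vendor, product family and Core generation from a CPU brand string."""
    text = brand.strip()
    upper = text.upper()
    if "AMD" in upper:
        vendor = "amd"
    elif "INTEL" in upper:
        vendor = "intel"
    else:
        vendor = "unknown"

    family = "other"
    generation = None
    match = _CORE_RE.search(text)
    if match:
        family = "core"
        digits = match.group(2)
        # Intel's numbering: i7-920 (3 digits) is 1st Gen, i7-6700 (4 digits)
        # is 6th Gen, i7-10700 (5 digits) is 10th Gen.
        if len(digits) == 3:
            generation = 1
        elif len(digits) == 4:
            generation = int(digits[0])
        else:
            generation = int(digits[:2])
    elif "XEON" in upper:
        family = "xeon"
    elif "ATOM" in upper:
        family = "atom"
    elif "CELERON" in upper:
        family = "celeron"
    return {"vendor": vendor, "family": family, "generation": generation}


def triage(brand: str, is_mac: bool = False) -> str:
    """Apply the article's three pre-checks; anything not excluded must run Intel's tool."""
    info = parse_cpu(brand)
    if info["vendor"] == "amd":
        return "not affected: AMD CPU"
    if is_mac:
        return "not affected: Intel-based Mac"
    if (info["family"] == "core" and info["generation"] is not None
            and info["generation"] < FIRST_AFFECTED_CORE_GEN):
        return "not affected: Core processor built before 2015"
    # Xeon, Atom, Celeron and any Core part we could not date all fall through here,
    # matching the article's advice to run the detection tool when in doubt.
    return "run Intel's detection tool"


def classify_tool_verdict(message: str) -> str:
    """Map the tool's verdict to an action. Assumption: only the phrases the
    article quotes are matched; the real tool's wording may vary."""
    lower = message.lower()
    if "unknown or unsupported" in lower or "not vulnerable" in lower:
        return "no action needed"
    if "may be vulnerable" in lower:
        return "inconclusive: watch for a firmware update from your PC or board maker"
    if "is vulnerable" in lower:
        return "vulnerable: check the manufacturer's support site for a firmware patch"
    return "unrecognised output: re-run the tool and read its report"


if __name__ == "__main__":
    # Constructed sample brand strings, not captured from real inventory.
    samples = [
        ("AMD Ryzen 7 1700X Eight-Core Processor", False),
        ("Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz", False),
        ("Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz", False),
        ("Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz", True),
        ("Intel(R) Xeon(R) CPU W3505 @ 2.53GHz", False),
    ]
    for brand, mac in samples:
        print(f"{brand:45} mac={mac!s:5} -> {triage(brand, is_mac=mac)}")
    print(classify_tool_verdict("This system may be vulnerable"))
```

The Xeon W3505 case falls through to "run the tool" rather than "not affected": the article's age-based exclusion is stated only for Core processors, and the tool's own "may be vulnerable" answer on that machine is the only evidence the article gives for it.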
While we don't know exactly what the vulnerability is yet, the good news is that it will probably require physical access to your laptop to exploit. So, as always, don't let strangers use your PC or plug things into its USB ports.