I understand what the ME is at a very vague level, but I'm confused about how it works. How would someone interact with the ME? Is it just listening on my network interfaces? Would someone need to run code from my OS? Does it matter what OS I'm using?
In general the ME will only be listening for network traffic if you've enabled AMT functionality (which is restricted to certain enterprise SKUs and has requirements around which networking hardware is used and so on). Otherwise, the ME will expose a PCI device implementing the Host Embedded Controller Interface (HECI) and OS drivers can bind to that to offer an interface to applications.
Intel ME, as its own CPU, promiscuously listens for a certain Ethertype or UDP/TCP port.
It is optional to run additional OS code from the main Intel CPU to gain access to Intel ME.
Intel ME's basic function is to display your monitor over the network, monitor some hardware temp sensors, and reset the motherboard while your main Intel CPU is running or suspended (or even powered down).
Since we cannot verify that Intel ME is only doing just that specific listening for network packets, because we do not have access to their source code (much less rebuild our own copy of the Intel ME binaries), we cannot assume any modicum of correctness of Intel ME CPU operation (which has full unfettered access to all of your CPU memory) nor determine the level of maliciousness ... of your Intel ME.
It is "caveat emptor" from a computer security POV.
> Intel ME's basic function is to display your monitor over network, monitor some hardware temp sensors, and reset the motherboard while your main Intel CPU is running or suspended (or even powered down).
No, that's AMT, which is an optional feature not enabled on the majority of devices with an ME. On an average system it's much more likely that the ME is being used for PTT (Intel's implementation of a TPM running on the ME, avoiding the cost of an additional TPM chip), a protected video path for DRMed video (the encrypted video is passed to the ME, which decrypts it and draws it to the screen without the decrypted content ever being visible to the host CPU) and various other low-level platform integration things.
You don't need source code to verify the behaviour of a binary. The vulnerabilities that have been identified in ME code didn't depend on researchers having source code. Can we be certain that the ME isn't doing something malicious? No. But nor could we be certain even if we had the source code (maybe the microarchitecture was modified so that a specific sequence of instructions would cause the next cmp operation to invert, for example). Nobody's found any evidence of malice, and not really any more incompetence than you'd expect.
> You don't need source code to verify the behaviour of a binary.
Not even a die-hard cybersecurity reverse engineer would ever say, "you don't need source code to verify the behaviour of a binary", but it would make life easier to verify seldom-used or unused code for non-maliciousness.