HP’s Endpoint Security Controller: More Details About A New Chip in HP Notebooks
by Anton Shilov on May 2, 2019 2:00 PM ESTOne of HP’s key announcements this spring was its revamped security initiative for PCs that includes hardware, software, and deep learning-based approaches. The software and DL parts of the things were discussed earlier this month, but the hardware-based Endpoint Security Controller remained more or less a mystery. This is why we asked HP to talk about it in more detail.
When it was announced, the company said that the HP Endpoint Security Controller is indeed a separate piece of silicon that sits inside HP’s PCs and performs certain security-based tasks. The ESC features a general-purpose processor core, HP’s custom hardware IP blocks, and embedded software. What is interesting is that HP has been installing the controller into its laptops since the EliteBook 800 G1 series launched in 2013, but has been very secretive about it until recently.
Initially, HP used the Endpoint Security Controller only for its Sure Start technology that can 'heal'/recover the system BIOS. Fast forward to 2019, and the controller has gained capabilities. HP now uses it to protect Intel’s Management Engine, and to enable its Sure Run and Sure Recover capabilities.
HP stresses that it is focused to continue to explore features of its ESC to make its HP Elite as well as select HP Pro business computers and select ZBook workstations the most secure mobile PCs on the market. Without disclosing any future plans, HP essentially implies that in the future it can use the Endpoint Security Controller for other security-related features.
HP’s ESC with all the bells and whistles is currently used in the company's sixth-generation EliteBook 800-series as well as HP ZBook 14u and 15u workstations. Eventually, capabilities of the Endpoint Security Controller will migrate to other systems too.
One of the key things about the ESC disclosure is that it shows PC makers are prepared to implement their own hardware-based methods to improve security of their premium PCs aimed at professionals. One would hope that this is a good news, assuming the controllers are sufficiently audited and not just obfuscated, but it will be interesting to see when and if HP incorporates its Endpoint Security Controller into premium consumer and mainstream consumer PCs.
Related Reading
- HP’s Security Push: Sure Sense & Endpoint Security Controller
- New HP ZBook 14u & ZBook 15u Portable Workstations
- HP’s Cascade Lake Z6 & Z8 Xeon Scalable Workstations with Up to 6 TB Optane
- HP Launches ProBook 400 G6 Series: Thinner & Sleeker Workhorses
Source: HP
33 Comments
View All Comments
Ashinjuka - Thursday, May 2, 2019 - link
I believe in picking ones battles, and while I appreciate privacy and security, I also still own phones of both OSes, use Gmail, Office 365, Windows 10, buy crap from Amazon (when unavoidable), have a smart TV, and pay for services using credit cards in my own name with my own address. I'm under no illusions that much of anything I really do using modern technology is private, especially to a determined exploiter. That ship has sailed, so I'm not gonna tilt against a windmill about HP putting some under-documented security chip in my laptop.If this makes refurb EliteBooks cheaper for me because of some nerd-outrage backlash, then I'm cool with it.
Santoval - Friday, May 3, 2019 - link
Er, the chip is not "under-documented". It is still completely UNdocumented and, most importantly, was kept secret for six full years. Documentation of a software or firmware suggests "ability to audit" the thing. That is still not the case, and marketing images like the above are not even remotely documenting anything. "Under-documentation" implies insufficient documentation, which clearly does not apply here.Reflex - Thursday, May 2, 2019 - link
I'd be more onboard if it wasn't for the fact that HP software is where we often find our security issues when doing PEN tests.oRAirwolf - Thursday, May 2, 2019 - link
Unless they have an entire team of Google level engineers constantly working to improve both the chip and software, I can pretty much guarantee you we will see an exploit that uses these in the future.Santoval - Friday, May 3, 2019 - link
Exactly. Particularly now that they revealed the chip exists but have not allowed anyone to audit it. By the way, even "entire teams of Google level engineers" introduce or miss bugs. You make it sound like Android is bulletproof.JanW1 - Friday, May 3, 2019 - link
This sounds like a dream for attackers with sufficient resources. An undocumented general-purpose processor sitting above the system BIOS and able to "heal" it (read: replace or patch it) at will. Installed since 2013 unbeknownst to the laptop owners.Open hardware increasingly starts to look like the only way to go if you want to truly own your device.
peevee - Friday, May 3, 2019 - link
What open hardware?edzieba - Friday, May 3, 2019 - link
"We installed an undocumented hardware backdoor into all your devices! No need to thank us!"Dragonstongue - Friday, May 3, 2019 - link
Awwww shucks HP, and you were on everyone's wish list this year, now is straight on the naughty get a bag of coal in the nuts list.Guess some companies never learn, if it is not their printers locking you out forcing to buy ink when there is still plenty left, to odd wired components to prevent user maintenance, foobar bios etc.
khanikun - Monday, May 6, 2019 - link
Oh, we have a bunch of HP digital senders at work. They locked it down into buying their card readers. Their $300+ card readers. They use to allow you to use any card readers. So you could get a $20-30 one and be good to go.