ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

The Intel Management Engine – a Privacy Nightmare

Every modern processor made by Intel contains a backdoor known as the Intel Management Engine (IME). This is an isolated and protected coprocessor that is embedded in all Intel chipsets that are newer than the first quarter of 2008.

This includes all desktops, servers, ultrabooks, tablets, and laptops with the Intel Core vPro processor family. It includes the Intel Core i3, i5, i7, and Intel Xeon processor E3-1200 product family.

The Intel Management Engine is Really Rather Scary

This closed source non-auditable subsystem can:

  • Access all areas of your computer's memory, without the CPU’s knowledge.
  • Access every peripheral attached to your computer.
  • Set up a TCP/IP server on your network interface that can send and receive traffic, regardless of whether the OS is running a firewall or not.
  • Run remotely even when your computer is turned off.
  • Enable a remote user to power on, power off, view information about, and otherwise manage your PC.
  • ME firmware versions 4.0 and later (Intel 4 Series and later chipsets) include a DRM application called "Protected Audio Video Path" (PAVP). This allows a remote user to access everything that is shown on your screen.

If your PC uses an Intel chip, then it does not matter which operating system you run. As Brian Benchoff notes in a Hackady blog post,

Own the ME and you own the computer.”

Terrifying as this all is, it gets worse. The AMT application (see below) has known vulnerabilities, which have already been exploited to develop rootkits and keyloggers, and to covertly gain encrypted access to the management features of a PC. As Libreboot notes in its FAQ,

“In summary, the Intel Management Engine and its applications are a backdoor with total access to and control over the rest of the PC. The ME is a threat to freedom, security, and privacy, and the libreboot project strongly recommends avoiding it entirely.

Until now, the only way to do this has been to avoid all generations of Intel hardware newer than ten years old! Unfortunately, opting to use a non-Intel processor does not get you very far…

Non-Intel Chips are Not Safe Either!

All post-2013 AMD chips contain a Platform Security Processor (PSP). Implementation of this is very different from that of Intel’s IME, but it does a very similar thing. It also comes with all of the same basic security and freedom issues as the IM.

Android and iOS devices, on the other hand, all ship with an integrated proprietary chip known as a baseband processor. It is well known in security circles that this can effectively act as a backdoor

So What Exactly is the Intel Management Engine?

The IME is the hardware component of Intel’s Active Management Technology (AMT). It is designed to allow system administrators to remote-access PCs in order to monitor, maintain, update, upgrade, and repair them.

intel management engine

Other than its capabilities, very little is known about the IME. This is thanks to the fact that it is closed source and secured with an RSA-2048 key. As previously noted, the AMT application has known vulnerabilities, although the IME hardware component remains secure… for now. As Benchoff notes,

There are no known vulnerabilities in the ME to exploit right now: we’re all locked out of the ME. But that is security through obscurity. Once the ME falls, everything with an Intel chip will fall. It is, by far, the scariest security threat today, and it’s one that’s made even worse by our own ignorance of how the ME works.”

With regard to criminal hackers, it is very much a case of when, not if the hardware is cracked. Furthermore, criminal hackers are only one threat to be concerned about.

System administrators gain access to AMT features using cryptographic keys. These could be stolen or handed over to the authorities on receipt of a subpoena, court order, national security letter, or suchlike.

Indeed, given what we know about its close connections with the US technology industry, it would be fair to assume that Intel has simply provided the NSA with the certificates and cryptographic keys necessary to access any and every chip it produces. Again, this is very scary!

How Do I Disable the IM?

Until very recently, it has been impossible to disable the IM on most systems that the use Intel Core 2 series of Intel chips or newer (2006 and onwards). Any attempt to disable the ME firmware on a chip that includes the IME would result in the system refusing to boot or shutting down shortly after booting.

A technique was developed for removing the ME from GM45 chipsets (Core 2 Duo, Core 2 Extreme, Celeron M). It worked, however, because the ME was located on a chip separate from the northbridge.

This technique does not work for Core i3/i5/i7 processors, as the ME is integrated to the northbridge. It is possible to disable key parts of the ME on these chips, but this has always resulted in the PC shutting down after 30 minutes, when the ME’s boot ROM (stored in an SPI Flash) failed to find a valid Intel signature.

Just recently, however, researcher Trammell Hudson found that if he erased the first page of the ME region (i.e. 'the first 4KB of its region (0x3000, starts with "$FPT"') of his ThinkPad x230, it did not shut down after 30 minutes.

This discovery led other researchers (Nicola Corna and Frederico Amedeo Izzo) to write a script that takes advantage of this exploit. Note that this script does not completely remove the ME per se, but it does in practical terms disable it. Benchoff observes,

Effectively, ME still thinks it’s running, but it doesn’t actually do anything.”

The script is known to work on Sandy Bridge and Ivy Bridge processors, and should work on Skylake processors. It may work and Haswell and Broadwell processors, but this has not been tested.

Unfortunately, using this script requires serious tech chops. It requires the use of a Beaglebone, an SOIC-8 chip clip, and some loose wires. It also requires a lot of nerve, as there is a serious risk of bricking your processor!

Nevertheless, this is an important development that allows those determined enough to (effectively) remove the backdoor that exists in pretty much every modern processor.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

16 Comments

Tim
on March 11, 2020
Check your facts. It started in CPU's from the 1st quarter of 2008, not 2006. 2009 Dell D630's with most CPU's and all T60 ThinkPads are the most robust non-spying machines.
https://cdn.proprivacy.com/storage/images/2024/01/douglas-crawfordpng-avatar_image-small_webp.webp
Douglas Crawford replied to Tim
on March 11, 2020
Hi Tim. It's a while since I wrote this article and I _think_ the error was just a typo. Whatever the situation, you are correct, and I have updated the article accordingly. Thanks.
Disable Intel ME
on February 17, 2018
Intel management, the greatest security threat of the modern age; 99.99999% of intel users do not want nor use the backdoor functions it offers, yet they exist by default and only the NSA has been given the green light to turn it off. I doubt nuclear facility personnel are going sit around waiting for the next AMT patch from Intel while their reactors are on the verge of full meltdown. (No wonder Samsung just surpassed Intel as the #1 chip manufacturer) The only real solution is prevention, releasing firmware that allows the remote function of ME to be disabled completely, and ensuring all future releases of Intel chipsets have the option available to disable it. Most of Intel ME's functionality is deeply integrated into remote desktop, terminal services, and terminal server. I have located and disabled all the software level vectors of control Intel ME has over a live windows session. Disabling these should neuter AMT's functionality interfacing with a live windows OS, though it doesn't stop AMT at the hardware level. Hackers were still able to disable my network card from connecting to the internet in linux, including live distros. Never had this problem in 10 years, until I started gutting Intel ME from my system. I'll need an aftermarket network card to fix that. The Intel ME Gigabit Network Connection identifies out-of-band (OOB) network traffic (traffic targeted to Intel AMT) and routes it to the Intel ME instead of to the CPU. Intel AMT traffic is identified by dedicated IANA-registered port numbers. Viable Solutions? 1. Unplug your computer from the internet and lan. 2. Disable ME, flip the hap bit. 3. Use an after market network and wifi card; 4. Block incoming/outgoing ports via router associated with Intel Management OOB; 16992, 16993, 16994, 16995, 623, 644 Are separate Intel gigabit NIC cards a solution to AMT vulnerability? https://communities.intel.com/thread/114211 "Please note that depending on configuration Intel AMT when configured may receive messages over other than AMT interfaces when OS is running. So local vulnerability shall be disabled by blocking LMS services" AKA, even if you have an after market network card... if they have access to your OS, hackers might be able to reprogram the ME or plant a rootkit inside the ME or "Intel Firmware hub" that can bridge your NIC. Neutering Intel ME at the Software level: Disable Remote Desktop, Terminal Services, Terminal Server, and low level redirectors; This info I'm deriving from Windows 7 SP1 64; though be sure to check if you have the same or similar services. Soon I'll post automated files to disable all of these services in one felt swoop. Create a system restore point before proceeding. dword:000000* To disable * = 4 0 Boot 1 system 2 Automatic 3 Demand (starts on demand by given service command or whatever) 4 Disabled You can restore Intel management, the greatest security threat of the modern age; 99.99999% of windows users do not want nor use the backdoor functions it offers, yet they exist by default and only the NSA has been given the green light to turn them off. I doubt nuclear facility workers are going sit around waiting for the next AMT patch from Intel while their reactors are on the verge of full meltdown. The only real solution is prevention, releasing firmware that allows the remote function of ME to be disabled completely. Most of Intel ME's functionality is deeply integrated into remote desktop, terminal services, and terminal server. I have located and disabled all the software level vectors of control Intel ME has over a live windows session. Disabling these should neuter AMT's functionality interfacing with a live windows OS, though it doesn't stop AMT at the hardware level. Hackers were still able to disable my network card from connecting to the internet in linux, including live distros. Never had this problem in 10 years, until I started gutting Intel ME from my system. I'll need an aftermarket network card to fix that. Viable Solutions? 1. Unplug your computer from the internet and lan. 2. Disable ME, flip the hap bit. 3. Use an after market network and wifi card; 4. Block incoming/outgoing ports via router associated with Intel Management OOBE; 16992, 16993, 16994, 16995, 623, 644 Are separate Intel gigabit NIC cards a solution to AMT vulnerability? https://communities.intel.com/thread/114211 "Please note that depending on configuration Intel AMT when configured may receive messages over other than AMT interfaces when OS is running. So local vulnerability shall be disabled by blocking LMS services" AKA, even if you have an after market network card... if they have access to your OS, hackers might be able to reprogram the ME or plant a rootkit inside the ME or "Intel Firmware hub" that can bridge your NIC. Neutering Intel ME at the Software level: Disable Remote Desktop, Terminal Services, Terminal Server, and low level redirectors; This info I'm deriving from Windows 7 SP1 64; though be sure to check if you have the same or similar services. Soon I'll post automated files to disable all of these services in one felt swoop. Some of these are visible in device manager if you show hidden devices, but many are not. Create a system restore point before proceeding. dword:000000* To disable * = 4 0 Boot 1 system 2 Automatic 3 Demand (on demand by given service command or whatever) 4 Disabled Here is a list of drivers and services associated with Intel ME's remote functionality: Remote Desktop Device Redirector Bus Driver. Bus = hardwired, hardware level traffic lane. Remote access. Redirector = remaps/hooks live O/S ports for remote access at the sub system level (ME). These are Intel Management / AMD PSP hardware drivers. Re-read this till it sinks in. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdpbus] "Start"=dword:00000004 Look out for, "redirectors" What is a Network Redirector? A network redirector consists of software components installed on a client computer that is used for accessing files and other resources (printers and plotters, for example) on a remote system. The network redirector software creates the appearance on the client system that remote files and resources are the same as local files and resources and allows them to be used and manipulated in the same ways. The network redirector tries to make access to remote resources as transparent as possible for the local client application. This is AMT's specialty. RAS ASYNC ADAPTER, MS Remote Access serial network driver; AMT Feature: Serial over LAN for Remote Control) Intel Management Serial over lan demonstration by intel: https://www.youtube.com/watch?v=8vmG6rFd_BM [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asyncmac] "Start"=dword:00000004 Remote Desktop Services UserMode Port redirector [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\UmRdpService] "start"=dword:00000004 Terminal Server (2006) Device Redirector Driver aka Remote desktop device redirector [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPDR] "Start"=dword:00000004 The Redirected Drive Buffering SubSystem, sounds innocent enough, doesn't it? RDBSS https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/the-kernel-mode-network-redirector-driver AMT Has a Feature since at least 2008 (Intel Management Gen 5): IDE Redirect; allows for performing hardware level remote access) One of the most powerful and core components of intel ME. You can see it in action, this is what the NSA are doing from their mesh central command centers: Meshcentral.com - IDE Redirection https://www.youtube.com/watch?v=2yL42OnjMcA Meshcentral.com - Intel AMT IDE-R recovery https://www.youtube.com/watch?v=ZL-WlfJaYCk https://software.intel.com/en-us/blogs/2014/06/24/meshcentralcom-intel-amt-ide-redirect-support Make sure you watch these videos on AMT/ Intel ME redirectors: https://www.youtube.com/results?search_query=intel+ide+redirection IDE-Redirect? Redirected Drive Buffering Subsystem ROOT Kernel Driver (RDBSS) Communicates with Mini-redirector drivers. This should disable much of Intel ME's transparent functionality with windows C:\Windows\System32\drivers\rdbss.sys [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\rdbss] "start"=dword:00000004 MR.X redirectors; Can't get more conspicuous than that. Updated with the Jan 2018 Windows 7 Rollup security package featuring Spectre and Meltdown patches. Intel ME is far, far more dangerous than spectre and meltown. I wouldn't be surprised if Mr. X services are tightly integrated into AMT, which lanmanworkstation (SMB) is dependent upon. I believe MR. X Mini Redirector allows is channeled through AMT via Downlevel Sub Redirectors (1 & 2) Load up regedit, check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ MR. X Windows NT Web Dav Mini Redirector (WebDAV Extension for IIS 7.0 enables Web authors to publish content easily and more securely to IIS 7.0 Web servers; [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV] "Start"dword:=00000004 MR. X Windows NT SMB Mini Redirector [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb] "Start"dword:=00000004 MR. X Loghorn SMB 1.0 Downlevel Sub Redirector [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10] "Start"dword:=00000004 MR. X Loghorn SMB 2.0 Redirector [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb20] "Start"dword:=00000004 Remote Desktop Server Driver [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] "Start"=dword:00000004 Terminal services was later renamed to "Remote Desktop" Terminal service Generic USB Device, Keyboard/Mouse (Keylogging and remote control, both were enabled and running on my pc) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbFlt] "Start"=dword:00000004 Terminal service Generic USB Device, Keyboard/Mouse (both were enabled and running on my pc) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbGD] "Start"=dword:00000004 RDP Display Driver aka Remote Desktop Protocol Chained Display Driver (for watching you from NSA's MESH central servers) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPCDD] "Start"=dword:00000004 Remote Desktop Protocol Display Driver [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPDD] "Start"=dword:00000004 Remote Desktop Protocol Encoder Mirror driver [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPENCDD] "Start"=dword:00000004 Microsoft Remote Desktop Session Host Server Network Provider [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPNP] "Start"=dword:00000004 ME firmware versions 4.0 and later (Intel 4 Series and later chipsets) include a DRM application called “Protected Audio Video Path” (PAVP). Quoting the above "This allows a remote user to access everything that is shown on your screen." Intel offers two PAVP modes - Paranoid and Lite; when set to Paranoid, the video stream is encrypted and its decoding is accelerated by the integrated graphics core. pavp (protected audio video path) enables hardware accelerated decoding of the encrypted stream by intel integrated graphics core. Pavp abbreviation stands for plasma arginine vasopressin. Protected Audio Video Path is still classified as Intel Restricted Secret. So there is no public documentation available... How independent is this of Remote Desktop? I'm not sure. Reflector Display Driver used to gain access to graphics data. It handles the Remote Desktop Protocol Reflector Driver Miniport. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPREFMP] "Start"=dword:00000004 User Mode Remote Desktop Services Display Driver [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPUDD] "Start"=dword:00000004 Microsoft Remote Desktop Protocol Video Miniport driver [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RdpVideoMiniport] "Start"=dword:00000004 Remote Desktop Protocol Terminal Stack Driver (US/Canada Only, Not for Export) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPWD] "Start"=dword:00000004 Remote Desktop Services Security Filter Driver [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tssecsrv] "start"=dword:00000004 Remote Desktop Configuration Service [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SessionEnv] "start"=dword:00000004 Terminal Server Usually companies which need a terminal server with these advanced functions want to remotely control, monitor, diagnose and troubleshoot equipment over a telecommunications network. Sounds like the fundamental core of Microsoft & Intel ME's remote functions. What the EFF? Notice how the most sensitive and critical entries have an F beside them, making them stick out; this lead me to wonder if these were failsafes to ensure you could renable them with another registry key. Who knows. Harden/Disable Terminal Server [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] "TSUserEnabled"=dword:00000000 "TSAdvertise"=dword:00000000 "StartRCM"=dword:00000000 "AllowRemoteRPC"=dword:00000000 "fDenyTSConnections"=dword:00000001 "fCredentialLessLogonSupportedTSS"=dword:00000000 "fCredentialLessLogonSupportedKMRDP"=dword:00000000 "fCredentialLessLogonSupported"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd] "StartupPrograms"=- the =- in the key above removes the startup app function for terminal server [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration] "fInheritAutoLogon"=dword:00000000 "fInheritInitialProgram"=dword:00000000 "fLogonDisabled"=dword:00000001 "fPromptForPassword"=dword:00000001 Inner core of Remote Desktop; WDS=Winstation Driver, rdpwd Remote Desktop Protocol Terminal Stack [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd] "fFlowSoftwareRx"=dword:00000000 "fFlowSoftwareTx"=dword:00000000 "fEnableDTR"=dword:00000000 "fEnableRTS"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\EH-Tcp] "fEnableWinstation"=dword:00000000 "fInheritAutoClient"=dword:00000000 "fInheritAutoLogon"=dword:00000000 "fLogonDisabled"=dword:00000001 "fDisableCcm"=dword:00000001 "fDisableCdm"=dword:00000001 "fDisableClip"=dword:00000001 "fDisableLPT"=dword:00000001 "fDisableCpm"=dword:00000001 "fDisableExe"=dword:00000001 "CdDLL"="" "CfgDll"="" "PdDLL"="" "PdDLL1"="" "WsxDLL"="" "WdDLL"="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] "UserAuthentication"=dword:00000001 "fInheritAutoClient"=dword:00000000 "fInheritAutoLogon"=dword:00000000 "fLogonDisabled"=dword:00000001 "fDisableCcm"=dword:00000001 "fDisableCdm"=dword:00000001 "fDisableClip"=dword:00000001 "fDisableLPT"=dword:00000001 "fDisableCpm"=dword:00000001 "fDisableExe"=dword:00000001 "CdDLL"="" "CfgDll"="" "PdDLL"="" "PdDLL1"="" "WsxDLL"="" "WdDLL"="" (the - in front of hkey deletes the key and its contents; then following up; recreates an empty key) [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\SysProcs] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\SysProcs] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\TSMMRemotingAllowedApps] "ehshell.exe"=dword:00000000 USE PCHunter to modify the following registry keys: fAcceptConnection under; set to 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ConnectionHandler] Connecting multi-hop mesh networks using MAC bridge AMT Mesh Central: https://meshcentral.com/ see image: https://patentimages.storage.googleapis.com/76/a0/06/3d6938ad658e24/US08340106-20121225-D00000.png A multi-hop mesh network may be connected to a Local Area Network (LAN) using a MAC Bridge. One or more nodes on the mesh network may be configured as a bridge node that employs a MAC bridge. Packets that travel between stations on the LAN to nodes on the mesh network flow through one of the bridge nodes on the mesh network. The bridge nodes do not receive all the packets on mesh network, but they receive the packets that are to be transmitted across the MAC bridge. As the bridge nodes learn of new stations on the LAN they advertise routes to the other nodes within the mesh network specifying how to reach those stations. This enables MAC Bridge functionality between wireless mesh networks and 802 LANs. "https://patents.google.com/patent/US8340106 Bridge MP (MAC Bridge driver) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BridgeMP] "Start"dword:=00000004 There you have it; AMT's Windows control vectors and mechanisms have been neutered. You can copy and paste everything here into a reg file, it will not harm your computer; the text will not e injected into your registry, only the keys. Be sure to create a system restore point before doing this.
PSP replied to Disable Intel ME
on February 10, 2022
Hi, This is really helpful. Do you have an updated procedure for W10? Also does the procedure apply equally well to AMD"s PSP?
Ty
on February 6, 2018
Intel Management & Remote Desktop are inseparable, until you delete the files or disable them. You must either disable ME, its windows components, or both. Some of their components I will list here. These will vary depending on motherboard vendor, drivers, and version of Intel ME/AMT. I've got an old LGA775 P5Q-Pro, South Bridge: Intel 82801JR ICH10R, for example. On my PC computer, I've got a nifty little driver called "RDPBUS," otherwise known as "Remote Desktop Device Redirector Bus Driver." A driver is typically for hardware. Bus means hardwired. Wire to wire hardware communication on a hardware lane. So "Remote Desktop BUS DRIVER" basically means Intel ME remote assistance or backdoor driver. Plain as day. ME was massively designed for remote repairs and assistance; so tell me, who else would embed this function on your Intel chipset? and provide you with bus drivers for remote functionality? Intel, of course. Remote Desktop used to be called Terminal Services, and Terminal Server is the central brain of all of this. Intel Management is specialized to work with Remote Desktop functionality. Therefore, if you have not disabled ME, you should disable everything "Remote Desktop" "Terminal Service" and "Terminal Server" until you have nothing left to disable. Given recent security breaches in ME issued by Intel, running anything "Intel Management" enabled is highly risky and dangerous; For your life, for your finances, for the dams, nuclear facilities, god only knows. I I and 99% of Intel users want to disable what only 1% actually WANT to keep for convenience sake. Time for an off switch on this baby, and not just for the NSA. I highly recommend you disable it, even if you must flash your chip with hardware! You can bypass some of Intel ME's functionality by using an aftermarket NIC.
stimoceiver
on January 31, 2018
Hello Douglas, Thank you for an excellent article on the subject. The reality is, our electronics today are likely to be hopelessly compromised from the hardware on up. Research the concept of "hardware trojans" a bit and you may be surprised at how deep the rabbit hole runs, but then again you may not be surprised: after all, your article even mentions the baseband processor in cell phones! What a striking parallel, between the two-tiered design of "host CPU" and "IME coprocessor", when both CPU tiers have near-simultaneous access to the full suite of bus-connected sensors and subsystems, and the two-tiered design of cell phone handset system architecture! Its almost as if each design were influenced behind the scenes by the same evil masterminds from deep within the secret echelons of an overarching corporate technocracy, to enable global spying at an unprecedented scale. Strange too that there are so few manufacturers of CPUs, especially when it comes to the consumer market. Another example of how free market capitalism may well be a great idea if we ever got around to actually trying it! Two party politics, two cpu manufacturer computing. But back to the IME and AMT. This is a very disturbing direction for technology to take, but it was predictable, even if it caught most of us off guard. And it is definitely encouraging to see that many people are researching how to disable the IME and a few projects have even sprung up such as the one you note in the article. Zeroing out and reflashing parts of your BIOS using a JTAG connector is ambitious, but definitely encouraging! However the truth of the matter is that every hacker worth his l33tness who has given this a moment's thought would much rather unlock this secondary coprocessor and make full use of it. While zeroing it out and disabling it is great, what would be far more l33t would be for someone to release a way to have a look at whats currently running in there. Wouldn't it be great, just for a moment, to see all the l33t "Intel" spyware in action before you disable it? For that matter wouldn't it be great if virus scanners started scanning our BIOS, our chipset, and our hard drive firmware and comparing them against known signatures? Seems like this will only increase the demand for systems with these kinds of capabilities to be better documented or even "open". Its also interesting to note that IME and AMT seem to predate UEFI BIOS. If these "two tiered" cpu architectures really were designed to intelligence agency specs, one wonders if there isn't something like a "wake on lan" packet that could initiate, say, a BIOS update over the network. Has anyone done any experiments packet-sniffing the network adapters on IME-enabled motherboards at powerup? But it is hardly just the IME that might be leaking sensitive data this way. I have a feeling that the days will soon be upon us when people are questioning the nature of a LOT of the traffic coming from their boxes. Between powerup and the time they have a mouse cursor, let alone by the time they see a login screen or user interface, there are lots of device drivers that "phone home" and even establish ongoing connectivity. A netstat -a -b -o on a typical windows box at bootup will show a nonzero and usually significant amount of network activity. A look at the process list on a typical windows box at bootup shows somewhere around 100 processes, many of them ostensibly related to devices such as printers and scanners used only infrequently. Whats all that infrastructure really doing? Steganography and information hiding have come a looong way... I have to admit, the fact the IME exists and has the capabilities it has are about as spooky of a scenario as I could imagine. Only thing spookier would be if AMT were found to contain a built in 4G cellular modem! Or if they had some even more sophisticated, as-yet undocumented radio WAN connectivity. (Such as appears to be hinted at in a few of the entries in the "NSA Catalog" release first publicized by Jacob Appelbaum!) Time will tell but one thing is certain. The revelations about the IME mark the beginning of a bold new era of corporate dominance of the information sphere. If the FCC's response to mass consumer outcry was any indicator, the technocracy will stop at nothing to make sure this kind of capability continues to be built into every computing device sold.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

A large brand offering great value at a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service