Comment

Comment on Disabling Intel’s backdoors on modern laptops

Wander@yiffit.net ⁨10⁩ ⁨months⁩ ago

Can someone explain what the Intel ME actually does / is? Thank you.

source

Sort:hotnew top

takeda@kbin.social ⁨10⁩ ⁨months⁩ ago
Intel Management Engine is a component that has access to your computer on a level that even you, the computer owner, don't have access to. It can be operated remotely, even when your computer is off.

And traditionally you can't even disable it (remember, you're not the trusted party in that mix).

https://en.wikipedia.org/wiki/Intel_Management_Engine

source
- otter@lemmy.ca ⁨10⁩ ⁨months⁩ ago
  My understanding is that it’s meant to be an enterprise tool for Sys admins of business and schools to allow for remote monitoring and troubleshooting, but because it’s expensive to make two sets of devices, it’s in everything.
  
  Relevant bits from that wiki:
  
  The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off.
  
  Intel’s main competitor AMD has incorporated the equivalent AMD Secure Technology (formally called Platform Security Processor) in virtually all of its post-2013 CPUs.
  
  .
  
  Critics like the Electronic Frontier Foundation (EFF), Libreboot developers, and security expert Damien Zammit accused the ME of being a backdoor and a privacy concern. Zammit stresses that the ME has full access to memory (without the owner-controlled CPU cores having any knowledge), and has full access to the TCP/IP stack and can send and receive network packets independently of the operating system, thus bypassing its firewall. In the context of criticism of the Intel ME and AMD Secure Technology it has been pointed out that the National Security Agency (NSA) budget request for 2013 contained a Sigint Enabling Project with the goal to “Insert vulnerabilities into commercial encryption systems, IT systems, …” and it has been conjectured that Intel ME and AMD Secure Technology might be part of that program
  
  source
  - takeda@kbin.social ⁨10⁩ ⁨months⁩ ago
    So who is using it? Where are tools which allow you to set up and manage the infrastructure? Why it can't be disabled, except hacks, and one undocumented feature requested by NSA, because they did not want it running? It is a backdoor, if it wasn't it would be disabled by default and you would have to pay premium to have that feature enabled.
    
    source
    Brkdncr@artemis.camp ⁨10⁩ ⁨months⁩ ago
    Enterprise. Intel has a tool that lets you use it but other management services like SCCM and landesk have methods to use amt/vpro.
    
    source
Draconic_NEO@lemmy.world ⁨10⁩ ⁨months⁩ ago
IntelME is an embedded Microcontroller in the Intel Chipset (in the south-bridge chip) which depending on variations in generation, has a multitude of different features such as Active Management Technology used in IT department, clock controls and a few more things.

Because it is closed source there are security concerns about possible vulnerabilities in it which could possibly be exploited, as well as several conspiracy theories about it. Due to that hobbyists as well as certain OEMs have found out ways to disable it in attempt to mitigate these issues.

For more detailed information on it I would highly recommend this video by CCC on the subject, it covers what IntelME does and how it was able to be disabled.

[34C3 - Intel ME: Myths and reality (Youtube)}(yewtu.be/watch?v=wsmHmYxyoxg)

34C3 - Intel ME: Myths and reality (media.ccc.de)

source
- corsicanguppy@lemmy.ca ⁨10⁩ ⁨months⁩ ago
  AMT is a great way to get a passworded VNC session into the terminal.
  
  source
  - Draconic_NEO@lemmy.world ⁨10⁩ ⁨months⁩ ago
    Well provided your OEM hasn’t disabled it, on most of the computers I checked with IntelMEtool (the ones new enough to have IntelME) I found that AMT shows up as disabled on most of them, except for a few.
    
    source
Amilo159@lemmy.world ⁨10⁩ ⁨months⁩ ago
As a tech enthusiast and it support personnel i can tell you this: no one knows, possibly not even Intel.

source
- BarbecueCowboy@kbin.social ⁨10⁩ ⁨months⁩ ago
  I asked our Intel guy about it once. After you've dealt with vendors and sales engineers for long enough, you start to learn to detect when they have no clue how one of their offerings work. I'm not sure that I've ever heard so many non-specific comments, meaningless buzzwords, and attempts to redirect the conversation.
  
  I didn't get it even a little bit until I found an open source project based on Intel AMT, and that's apparently just a piece of ME.
  
  source
  - Amilo159@lemmy.world ⁨10⁩ ⁨months⁩ ago
    Sounds about right👍
    
    source
Brkdncr@kbin.social ⁨10⁩ ⁨months⁩ ago
It’s used for out of band management. With the correct hardware items (nic and gpu) it’s called vPro. With the proper certificate and supporting infrastructure it can auto-enroll into a management service such as SCCM. It allows companies to remotely view logs, bios settings and other items. With vPro it can include a complete remote KVM solution.

You can disable it from most UEFI settings interfaces without worry of causing other issues.

source
flying_monkies@kbin.social ⁨10⁩ ⁨months⁩ ago
It's a microcontroller that runs within Intel based systems allowing full control access at the processor level. It runs outside of your processor and any time the system is plugged in or is on battery. It doesn't require the main processor up for it to be accessible. More info on it on [wikipedia]https://en.wikipedia.org/wiki/Intel_Management_Engine).

AMD's equivalent is called AMD Secure Technology.

source