3 Replies Latest reply on Sep 29, 2015 4:01 AM by JFFulcrum

    Does Intel sell without AMT/ME/SMM?

    Skybuck

      Hello,

      Does Intel sell (recent) chipsets/processors without AMT/ME/SMM?

      I'd like to add to that: without JAVA/ThreadX/RTOS?

      I think these technologies are unnecessary for home/desktop computers and form an unnecessary security/privacy risk!

      (Especially the remote control and remote monitoring components.)

      Bye,
        Skybuck.

        • 1. Re: Does Intel sell without AMT/ME/SMM?
          JFFulcrum

          I wanted to say: don't use the built-in network adapter and everything will be OK, but any modern NIC or WiFi adapter already contains a SoC with a CPU and an RTOS, so keep calm and clean.

          Actually, you should try to use the things you listed in a real corporate environment, to find that they are so hard to use, buggy and undocumented that it was quicker and easier to send some technicians to make the needed changes on the PCs instead of spending hours trying to make this crap work as it should. So if qualified system engineers find it hard to use such tech in practice (in a controlled environment!), malevolent use in the wild Internet should be overcomplicated as well.

          • 2. Re: Does Intel sell without AMT/ME/SMM?
            Skybuck

            Let's suppose for a moment that I am OK with the RTOS.

            Why would not using the internal NIC matter at all? AMT is supposed to control the entire machine... so once compromised it could surely also control an extension-card NIC?!

            • 3. Re: Does Intel sell without AMT/ME/SMM?
              JFFulcrum

              The on-board NIC is often based on chipset-integrated MAC functions (i.e. they are just PHY chips), and the chipset MAC has a dedicated connection to ME/vPro, making traffic interception and insertion work for management functions. A PCI-connected NIC (with its own MAC) is not so easy for traffic intervention; there is a need for special protocol support (so Intel-based NICs are a bad choice for security paranoiacs), or OS-level NDIS filter insertion (included in the ME driver stack), or direct PCIe memory area manipulation (needs knowledge about the exact NIC controller details).

              To exploit AMT/ME, a villain should first take control over your home router, to make it possible to send magic packets and custom DHCP options and to set up a special traffic redirection to his own server with a PXE boot feature, an HTTPS responder with a valid TLS certificate, and Intel toolkits installed. And the PC can stall at any moment due to the usually bad firmware and NIC/MB initialization routines in home desktop market MB BIOSes. Having control over the user's router by itself makes much simpler attacks possible, with no need for a complex server setup and dealing with bad OEM integration.
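One practical consequence of the chipset MAC hand-off described above is that AMT's management listeners are diverted to the ME before the host OS sees them, so `netstat`/`ss` on the desktop itself will not show them; the check has to be made from another machine on the LAN. The script below is an added example, not code from the thread or from Intel: it probes the documented AMT/ASF TCP ports on a host you own and, where the HTTP management port answers, reads the `Server:` banner, which is assumed here to contain "Intel(R) Active Management Technology" as observed on AMT firmware. `check_host`, `assess` and the sample inputs are the example's own constructs.

```python
import socket

# Documented Intel AMT / ASF management ports (TCP).
AMT_PORTS = {
    16992: "AMT HTTP management (web UI / WS-Management)",
    16993: "AMT HTTPS management",
    16994: "AMT redirection (SOL / IDE-R)",
    16995: "AMT redirection over TLS",
    623: "ASF/RMCP management",
    664: "ASF/RMCP secure management",
}

def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a plain TCP connect() to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def parse_server_header(http_reply: str) -> str:
    """Return the value of the Server: header from a raw HTTP reply ('' if none)."""
    for line in http_reply.split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""

def http_server_header(host: str, port: int = 16992, timeout: float = 2.0) -> str:
    """Request '/' from the AMT web service and return its Server: header."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            return parse_server_header(s.recv(4096).decode(errors="replace"))
    except OSError:
        return ""

def assess(open_ports, server_header: str = "") -> dict:
    """Summarise AMT exposure from observed open ports and the Server: banner."""
    # Assumption: the AMT web service names itself "Intel(R) Active Management Technology".
    exposed = {p: AMT_PORTS[p] for p in open_ports if p in AMT_PORTS}
    confirmed = "active management technology" in server_header.lower()
    verdict = ("AMT management interface reachable from the LAN"
               if exposed or confirmed else "no AMT/ASF management ports observed")
    return {"exposed": exposed, "amt_confirmed": confirmed, "verdict": verdict}

def check_host(host: str) -> dict:
    # Run from a second machine on the LAN against your own desktop.
    open_ports = [p for p in AMT_PORTS if tcp_open(host, p)]
    banner = http_server_header(host) if 16992 in open_ports else ""
    return assess(open_ports, banner)
```

A host that shows none of these ports from the LAN is not necessarily free of the ME, only of a provisioned, network-reachable AMT interface.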