Purism Explains Why It Avoids Intel's AMT And Networking Cards For Its Privacy-Focused 'Librem' Notebooks

Purism Librem 13

Purism, a startup making privacy-friendly and security-hardened “Librem” notebooks, wrote a recent blog post explaining how its notebooks avoid using Intel’s “Active Management Technology” (AMT), which the company called “essentially a backdoor.”

Intel AMT

Purism said that Intel’s AMT came to life mainly as a request from enterprise customers who wanted control over their fleets at a lower level than the operating system can offer. Intel described the Active Management Technology this way:

“Intel Active Management Technology (Intel AMT) allows IT or managed service providers to better discover, repair, and protect their networked computing assets. Intel AMT enables IT or managed service providers to manage and repair not only their PC assets, but workstations and entry servers as well, utilizing the same infrastructure and tools across platforms for management consistency. For embedded developers, this means that devices can be diagnosed and repaired remotely, ultimately lowering IT support costs,” explained Intel on its website.

Remote Access

AMT allows an IT person remote access to notebooks, bypassing any security mechanisms that may be employed by whatever operating system runs on top of Intel’s chip. That’s why Purism called it “essentially a backdoor.”

If AMT itself were compromised, the same remote access channel would be available to a third party. Because AMT runs inside the Management Engine rather than on the host CPU, it stays reachable while the operating system is shut down, for as long as the machine has power (on a notebook, in practice, while it is plugged in).

Leah Rowe of GNU Libreboot (a free-software replacement for proprietary BIOS/UEFI firmware, built on coreboot) also previously explained the ways in which Intel’s Management Engine (of which AMT is a component) is bad for privacy and security:

“Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shutdown the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen,” said Rowe. “And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can't be ignored,” she added.

No AMT On Purism Notebooks

For AMT to allow remote access, three things are necessary: an Intel chip with vPro support, an Intel networking card, and the corporate version of the Intel Management Engine binary.

Therefore, to avoid AMT remote access on Purism notebooks, the company removed those capabilities from its computers, stating that:

  • We do not use an Intel CPU that has vPro (nor AMT).
  • We do not use an Intel networking card.
  • We do not use the “corporate” version of the Intel Management Engine (Intel ME) binary.
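The three "puzzle pieces" above can be checked, at least heuristically, on a machine you own. The script below is an added example (not Purism's code and not from the article): it inspects `lspci -nn`-style output for the ME host interface (the HECI/MEI device, which is present whether the consumer or corporate ME firmware is installed) and for Intel network devices, and it offers a network-side probe of the ports the ME's AMT web server listens on. The `lspci` text is constructed for illustration, and the AMT `Server` banner format and port list are assumed from typical AMT deployments. The important caveat, reflected in the comments, is that the host OS cannot see AMT's listeners: the Intel NIC hands those ports to the ME before the kernel's TCP stack sees them, so `ss` or `netstat` on the machine itself will show nothing, and the probe has to run from another host on the same network.

```python
# Added example: heuristic checks for the three AMT "puzzle pieces".
# Not Purism's code; lspci samples and banner format are assumptions.
import re
import socket
import http.client
from typing import Dict, List, Optional

# Constructed `lspci -nn`-style output for a vPro-class machine
# (Intel NIC and wireless present). IDs are illustrative only.
LSPCI_VPRO_CLASS = """\
00:00.0 Host bridge [0600]: Intel Corporation 6th Gen Core Processor Host Bridge/DRAM Registers [8086:1910] (rev 08)
00:16.0 Communication controller [0780]: Intel Corporation Sunrise Point-LP CSME HECI #1 [8086:9d3a] (rev 21)
00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection I219-LM [8086:156f] (rev 21)
02:00.0 Network controller [0280]: Intel Corporation Wireless 8260 [8086:24f3] (rev 3a)
"""

# Constructed output for a machine with a consumer ME but no Intel NIC
# (the Librem-style configuration the article describes).
LSPCI_NO_INTEL_NIC = """\
00:00.0 Host bridge [0600]: Intel Corporation 6th Gen Core Processor Host Bridge/DRAM Registers [8086:1910] (rev 08)
00:16.0 Communication controller [0780]: Intel Corporation Sunrise Point-LP CSME HECI #1 [8086:9d3a] (rev 21)
02:00.0 Network controller [0280]: Qualcomm Atheros AR9462 Wireless Network Adapter [168c:0034] (rev 01)
"""

# The ME host interface shows up as a "Communication controller" whose
# description mentions HECI or MEI; match on the text, not on device IDs.
MEI_PATTERN = re.compile(r"\b(HECI|MEI|Management Engine Interface)\b", re.IGNORECASE)
NIC_CLASS_PATTERN = re.compile(r"^\S+ (Ethernet controller|Network controller)")
# Assumed banner of the ME's built-in web server, e.g.
# "Server: Intel(R) Active Management Technology 11.0.0.1205".
AMT_BANNER = re.compile(r"Intel\(R\) Active Management Technology\s*([\d.]+)?")
# Ports the ME answers on when AMT is provisioned. The Intel NIC diverts
# them to the ME before the host OS sees them, so `ss`/`netstat` on the
# machine itself will NOT list them; probe from another host.
AMT_PORTS = (16992, 16993, 16994, 16995, 623, 664)


def find_mei_devices(lspci_text: str) -> List[str]:
    """PCI devices exposing the ME host interface. Presence means an ME is
    running (consumer or corporate firmware); it does not mean AMT is on."""
    return [line for line in lspci_text.splitlines()
            if "Communication controller" in line and MEI_PATTERN.search(line)]


def find_intel_nics(lspci_text: str) -> List[str]:
    """Intel-made wired or wireless network devices: the second piece."""
    return [line for line in lspci_text.splitlines()
            if NIC_CLASS_PATTERN.match(line) and "Intel Corporation" in line]


def assess(lspci_text: str) -> Dict[str, bool]:
    """Summarise which local puzzle pieces are visible from the host."""
    return {
        "me_present": bool(find_mei_devices(lspci_text)),
        "intel_nic": bool(find_intel_nics(lspci_text)),
    }


def parse_amt_banner(server_header: Optional[str]) -> Optional[str]:
    """Return the AMT version if the HTTP Server header is the ME's web UI."""
    if not server_header:
        return None
    match = AMT_BANNER.search(server_header)
    if not match:
        return None
    return match.group(1) or "unknown"


def probe_amt(host: str, timeout: float = 2.0) -> Dict[str, object]:
    """Run from ANOTHER machine on the network: TCP-connect to the AMT ports
    and read the banner of the ME web server on 16992 if it answers."""
    open_ports = []
    for port in AMT_PORTS:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    version = None
    if 16992 in open_ports:
        conn = http.client.HTTPConnection(host, 16992, timeout=timeout)
        try:
            conn.request("GET", "/")
            version = parse_amt_banner(conn.getresponse().getheader("Server"))
        except (OSError, http.client.HTTPException):
            pass
        finally:
            conn.close()
    return {"open_ports": open_ports, "amt_version": version}


if __name__ == "__main__":
    for label, text in (("vPro-class", LSPCI_VPRO_CLASS),
                        ("no Intel NIC", LSPCI_NO_INTEL_NIC)):
        print(label, assess(text))
```

On a real machine, feed it the output of `lspci -nn` instead of the constructed samples. Note that a positive `me_present` on the second sample is exactly the situation the article describes for the Librem: the ME is there, but without an Intel NIC (and without the corporate firmware) the remote access path is not. Whether AMT is actually provisioned cannot be settled from `lspci` alone; the network probe from a second host, or a query of the ME over its host interface, is needed for that.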

Consumer Version Of Intel ME

However, Purism noted that its notebooks do contain a consumer version of Intel’s proprietary Management Engine binary. Purism recently created a petition calling on Intel to completely remove ME from its chips. The company also said that it's now working with Intel on ME-less chip designs.

Intel claimed that the consumer version of ME doesn’t allow remote access, but because the technology is closed source and proprietary, Purism can’t verify that either way. However, Librem notebooks should be free from hardware-level remote access because they lack both AMT and Intel networking chips.

Purism noted, "This is an order of magnitude less worrisome than the enormous security hole that a complete Intel AMT system (with all three 'puzzle pieces' put together) represents--a system vulnerable to all-encompassing remote access even when powered off."

Purism hopes to eventually create privacy and security-focused notebooks with no proprietary ME technology in them, to minimize the potential for backdoors in hardware and firmware that can’t be audited by anyone but Intel. The company is currently selling notebooks with both its own PureOS privacy-friendly operating system and with Qubes OS, the operating system that isolates applications from one another by running them in separate virtual machines.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • jimmysmitty
    There is a lot more to it than the tech just being there. It has to be activated and running to even work. Just because you have a vPro enabled system does not mean it is actually running.

    That said, it is a fantastic piece of tech. It is like an iDRAC for your PC and allows IT professionals to not only remotely troubleshoot a system from the BIOS level but to also send a kill command to a lost or stolen piece of company equipment saving the company from possibly losing sensitive information.

    I am all for people to have the choice, which is why you need a vPro enabled CPU and chipset for this to even work. If you have a vPro CPU but not a chipset nor the NIC then you can't even use it.
    Reply
  • Achoo22
    Good for Purism. I'm not a neophyte, but when I open up the process manager on my computer I see dozens of services and applications (many hiding under the needlessly obtuse svchost aegis) that I cannot identify by name or purpose. I would happily trade a little functionality for simplicity, security, and transparency. Especially when the functionality we're trading is more useful to the vendors than the owners.
    Reply
  • jimmysmitty
    18518380 said:
    Good for Purism. I'm not a neophyte, but when I open up the process manager on my computer I see dozens of services and applications (many hiding under the needlessly obtuse svchost aegis) that I cannot identify by name or purpose. I would happily trade a little functionality for simplicity, security, and transparency. Especially when the functionality we're trading is more useful to the vendors than the owners.

    svchost processes are all Windows processes for Windows services. Some are the driver API layer, others are the OS API layer. There is nothing wrong with it. Linux has its own process that handles the driver and OS layers, as does every OS.

    They are being paranoid for no reason and it is dumbfounding that anyone can believe that Intel's AMT is a back door when you have to have not only all three components for it to work but also a server to access it, then you have to give permission to access it. It is much like Dell iDRACs, which do the exact same thing: they give low level hardware access to servers but require you to be on the same network to be able to access them.

    http://www.intel.com/content/www/us/en/architecture-and-technology/vpro/vpro-technology-general.html

    People need to read before jumping and assuming it is a back door. When setup properly vPro is very secure and was asked for by many IT professionals.

    This company going out of their way to avoid a superior NIC because they don't want to use AMT is stupid to me, since if only the NIC has it, it would not even be enabled, as that requires you to have the back end to even use it.
    Reply
  • mathew7
    This is not about doing what Intel designed it to do. This is about a possible vulnerability which could activate the AMT when the user/IT kept it disabled. Think about the cold war sleeper agents.
    Being closed, there is no scrutiny, therefore even if a designed backdoor exists, it may be known only to Intel and some NDA'd parties. As for the "security IT personnel" vouching for its security, who trained them? The answer will always be "Intel", and their recommendation is based on marketing.
    Reply
  • peterhelpme
    People saying 'nothing to worry about' are simply people with a lack of imagination. Hackers, on the other hand, do have the skills and the imagination needed to penetrate all the 'safe' and 'nothing to worry about' systems.
    Reply
  • jungleboogiemonster
    Depending on how Zen turns out, it may be a secure alternative to Intel products.
    Reply
  • jimmysmitty
    18518882 said:
    This is not about doing what Intel designed it to do. This is about a possible vulnerability which could activate the AMT when the user/IT kept it disabled. Think about the cold war sleeper agents.
    Being closed, there is no scrutiny, therefore even if a designed backdoor exists, it may be known only to Intel and some NDA'd parties. As for the "security IT personnel" vouching for its security, who trained them? The answer will always be "Intel", and their recommendation is based on marketing.

    A vulnerability that does not exist if you do not have all the required components for it to even work. If none of the components support vPro then there is no vulnerability. If only one or two do it doesn't work. They went with an Intel chipset and CPU yet avoided Intel NICs because they were afraid of a possible backdoor with AMT/vPro yet there are plenty of Intel NICs that do not run or support vPro/AMT:

    http://ark.intel.com/products/71305/Intel-Ethernet-Connection-I218-V

    I have that NIC in my desktop and it does not support vPro/AMT.

    As I said I am all for choice but I am not afraid to call out a stupid decision by a company being overly paranoid for nothing.

    18519304 said:
    People saying 'nothing to worry about' are simply people with a lack of imagination. Hackers, on the other hand, do have the skills and the imagination needed to penetrate all the 'safe' and 'nothing to worry about' systems.

    I didn't say there was nothing to worry about. Even Linux/Unix is hackable and not completely safe, nor is this company's devices/OS. I said it is stupid to avoid a superior product over a fear of a possible backdoor in a feature, when you can actually get products from said company that do not have nor support said feature. See my link above for an example of an Intel NIC that does not have/support vPro/AMT.
    Reply
  • amk-aka-Phantom
    Jimmysmitty is completely correct. This company is just raising a lot of noise over a non-issue - possibly to attract attention of paranoid but tech-illiterate customers. I can't imagine a real IT professional purchasing a laptop from a no-name manufacturer that intentionally chooses inferior hardware pretending that it's more secure.
    Reply
  • DrGreer
    This board also has m.2 (Not just u.2) and supports Intel Turbo Boost 3 whereas the Asus’s X99-E WS/USB 3.1 only supports version 2.
    Reply