Purism Explains Why It Avoids Intel's AMT And Networking Cards For Its Privacy-Focused 'Librem' Notebooks


Purism, a startup making privacy-friendly and security-hardened “Librem” notebooks, wrote a recent blog post explaining how its notebooks avoid using Intel’s “Active Management Technology” (AMT), which the company called “essentially a backdoor.”

Intel AMT

Purism said that Intel’s AMT came to life mainly as a request from enterprise customers who wanted a lower-level control over their devices than the operating systems. Intel described the Active Management Technology this way:

“Intel Active Management Technology (Intel AMT) allows IT or managed service providers to better discover, repair, and protect their networked computing assets. Intel AMT enables IT or managed service providers to manage and repair not only their PC assets, but workstations and entry servers as well, utilizing the same infrastructure and tools across platforms for management consistency. For embedded developers, this means that devices can be diagnosed and repaired remotely, ultimately lowering IT support costs,” explained Intel on its website.

Remote Access

AMT allows an IT person remote access to notebooks, bypassing any security mechanisms that may be employed by whatever operating system runs on top of Intel’s chip. That’s why Purism called it “essentially a backdoor.”

If the technology itself were compromised, its remote access capability could be exploited by third parties. That capability is live even when the notebook is powered off.

Leah Rowe of GNU Libreboot (open source BIOS/UEFI firmware) also previously explained the ways in which Intel’s Management Engine (of which AMT is a component) is bad for privacy and security:

“Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shutdown the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen,” said Rowe.

“And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can't be ignored,” she added.

No AMT On Purism Notebooks

For AMT to allow remote access, three things are necessary: an Intel chip with vPro support, an Intel networking card, and the corporate version of the Intel Management Engine binary.

Therefore, to avoid AMT remote access on Purism notebooks, the company removed those capabilities from its computers, stating that:

  1. We do not use an Intel CPU that has vPro (nor AMT).
  2. We do not use an Intel networking card.
  3. We do not use the “corporate” version of the Intel Management Engine (Intel ME) binary.
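As an added illustration (not code from Purism or from the article), the Python script below applies the three-piece rule above to what a Linux host can see in `lspci -nn`: the Intel ME host interface (MEI/HECI) and any Intel Ethernet controller. The class and vendor codes are standard PCI ids; the sample `lspci` output is constructed for the example, not captured from a Librem.

```python
import re
import subprocess

INTEL_VENDOR = "8086"    # PCI vendor id of Intel as printed by `lspci -nn`
CLASS_COMM = "0780"      # "Communication controller": where the ME host interface (MEI/HECI) appears
CLASS_ETHERNET = "0200"  # "Ethernet controller"
# One `lspci -nn` line: "00:16.0 Communication controller [0780]: Intel Corporation ... [8086:1e3a] (rev 04)"
LSPCI_LINE = re.compile(
    r"^\S+\s+(?P<cls>.+?) \[(?P<clscode>[0-9a-f]{4})\]: "
    r"(?P<name>.+?) \[(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})\]"
)

# Constructed sample output (not from a real Librem): an MEI device and an Intel NIC are present.
SAMPLE_LSPCI = """\
00:16.0 Communication controller [0780]: Intel Corporation 7 Series/C216 Chipset Family MEI Controller #1 [8086:1e3a] (rev 04)
00:19.0 Ethernet controller [0200]: Intel Corporation 82579LM Gigabit Network Connection [8086:1502] (rev 04)
03:00.0 Network controller [0280]: Qualcomm Atheros AR9485 Wireless Network Adapter [168c:0032] (rev 01)
"""

def parse_lspci(text):
    """Yield (class_code, vendor_id, description) for every parsable `lspci -nn` line."""
    for line in text.splitlines():
        m = LSPCI_LINE.match(line.strip())
        if m:
            yield m.group("clscode"), m.group("vendor"), m.group("name")

def inventory(lspci_text):
    """Report the AMT 'puzzle pieces' the host OS can see among its PCI devices."""
    devices = list(parse_lspci(lspci_text))
    me_interface = [n for c, v, n in devices if c == CLASS_COMM and v == INTEL_VENDOR
                    and any(tag in n for tag in ("HECI", "MEI", "CSME", "Management Engine"))]
    intel_nic = [n for c, v, n in devices if c == CLASS_ETHERNET and v == INTEL_VENDOR]
    return {"me_interface": me_interface, "intel_nic": intel_nic}

def amt_possible(inv, vpro_cpu, corporate_me):
    """Purism's rule: AMT remote access needs a vPro CPU, an Intel NIC and the corporate ME binary."""
    return bool(inv["intel_nic"]) and bool(vpro_cpu) and bool(corporate_me)

def main():
    try:
        text = subprocess.run(["lspci", "-nn"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_LSPCI  # no lspci on this system: fall back to the constructed sample
    inv = inventory(text)
    print("ME host interface:", inv["me_interface"] or "none found")
    print("Intel NIC:        ", inv["intel_nic"] or "none found (AMT remote access ruled out)")

if __name__ == "__main__":
    main()
```

vPro support and whether the ME binary is the corporate SKU are not visible in `lspci`, so those two are explicit inputs to `amt_possible`. AMT's own network listeners are served by the ME rather than the host OS, so a host-side port listing would not reveal them either.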

Consumer Version Of Intel ME

However, Purism noted that its notebooks do contain a consumer version of Intel’s proprietary Management Engine binary. Purism recently created a petition calling on Intel to completely remove ME from its chips. The company also said that it's now working with Intel on ME-less chip designs.

Intel claimed that the consumer version of ME doesn’t allow remote access, but because the technology is closed source and proprietary, Purism can’t be sure either way. However, Librem notebooks should be free from hardware-level remote access because they lack AMT and Intel networking chips.

Purism noted, "This is an order of magnitude less worrisome than the enormous security hole that a complete Intel AMT system (with all three 'puzzle pieces' put together) represents--a system vulnerable to all-encompassing remote access even when powered off."

Purism hopes to eventually create privacy and security-focused notebooks with no proprietary ME technology in them, to minimize the potential for backdoors in hardware and firmware that can’t be audited by anyone but Intel. The company is currently selling notebooks with both its own PureOS privacy-friendly operating system and with Qubes OS, the operating system that takes security to the next level through virtualized isolation.

Comment from the forums
  • jimmysmitty
    There is a lot more to it than the tech just being there. It has to be activated and running to even work. Just because you have a vPro enabled system does not mean it is actually running.

    That said, it is a fantastic piece of tech. It is like an iDRAC for your PC and allows IT professionals to not only remotely troubleshoot a system from the BIOS level but to also send a kill command to a lost or stolen piece of company equipment saving the company from possibly losing sensitive information.

    I am all for people having the choice, which is why you need a vPro enabled CPU and chipset for this to even work. If you have a vPro CPU but not a chipset nor the NIC then you can't even use it.
  • Achoo22
    Good for Purism. I'm not a neophyte, but when I open up the process manager on my computer I see dozens of services and applications (many hiding under the needlessly obtuse svchost aegis) that I cannot identify by name or purpose. I would happily trade a little functionality for simplicity, security, and transparency. Especially when the functionality we're trading is more useful to the vendors than the owners.
  • jimmysmitty
    Anonymous said:
    Good for Purism. I'm not a neophyte, but when I open up the process manager on my computer I see dozens of services and applications (many hiding under the needlessly obtuse svchost aegis) that I cannot identify by name or purpose. I would happily trade a little functionality for simplicity, security, and transparency. Especially when the functionality we're trading is more useful to the vendors than the owners.
    SVCHost are all Windows processes for Windows services. Some are the driver API layer others are the OS API layer. There is nothing wrong with it. Linux has its own process that handles the driver and OS layers as well as does every OS.

    They are being paranoid for no reason and it is dumbfounding that anyone can believe that Intel's AMT is a back door when you have to have not only all three components for it to work but also a server to access it, then you have to give permission to access it. It is much like Dell iDRACs, which do the exact same thing: they give low level hardware access to servers but require you to be on the same network to be able to access them.

    http://www.intel.com/content/www/us/en/architecture-and-technology/vpro/vpro-technology-general.html

    People need to read before jumping and assuming it is a back door. When setup properly vPro is very secure and was asked for by many IT professionals.

    This company going out of their way to avoid a superior NIC because they don't want to use AMT is stupid to me, since if only the NIC has it, it would not even be enabled, as that requires you to have the back end to even use it.