Purism, a startup making privacy-friendly and security-hardened “Librem” notebooks, wrote a recent blog post explaining how its notebooks avoid using Intel’s “Active Management Technology” (AMT), which the company called “essentially a backdoor.”
Intel AMT
Purism said that Intel’s AMT came to life mainly at the request of enterprise customers who wanted lower-level control over their devices than the operating system provides. Intel described the Active Management Technology this way:
“Intel Active Management Technology (Intel AMT) allows IT or managed service providers to better discover, repair, and protect their networked computing assets. Intel AMT enables IT or managed service providers to manage and repair not only their PC assets, but workstations and entry servers as well, utilizing the same infrastructure and tools across platforms for management consistency. For embedded developers, this means that devices can be diagnosed and repaired remotely, ultimately lowering IT support costs,” explained Intel on its website.
Remote Access
AMT allows an IT person remote access to notebooks, bypassing any security mechanisms that may be employed by whatever operating system runs on top of Intel’s chip. That’s why Purism called it “essentially a backdoor.”
The same technology could itself be compromised, and its remote access capability could then be exploited by third parties. The remote access capability is live even when the notebooks are powered off.
Leah Rowe of GNU Libreboot (open source BIOS/UEFI firmware) also previously explained the ways in which Intel’s Management Engine (of which AMT is a component) is bad for privacy and security:
“Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shutdown the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen,” said Rowe. “And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can't be ignored,” she added.
No AMT On Purism Notebooks
For AMT to allow remote access, three things are necessary: an Intel chip with vPro support, an Intel networking card, and the corporate version of the Intel Management Engine binary.
Therefore, to avoid AMT remote access on Purism notebooks, the company removed those capabilities from its computers, stating that:
We do not use an Intel CPU that has vPro (nor AMT).
We do not use an Intel networking card.
We do not use the “corporate” version of the Intel Management Engine (Intel ME) binary.
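As an added illustration (not from the article or from Purism), the following POSIX shell inventory check looks for two of the three prerequisites listed above, an Intel ME host interface and an Intel Ethernet controller, in constructed lspci-style output; the optional last step assumes the separately available mei-amt-check tool is installed for the firmware question.

```shell
#!/bin/sh
# Added example, not Purism's or the article's code. It checks lspci text for
# two of the three AMT prerequisites named above: an Intel MEI/HECI controller
# (the host side of the Management Engine) and an Intel Ethernet controller.
# The third piece, the corporate ME firmware variant, is not visible in lspci.

# Return 0 if the given lspci text lists an Intel MEI/HECI controller, else 1.
has_mei_controller() {
    printf '%s\n' "$1" | grep -Eq 'Intel Corporation.*(MEI|HECI|Management Engine)'
}

# Return 0 if the given lspci text lists an Intel wired Ethernet controller, else 1.
has_intel_nic() {
    printf '%s\n' "$1" | grep -Eq 'Ethernet controller: Intel Corporation'
}

# Print "amt-capable-hardware" only when both hardware pieces are present,
# mirroring the article's point that AMT needs all the pieces together.
amt_hardware_verdict() {
    if has_mei_controller "$1" && has_intel_nic "$1"; then
        echo amt-capable-hardware
    else
        echo no-amt-hardware
    fi
}

# Constructed sample: a business laptop with a MEI controller and an Intel NIC.
SAMPLE_VPRO='00:00.0 Host bridge: Intel Corporation 6th Gen Core Processor Host Bridge/DRAM Registers (rev 07)
00:16.0 Communication controller: Intel Corporation Sunrise Point-LP CSME HECI #1 (rev 21)
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection I219-LM (rev 21)'

# Constructed sample in the Librem style described above: the consumer ME host
# interface is still present, but the wired NIC is not an Intel part.
SAMPLE_LIBREM_STYLE='00:00.0 Host bridge: Intel Corporation 6th Gen Core Processor Host Bridge/DRAM Registers (rev 08)
00:16.0 Communication controller: Intel Corporation Sunrise Point-LP CSME HECI #1 (rev 21)
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)'

# Run the same checks on the current machine, then ask mei-amt-check (a
# separate tool, assumed installed; usually needs root) about the firmware.
check_this_host() {
    command -v lspci >/dev/null 2>&1 || { echo 'lspci not found' >&2; return 1; }
    amt_hardware_verdict "$(lspci)"
    command -v mei-amt-check >/dev/null 2>&1 && mei-amt-check
    return 0
}

echo "vPro-style sample: $(amt_hardware_verdict "$SAMPLE_VPRO")"
echo "Librem-style sample: $(amt_hardware_verdict "$SAMPLE_LIBREM_STYLE")"
```

Run `check_this_host` on a live system to apply the same rules to its real lspci output; a "no-amt-hardware" result only rules out the AMT path, not the consumer ME itself.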
Consumer Version Of Intel ME
However, Purism noted that its notebooks do contain a consumer version of Intel’s proprietary Management Engine binary. Purism recently created a petition calling on Intel to completely remove ME from its chips. The company also said that it's now working with Intel on ME-less chip designs.
Intel claimed that the consumer version of ME doesn’t allow remote access, but because the technology is closed source and proprietary, Purism can’t be sure either way. However, Librem notebooks should be free from hardware-level remote access because they lack AMT and Intel networking chips.
Purism noted, "This is an order of magnitude less worrisome than the enormous security hole that a complete Intel AMT system (with all three 'puzzle pieces' put together) represents--a system vulnerable to all-encompassing remote access even when powered off."
Purism hopes to eventually create privacy- and security-focused notebooks with no proprietary ME technology in them, to minimize the potential for backdoors in hardware and firmware that can’t be audited by anyone but Intel. The company is currently selling notebooks with either its own privacy-friendly PureOS operating system or Qubes OS, the operating system that takes security to the next level through virtualized isolation.