"Active Management Technology": The obscure remote control in some Intel hardware
by Ward Vandewege, Matthew Garrett, and Richard M. Stallman
AMT is an auxiliary processor built into the high-end Intel Q chipsets with an i5 or i7 CPU. We don't know whether it is present in the cheaper H, Z, and B chipsets. It runs software loaded from a binary blob at an early stage in the process of booting the machine.
The AMT processor has total control over the machine. Here are some of the things it has the ability to do, remotely over a network:
- power control
- BIOS configuration and upgrade
- disk wipe
- system re-installation
- console access (VNC)
The AMT runs even when the computer is powered off, as long as the machine is plugged into a power outlet.
Depending on the vendor and BIOS version of your computer, the AMT functionality could be enabled, "soft" enabled, or disabled in the BIOS of your machine.
In principle there is no problem with the concept of AMT, as long as the owner of the machine controls the remote access to it. Unfortunately, that is not the case with AMT, because it is entirely proprietary and its specs are secret.
This also means that there is no way to know for sure if disabling it in the BIOS actually disables the AMT features entirely. There could be a deliberate backdoor built into the implementation. This is problem number one.
The AMT software is also likely to have security holes, and since it is not free software, users can't debug or fix them. What if there are bugs that allow access to some of the AMT features, even when the AMT is ostensibly disabled? There is no way to be reasonably certain that this is not the case. This is problem number two.
In any case, a nonfree program that is meant to be changed (just not by the user) is always unacceptable.
The average computer owner does not expect their laptop to have out-of-band remote access and control functionality built in. And yet that is exactly what AMT is. This is problem number three. If the user doesn't even know the AMT is there, how can they be expected to be able to control remote access to it?
What can be done to improve this situation?
The best you can do with a machine that has AMT is to set the BIOS settings to "disable AMT." That's not certain to do the job, but you're more likely to be safe from it this way than if you set the BIOS to "enable AMT."
For remote access, a cooperating network interface is required: Intel ethernet adapters, Intel WiFi adapters, and certain 3G modems are supported. If you can, replace Intel-made network interfaces with ones made by a different manufacturer, that do not support AMT.
When you buy new hardware, don't buy Intel hardware that has AMT. AMD chipsets do not contain anything like AMT. Note, however, that there are other comparable problems in hardware from both Intel and AMD.
For the long term, lobby Intel to release the AMT software stack as free software. Send them an email letting them know you object to AMT and will not purchase any hardware that has it.
AMT is a serious obstacle to running a fully free system on modern Intel hardware, and a threat to users' privacy and security. If you would like to join with others to help figure out how to remove or replace it, contact us at firstname.lastname@example.org.