Is this Intel Backdoor story for real?

Discussion in 'PC' started by Havana, Sep 29, 2025.

Yes if you think it's true.

This poll will close on Oct 20, 2025 at 11:58 PM.
  1. Yes, it's true. 76.9%
  2. No, it's fake. 23.1%
  1. Havana

  3. Synclavier

    [IMG]

    Yep..
     
  4. Lieglein

  5. Will Kweks

    Is this about IME/AMT? Yeah, it's about IME/AMT.

    It's true, though this video is (as is always the case with these kinds of clips) sensationalist, and it's been known for a long time: https://en.wikipedia.org/wiki/Intel_Management_Engine

    Widespread use in corporate environments, where remote control is assumed and used a lot. It's not a universal backdoor though, but it can be exploited. Know your adversary and adjust your paranoia levels accordingly.

    *edit* I meant to say that while it can be exploited, there are easier ways to pwn someone.

    *edit2* Fun fact: ME runs Minix, which was a teaching operating system for students to learn from, including one Mr. Torvalds who got frustrated with it and started writing his own, and got into a massive flamefest with Minix's creator, Andrew Tanenbaum. It's a very entertaining evening read for us nerds.
     
    Last edited: Sep 30, 2025
    • Agree x 2
    • Interesting x 2
    • Like x 1
  6. Synclavier

    [IMG]
     
  7. saccamano

    The insidious thing about IME for those non-corporate users wishing to protect their privacy from being hijacked remotely by some mischievous dickhead is that the engine for the thing works independently of the main processing architecture. In essence, what this means is that even a machine that is powered off (with the power cable still connected) can be turned on remotely and its contents ransacked by any shithead with a remote console.

    Fortunately for us, IME works with specific network ports in order for "remote" control to occur. The port mapping is an industry-defined standard and IME can be more effectively disabled by simply blocking access to those ports at the firewall closest to your internet demarcation point. This would be the firewall located on your internet router or just behind your internet router. That being so, you simply block those ports once (both directions) so that everything located behind that firewall is protected.
     
    Last edited: Sep 30, 2025
    • Useful x 2
    • Agree x 1
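
An added example, not part of saccamano's post or of any vendor tooling: a small Python audit of an `iptables-save` dump that reports which Intel AMT TCP ports a router's FORWARD chain does not block in both directions. The port numbers (623, 664, 16992-16995), the sample ruleset and the interface name `wan0` are assumptions supplied for the example; the thread does not list them.

```python
import shlex

# TCP ports registered for Intel AMT / ASF remote management. The thread
# does not list them; they are supplied here as an assumption of the example.
AMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}

def expand_ports(spec):
    """Expand an iptables port spec such as '623,664,16992:16995'."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def unblocked_amt_ports(ruleset, chain="FORWARD"):
    """Return the AMT TCP ports the chain does not block in both directions.

    Simplified model: the first rule that matches a port purely by TCP
    destination port decides it. Rules narrowed by interface or address
    (-i, -o, -s, -d) or negated with '!' are skipped, since they cover
    only one direction or a subset of hosts.
    """
    verdict = {}
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain] or {"-i", "-o", "-s", "-d", "!"} & set(tok):
            continue
        nxt = dict(zip(tok, tok[1:]))  # maps each option to the token after it
        spec = nxt.get("--dport") or nxt.get("--dports")
        if nxt.get("-p") != "tcp" or spec is None:
            continue
        for port in expand_ports(spec) & AMT_PORTS:
            verdict.setdefault(port, nxt.get("-j"))  # first match wins
    return sorted(p for p in AMT_PORTS if verdict.get(p) not in ("DROP", "REJECT"))

# Constructed sample (not from the thread): the router drops the HTTP/HTTPS
# and redirection ports, but blocks the ASF ports only on the WAN interface.
SAMPLE_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --dport 16992:16995 -j DROP
-A FORWARD -i wan0 -p tcp -m multiport --dports 623,664 -j DROP
COMMIT
"""

if __name__ == "__main__":
    print("AMT ports still forwarded:", unblocked_amt_ports(SAMPLE_RULES))
```

The audit covers only what the router forwards; it says nothing about hosts on the same LAN segment reaching each other's management ports.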
  8. macros mk2

    i start every song with "I AM GONNA BOMB YOU ALL" in the hopes the NSA will contact me with some encouraging words about my tunes but so far nothing. :/
     
  9. Havana

    Question is "is it even legal?"
     
  10. SineWave

    It's nothing new.

    IME is legal and useful, but the problem with it is that it cannot be entirely disabled. If you want it completely disabled, you disable it in the BIOS first, then disable network ports at the router, just like @saccamano said. That's at least what I know about it. I always disable it on Intel PCs not because I'm afraid of the NSA, but that other nefarious people could use it to steal my prOn. :yes:

    People like these: https://en.wikipedia.org/wiki/Mini-Me :)
     
    • Agree x 1
    • Interesting x 1
  11. taskforce

    Lemme say upfront you can disable IME but Minix is still in there and you cannot disable it. And given the circumstance, no matter if the specific to IME network ports are disabled, you can be hacked and Minix remotely enabled if you are online. You can stay completely offline if you are mad about it hehe. And because I have spoken very bad of Intel practice over the years, AMD users are not free of similar paranoia. There is unknown territory to be explored in Ryzen and all derivative CPUs (Threadripper, Epyc) and it is most surely one of the same as Intel.
    Cheers mates
     
  12. PulseWave

  13. Will Kweks

    AMD has remote management tools that work even when the system is shut down and allow system interaction that way, so they're probably not too far off. I've no clue what CPUs do this (outside EPYC), as so far there's nothing that iLO or iDRAC can't do that I've needed.
     
  14. Dan Fuerth

    • AMT is for Enterprise: AMT is a feature built on top of the ME that provides remote management capabilities for computers and is primarily marketed to large businesses for IT administration.

    • Embedded Microcontroller: The IME is a tiny, self-contained computer running within Intel chipsets.
    • Core System Functionality: It runs a microkernel operating system and handles various system features and services for Intel-based computers.
    • Broad Availability: It has been a standard component in Intel chipsets since 2008, not limited to specific processors or large businesses.

    As far as I am aware, I worked in some IT departments and this was always a part of the Windows Active Directory (broken down as follows):

    • Centralized Management: It allows IT administrators to manage and configure AMT-enabled PCs from a central location using familiar Active Directory tools and security models.
    • Enhanced Security: By integrating with Active Directory's security framework, you can better control access to AMT features and ensure that only authorized personnel can manage devices remotely.
    • Automated Provisioning: You can automate the process of configuring and provisioning new Intel AMT systems by defining profiles in the Setup and Configuration Service (SCS) and applying them to AD objects.
    • Simplified Operations: It simplifies tasks like discovering, deploying, and maintaining Intel AMT devices, especially in large enterprise environments.
     
    • Interesting x 1