by Ward Vandewege, Matthew Garrett, and Richard M. Stallman
AMT is an auxiliary processor built into the high-end Intel Q chipsets
with an i5 or i7 CPU. We don't know whether it is present in the
cheaper H, Z, and B chipsets. It runs software loaded from a binary
blob at an early stage in the process of booting the machine.
The AMT processor has total control over the machine. Here are some of
the things it has the ability to do, remotely over a network:
- power control
- BIOS configuration and upgrade
- disk wipe
- system re-installation
- console access (VNC)
The AMT runs even when the computer is powered off, as long as the
machine is plugged into a power outlet.
Depending on the vendor and BIOS version of your computer, the AMT
functionality could be enabled, "soft" enabled, or disabled in the
BIOS of your machine.
In principle there is no problem with the concept of AMT, as long as
the owner of the machine controls the remote access to it.
Unfortunately, that is not the case with AMT, because it is entirely
proprietary and its specs are secret.
This also means that there is no way to know for sure if disabling it
in the BIOS actually disables the AMT features entirely. There could
be a deliberate backdoor built into the implementation. This is
problem number one.
The AMT software is also likely to have security holes, and since it
is not free software, users can't debug or fix them. What if there are
bugs that allow access to some of the AMT features, even when the AMT
is ostensibly disabled? There is no way to be reasonably certain that
this is not the case. This is problem number two.
In any case, a nonfree program that is meant to be changed (just not
by the user) is always unacceptable.
The average computer owner does not expect their laptop to have out-of-band
remote access and control functionality built in. And yet that is exactly what
AMT is. This is problem number three. If the user doesn't even know the AMT is
there, how can they be expected to be able to control remote access to it?
What can be done to improve this situation?
The best you can do with a machine that has AMT is to set the BIOS
settings to "disable AMT." That's not certain to do the job, but
you're more likely to be safe from it this way than if you set the
BIOS to "enable AMT."
For remote access, a cooperating network interface is required: Intel
ethernet adapters, Intel WiFi adapters, and certain 3G modems are
supported. If you can, replace Intel-made network interfaces with ones
made by a different manufacturer, that do not support AMT.
When you buy new hardware, don't buy Intel hardware that has AMT. AMD
chipsets do not contain anything like AMT. Note, however, that there are
other comparable problems in hardware from both Intel and AMD.
For the long term, lobby Intel to release the AMT software stack as
free software. Send them an
email
letting them know you object to AMT and will not purchase any hardware
that has it.
AMT is a serious obstacle to running a fully free system on modern
Intel hardware, and a threat to users' privacy and security. If you
would like to join with others to help figure out how to remove or
replace it, contact us at campaigns@fsf.org.
