What's Wrong with AMT
AMT is an auxiliary processor built into the high-end Intel Q-series chipsets paired with an i5 or i7 CPU. We don't know whether it is present in the cheaper H, Z and B chipsets. It runs software loaded from a binary blob at an early stage of the machine's boot process, before the operating system is loaded.
The AMT processor has total control over the machine. Here are some of the things it has the ability to do:
- remote power control
- remote BIOS configuration and upgrade
- remote disk wipe
- remote system re-installation
- remote console access (VNC)
The AMT runs even when the computer is powered off, as long as the machine is plugged into a power outlet.
Depending on the vendor and BIOS version of your computer, the AMT functionality could be enabled, 'soft' enabled, or disabled in the BIOS of your machine.
In principle there is no problem with the concept of AMT, as long as the owner of the machine controls the remote access to it. Unfortunately, that is not necessarily the case because AMT is entirely proprietary and little-known.
Because the AMT spec and implementation are entirely proprietary, there is no way to know for sure whether disabling AMT in the BIOS actually disables its features entirely. There could be a deliberate backdoor built into the implementation. This is problem number one.
The AMT software is also likely to have security holes, and since it is not free software, users can't debug or fix them. What if there are bugs that allow access to some of the AMT features, even when the AMT is ostensibly disabled? There is no way to be reasonably certain that this is not the case. This is problem number two.
In any case, a nonfree program that can be updated is always unacceptable.
The average computer owner does not expect their laptop to have out-of-band remote access and control functionality built in. And yet that is exactly what AMT is. This is problem number three. If the user doesn't even know the AMT is there, how can they be expected to be able to control remote access to it?
What can be done to improve this situation?
The best you can do with a machine that has AMT is to set the BIOS to 'disable AMT'. That is not certain to do the job, but you are more likely to be safe from it that way than if you leave the BIOS at 'enable AMT'.
For remote access, a cooperating network interface is required: Intel Ethernet adapters, Intel Wi-Fi adapters, and certain 3G modems are supported. If you can, replace Intel-made network interfaces with ones made by a different manufacturer that do not support AMT.
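Whether the BIOS switch actually took effect, and whether the machine's network interface is still answering on AMT's behalf, can be checked from a second host. The script below is an added example, not code from the original page: it probes the documented AMT listener ports and reads the Server header that the AMT web interface returns. The port list and the sample response are assumptions based on AMT's documented defaults. It has to be run from another machine on the same network, because AMT's traffic is handled by the Management Engine and the Intel network adapter below the host operating system, so ss or netstat on the target itself will never list these ports.

```python
"""Remote check for a reachable Intel AMT interface.

Added example, not code from the original page.  Run it from a SECOND
machine on the same network segment: AMT's listeners live in the
Management Engine and the Intel NIC, below the host OS, so `ss -lnt`
on the target itself will not show them.  Port numbers are the
documented AMT/ASF defaults (assumed); the sample response below is
constructed.
"""
import re
import socket
import ssl
import sys
from typing import Dict, Optional

# Well-known AMT listener ports (assumed defaults; a provisioned machine
# normally exposes at least 16992 or 16993).
AMT_PORTS: Dict[int, str] = {
    16992: "AMT web UI / WS-Management over HTTP",
    16993: "AMT web UI / WS-Management over HTTPS",
    16994: "AMT redirection (Serial-over-LAN, IDE-R), plain",
    16995: "AMT redirection (Serial-over-LAN, IDE-R), TLS",
    623:   "ASF/RMCP (remote power control)",
    664:   "ASF/RMCP secure",
    5900:  "AMT KVM (VNC, unencrypted)",
}

# The AMT web server identifies itself in the HTTP Server header, e.g.
# "Server: Intel(R) Active Management Technology 11.8.50.3399".
_AMT_SERVER = re.compile(
    rb"^Server:[ \t]*Intel\(R\) Active Management Technology[ \t]*([\d.]*)",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample of what a provisioned AMT web UI returns on GET /.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50.3399\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def amt_version_from_response(raw: bytes) -> Optional[str]:
    """Return the AMT firmware version from an HTTP response: 'unknown' if
    the Server header names AMT without a version, None if it is not AMT."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    m = _AMT_SERVER.search(head)
    if m is None:
        return None
    return m.group(1).decode("ascii") or "unknown"


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send a minimal GET / to an AMT HTTP(S) port and return the raw reply."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if port == 16993:
            # AMT ships a self-signed certificate by default; we only want
            # the header, so certificate validation is deliberately skipped.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        reply = b""
        while len(reply) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
        return reply
    finally:
        sock.close()


def scan_amt(host: str) -> Dict[int, str]:
    """Map each AMT port on host that accepts a connection to its description."""
    return {p: d for p, d in AMT_PORTS.items() if tcp_open(host, p)}


if __name__ == "__main__":
    target = sys.argv[1]
    found = scan_amt(target)
    if not found:
        print(f"{target}: no AMT/ASF ports answer; AMT is off or unprovisioned")
    for port, desc in found.items():
        print(f"{target}:{port} open ({desc})")
        if port in (16992, 16993):
            ver = amt_version_from_response(fetch_banner(target, port))
            print(f"  AMT web UI confirmed, firmware {ver}" if ver else "  not an AMT banner")
```

Run it as python3 amt_probe.py 192.0.2.10 (the file name and address are placeholders) from another host on the same LAN. A machine whose BIOS says AMT is disabled but which still answers on 16992 or 16993 has not actually had AMT turned off. A machine that answers on nothing is either disabled or simply never provisioned, which a port scan cannot tell apart. On Linux the existence of /dev/mei0 shows only that the Management Engine interface is present, not whether AMT is provisioned, which is why the remote check is the useful one.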
When you buy new hardware, don't buy Intel hardware. Buy AMD-based systems; AMD chipsets do not contain anything like AMT.
For the long term, lobby Intel to release the AMT software stack as free software. Alternatively, help with reverse engineering it.