On 12/18/2016 10:22 AM, Milton Scritsmier wrote:
> Not all Intel chipsets support AMT (check Intel's website for which ones
> do, but most consumer PC/laptop chipsets don't), and for every version
> of ME firmware there are two releases, one for chipsets with AMT support
> and one for chipsets without. Chipsets which support AMT can have the ME
> firmware updated remotely if it's signed properly and the AMT password
> is entered or bypassed somehow. Chipsets without AMT support cannot be
> updated remotely AFAIK.
>
> If somebody got their hands on the Intel ME toolset and private signing
> keys they could create a custom version of ME firmware that could do
> just about anything, including accessing almost all the PC's RAM at any
> time. But getting it on the machine is the trick. Without AMT support it
> would require physical access to the machine, but then you can do just
> about anything anyway with physical access.
>

Thank you, Roman and Joe for your well-written, rational and FUD-free
emails to the list on this topic. ;)

I played around with AMT on a system I have access to. Per the
manufacturer's documentation it ships out of the box in factory mode
which disables all remote access features. After changing the ME
password from the default I could configure AMT and turn AMT off
entirely.

Like Roman mentioned, no need for BMC so I think the Reddit poster's
information was out of date but his point about securing the OS is
still a good one.
-- 
tor-talk mailing list
