Intel AMT is never delivered with remote access activated by default (to my knowledge, references otherwise welcome) and whoever is doing the initial configuration can configure it or not, and then set a BIOS password to prevent its reconfiguration. That is secure by default.
When it’s your PC yet you’ve never taken the time to learn how it works and secure it, that’s a much, much bigger problem than someone with physical access to your PC reconfiguring it to give remote access because you never bothered to secure it.
That’s 99% of the home users and a surprisingly large chunk of the corporate users.
If you’re creating products for end users and keep giving them (any) responsibility for securing those products, and then you keep seeing that by and large they don’t take that responsibility, why would you keep relying on them to take that responsibility? How many times do you let end users disappoint you with their inaction before you wise up and make it secure by default?
Intel added a “feature” that was not there before, a feature that gives someone unparalleled access once it’s configured. Before they created this feature getting the same level of access would have, at least, taken a lot more effort. Sure it’s not enabled by default but Intel should have realized the potential for abuse and should have made this a little harder to activate.
AMT confuses me a little… to use this your CPU needs vPro, correct? But my understanding is that the Intel Management Engine doesn’t require vPro as it pre-dates it. So I thought all Intel CPUs since 2008 (as per the wiki article) have some form of management engine onboard, but looking into the BIOS of a Lynnfield (i5-750) system I have, that doesn’t seem to be the case; I see no evidence of such a feature. The Intel management verification utility doesn’t throw up anything either, it just forever says “Performing Manageability Engine check, please wait…”. This all started because of the vulnerability discovered last year.
AMT confuses me a little… to use this your CPU needs vPro, correct? But my understanding is that the Intel Management Engine doesn’t require vPro as it pre-dates it.
As long as there are no vulnerabilities in the unaudited, secret Intel parallel OS, that is.
I think it’s mighty scary there is a whole parallel OS running over which I as the user have no control, and which has a direct connection to the network hardware.