Intel Management Engine

[massivescam]

Hello everyone.

Recently, I found a hard to swallow fact, or just a conspiracy (anyways, y'all can tell me better). I found some information concerning the Intel Management Engine (IME), basically a hardware device embedded to your mother board that allows backdoor attacks to be performed. Sorry for my poor description, but I am really not a specialist, so follows some videos I think are informative for this purpose: https://www.youtube.com/watch?v=HNwWQ9zGT-8, and https://www.youtube.com/watch?v=NwSm8GzqdBg. After some reading related to this issue, in what concerns securing your Private Master Key, I couldn't come to any conclusion. Some "specialists" say this IME can't do anything case your computer is off internet, others say it can store info in a cache for uploading it when internet connection available, others say it can keylog every keyboard entry, others say it may depends according to the computer brand, and others say ... So, the only "effective" solution I found, was to disable this IME directly in the hardware (https://www.youtube.com/watch?v=lQ8k79yNH2A).

My biggest concern about this issue, is on generating BIP39 mnemonics. Let's suppose you have a Seedsigner or a Krux, and thus you are allowed to perform transactions without ever connecting (unless for setting up the device) your Private Master Key to an online computer, and even to any computer with an IME. And that, you would like to (i) use another BIP39 seedphrase generator, or simply to (ii) measure the "quality" of your seedphrase (by measuring "quality", I am referring to inputting the seedphrase into another software, totally offline obviously, in order to measure how hard would be to crack the seedphrase).  In order to perform task (i) or (ii) you would need to input your seedphrase into a computer with, eventually, an IME embedded, and, possibly, having the risk or having your seedphrase captured. Even if you are on an offline setup, and you decide to use a virtual keyboard for typing your seedphrase, (if this IME is so powerful as some "specialists" say) which guarantee do you have that this IME wouldn't be storing your seedphrase in a cache for later uploading?

Is my reasoning right about this issue? Or am I just overreacting? If so, how would one person overcome the constraints imposed by this IME?

Thanks for the attention, and I am sorry for any misunderstanding in my writing.

[dkbit98]

Recently, I found a hard to swallow fact, or just a conspiracy (anyways, y'all can tell me better). I found some information concerning the Intel Management Engine (IME), basically a hardware device embedded to your mother board that allows backdoor attacks to be performed.

It's not a secret that both Intel and AMD have their own secret operating systems inside chips that are running all the time and collecting data.
Basic protection against this is to use your computer always offline without connecting to the internet, or by flashing the chip and installing open Source bios like Corebot.
Problem is that this is not available for most modern computers (some older Thinkpad laptops are supported), and you can only disable Intel ME.
Another solution is to use laptops like MNT Reform or Pinebook.  

My biggest concern about this issue, is on generating BIP39 mnemonics.

I wouldn't worry about this if you only use offline laptop as airgapped device, but you can also use open source hardware wallets like Passport got generating seed words.
Some people don't like hardware wallets, but I think they are much better for this purpose because they have much smaller attack vector than most computers.

Is my reasoning right about this issue? Or am I just overreacting? If so, how would one person overcome the constraints imposed by this IME?

You are probably overreacting.
I don't like Intel ME and AMD PSP but it's hard to use most modern computers without them.
If you want to ''overcome'' them simply don't use computers, or use alternatives I wrote before.l

[iBaba]

Is my reasoning right about this issue? Or am I just overreacting? If so, how would one person overcome the constraints imposed by this IME?

Thanks for the attention, and I am sorry for any misunderstanding in my writing.

Like many people may see your concerns as being overreacting, that could not necessarily be true because oftentimes even computer companies and walnuts have ignore the very little security glitches which is where attacks are penetrated through. Most of the time, I wonder if that was deliberate because the manufacturers don't want a user get a 100% control and security over it's devices. Nonetheless, it could be the highest they can offer now.

Security of mobile devices and computers is one aspect that have required perpetual improvement and evolution. So proffering prudent solutions to problems of security will be permanent.

In this case, for instance, I recently purchased a Dell Precision 7540, and the default setting was Intel ME disabled from the factory. That startled me, but because this is Enterprise Dell, it makes sense. Also, because it's Enterprise Dell, you won't be taken advantage of. There are four SODIMM slots and four m.2 slots. There will be no "you opened it to add more ram, so your warranty is void" or "you didn't order a second harddrive, so we didn't soldier the other m.2 connector to the board". There is also gigabit Ethernet built in.

But it makes me sad since laptops like this won't be around for many more years.

However, I feel that many more companies are becoming aware of this type of issue. Purism is an excellent example of a company that provides high-quality laptops with the Intel ME turned off by default.

[NotATether]

In this case, for instance, I recently purchased a Dell Precision 7540, and the default setting was Intel ME disabled from the factory. That startled me, but because this is Enterprise Dell, it makes sense. Also, because it's Enterprise Dell, you won't be taken advantage of. There are four SODIMM slots and four m.2 slots. There will be no "you opened it to add more ram, so your warranty is void" or "you didn't order a second harddrive, so we didn't soldier the other m.2 connector to the board". There is also gigabit Ethernet built in.

Funny thing is, that Intel Management Engine is only intended to be used for remote management settings, which means enterprise PCs and servers are really the only target for this thing. It is certainly not needed for personal computers, where remote management is not used and almost nobody has heard of the technology let alone uses it.

It also runs on with small embedded resources, and I'm not sure if it has access to the rest of the PC resources.