Preventitive Security Measures for Older Non-Librem Laptops


#1

Hi Folks,

There is no way with my current financial status that I could afford a Librem Laptop.

So, what measures can I and others, with older Computers, take to prevent NSA hacking/surveillance etc?

My Lenovo B590 seems to check out safe. It has a Core i5-3230M CPU, a HM77 Chipset, a Broadcom Limited BCM4313 802.11bgn Wireless Network Adapter and a Realtek Ethernet Controller.

I got the following output for mei-amt-check command.

AMT present: true
AMT provisioning state: unprovisioned
Flash:	8.1.40
Netstack:	8.1.40
AMTApps:	8.1.40
AMT:	8.1.40
Sku:	73728
VendorID:	8086
Build Number:	1416
Recovery Version:	8.1.40
Recovery Build Num:	1416
Legacy Mode:	False

Looking at some later Laptops, however, I have observed the following for example.

A Lenovo Laptop, with a Core i5-4200M CPU and, I think, a HM86 Chipset, has the following info displayed on the Main tab of the Thinkpad Setup utility.

ME Firmware Version 9.0.20.1447

So, where on the System Board does the ME Firmware reside as there is no mention of Intel® vPro™ Platform Eligibility for the HM86 on the Intel website and for the i5-4200M the associated web page says “Intel® vPro™ Platform Eligibility ‡ No”.

According to the information I was able to view on the Lenovo website for this particular Laptop, the System Board is specified as having TPM. Could this be why the Main tab, of the BIOS screen, has a line for ME Firmware Version?

Thanks!


#2

None if you keep it online.


#3

Guarantee to prevent? Probably not possible.

Seek to reduce?

  • run Linux
  • keep current with your patches?
  • disable or deinstall stuff that you don’t use (reduce attack surface)?
  • introduce layer 2 and/or layer 3 filtering to vet network traffic?
  • monitor logs etc?

But these points are very general in nature.

Concerns about AMT and ME are justified in a sense (can’t audit / known security flaws / undocumented functionality) however they would only be at their worst if they definitely are a pre-installed backdoor, rather than a potential backdoor.


#4

Still waiting for answers with regards to the last 4 paragraphs of my original post.

Thanks!


#5

I don’t think this is safe. Basically no Intel CPU from the last 10 years is safe.

The Intel Management Engine (ME) aka the Homunculus CPU would I believe be in all Intel-based systems since Core i5/i7 first generation i.e. Core i5 NNN or Core i7 NNN where NNN is three digits, or later.

Wikipedia says that the IME is in the Platform Controller Hub (PCH). I suppose that means both the Homunculus CPU and its firmware.

vPro is not the same as the Homunculus CPU. Basically all Intel CPUs have the Homunculus CPU. Only those CPUs targeted at enterprise customers have vPro.

I believe all Intel CPUs that have vPro include “firmware TPM” as part of vPro. So if your CPU does not have vPro then it probably does not have firmware TPM. (It is still possible for a mobo to have a TPM in that scenario but then it would be implemented in some other chip, either a separate dedicated chip or part of some other chip, but not part of Intel vPro.)

So … summary … forget about Intel Trusted Execution Technology (TPM) … forget about Intel vPro. All Intel CPUs that are anywhere near current have the Homunculus (backdoor) CPU aka Intel ME, running closed source software and with total access to your system whether it is booted or not, whether it is running Linux or not.