Hacker News
by threatripper 2137 days ago
Absence of evidence is not the evidence for absence.

If the backdoor exists you will need to know a secret to open it. Currently, the public obviously doesn't know this secret or the doors would be wide open for virtually anybody. Because we don't know the secret key, we cannot open them to prove that they exist. So we don't know for sure if the backdoors exist. But the way the IME is designed and handled makes it possible and plausible that backdoors could exist. It's up to Intel to prove that they don't exist.

3 comments

The odds of this being actively exploited by a nation state are higher than it not being exploited. It's too juicy of an attack target, while being almost universally deployed since 2008.

Even 14 years ago the FBI was using off cellphones as microphones, recording in-person conversations in a restaurant between some Mafia targets. It was acknowledged during a criminal trial, which means it was probably old-hat by then:

> Kaplan's opinion said that the eavesdropping technique "functioned whether the phone was powered on or off."

> He ruled that the "roving bug" was legal because federal wiretapping law is broad enough to permit eavesdropping even of conversations that take place near a suspect's cell phone.

https://www.cnet.com/news/fbi-taps-cell-phone-mic-as-eavesdr...

Getting access to laptops/PCs regardless of power state with long-term persistence and very low detectability, regardless of traditional OS monitoring, would be top of the list in terms of requirements for any intelligence agency.

> So we don't know for sure if the backdoors exist

Doesn't the NSA_High_Assurance_Platform bit or whatever it's called pretty much prove there's a backdoor?

edit: Here it is: https://en.wikipedia.org/wiki/Intel_Management_Engine#%22Hig...

Why would the NSA demand such a feature if they didn't foresee even a potential vulnerability there?

The NSA doesn't need to know a backdoor exists in order to worry about one. The ME is infrequently exercised code with a large attack surface and highly privileged access. If you are security conscious and don't need the functionality it's quite logical to want to turn it off, whether you're the NSA or anybody else.

> It's up to Intel to prove that they don't exist.

That seems a bit over the top to ask them to prove a negative.

It would be easy for Intel to prove what code is running. Peer review does the rest.

Releasing the code would allow people to verify it.

Releasing the code would help to make it more auditable.