by holowoodman 693 days ago
Remote management.

The CPU/chipset has an integrated keyboard/video/mouse (via VNC), serial console, power control (on/off) and some settings exposed via this webserver over some kind of XMLRPC.

It is activated either by configuring it locally through the BIOS or some special key combination at boot, or when connecting to a network that has a setup server with a special certificate (not really a security feature, just a money grab) present. Some vendors might also ship it always-on. Network can be either wired or WiFi, not sure about mobile networks.

The threat is extreme: hidden remote access, several known vulnerabilities in the past in e.g. the broken XML parser, activation and takeover via brief physical access at boot (press the magic key, set username and password, boom, it is not your machine anymore) or connecting to a network with a magic setup server and certificate (corporate WiFi might do this accidentally to your machine). No good consistent and easy way to deactivate or prevent; it is different for each generation and vendor unfortunately, if at all possible.

1 comment
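The "hidden remote access" described above can at least be found from the network side. What follows is an added example, not code from the original thread: a small fingerprinting probe for AMT's management web server. It assumes (these are not stated on the page) that the web interface listens on TCP 16992 (plain HTTP) and 16993 (HTTPS), and that it identifies itself with a `Server: Intel(R) Active Management Technology <version>` header; the two sample responses embedded in the file are constructed so the parser can be exercised offline.

```python
"""Fingerprint Intel AMT's management web server from its HTTP response.

Added example, not from the original thread. Assumptions (not stated on
the page): AMT's web interface listens on TCP 16992 (HTTP) and 16993
(HTTPS) and identifies itself with a Server header of the form
"Intel(R) Active Management Technology <version>". The sample responses
below are constructed for this example.
"""
import re
import socket
import ssl
import sys
from typing import Dict, Optional

# port -> whether the probe should wrap the connection in TLS (assumption)
AMT_PORTS = {16992: False, 16993: True}

# Matches the Server header AMT is assumed to send; the version is optional.
_SERVER_RE = re.compile(
    r"^Server:\s*Intel\(R\) Active Management Technology\s*([\d.]+)?",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample responses (not captured from real hardware).
SAMPLE_AMT = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
    b"Location: /logon.htm\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n<html></html>"


def parse_amt_banner(raw: bytes) -> Optional[str]:
    """Return the advertised AMT version ("" if the header carries none),
    or None when the response does not look like AMT at all.

    Only the header block is inspected; the body is ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    match = _SERVER_RE.search(head)
    if match is None:
        return None
    return match.group(1) or ""


def probe_amt(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Send a minimal GET to host:port and fingerprint the reply.

    Uses TLS on the ports marked in AMT_PORTS. Certificate checks are
    disabled because AMT is assumed to ship with a self-signed cert;
    this probe only fingerprints, it never authenticates.
    """
    use_tls = AMT_PORTS.get(port, False)
    request = (
        f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        buf = b""
        # Read until the header block is complete or a size cap is hit.
        while b"\r\n\r\n" not in buf and len(buf) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        return parse_amt_banner(buf)
    finally:
        sock.close()


def scan_host(host: str, timeout: float = 3.0) -> Dict[int, Optional[str]]:
    """Probe every assumed AMT port; connection failures map to None."""
    results: Dict[int, Optional[str]] = {}
    for port in AMT_PORTS:
        try:
            results[port] = probe_amt(host, port, timeout)
        except (OSError, ssl.SSLError):
            results[port] = None
    return results


if __name__ == "__main__":
    # Usage: python amt_probe.py <host>   (only scan hosts you own)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p, ver in scan_host(target).items():
        state = "no AMT banner" if ver is None else f"AMT {ver or '(version unknown)'}"
        print(f"{target}:{p}  {state}")
```

Running this against your own machine from another host on the same network is a cheap way to tell whether the management interface is actually reachable, which is the question that matters more than whatever the BIOS menu claims. A negative result is not proof of absence: AMT may be provisioned but listening on a different interface, or enabled but not yet provisioned, so a network probe only complements checking the MEBX or vendor settings, it does not replace it.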

> No good way to deactivate or prevent.

Eh? https://software.intel.com/sites/manageability/AMT_Implement...

I've edited my text to be more precise. But to elaborate:

Eh! Read what your link says:

> Beginning in Release 12.0, it is possible to globally disable Intel AMT.

It took them 12 versions to put in an off-switch, so only newer hardware even has one. And:

> Intel AMT can be disabled using one of the following methods: Through the MEBX menu: Make sure that Manageability Feature State is disabled, then open the MEBX menu and change the Intel® AMT option to Disabled. This option can only be re-enabled after a reboot.

That only works if your hardware vendor exposes the MEBX menu, which not all vendors do.

> Through an MEI command invoked by OS software: Invoke the CFG_DisableAndClearAMT MEI command.

For that AMT has to be already enabled and configured in the operating system.