Here is how even your CPU can be used to track you

Published in the category: Tracking

All modern CPUs are now integrating hidden management platforms such as the now infamous Intel Management Engine and the AMD Platform Security Processor.

Those management platforms are small operating systems running directly on your CPU as long as they have power. These systems have full access to your computer’s network and could be accessed by an adversary to de-anonymize you in various ways (using direct access or using malware for instance) as shown in this enlightening video: BlackHat, How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine https://www.youtube.com/watch?v=9fhNokIgBMU ^[Invidious].

These have already been affected by several security vulnerabilities in the past that allowed malware to gain control of target systems. These are also accused by many privacy actors including the EFF and Libreboot of being a backdoor into any system.

There are some not so straightforward ways to disable the Intel IME on some CPUs and you should do so if you can. For some AMD laptops, you can disable it within the BIOS settings by disabling PSP.

Note that to AMD’s defense, so far and AFAIK, there were no security vulnerabilities found for ASP and no backdoors either: See https://www.youtube.com/watch?v=bKH5nGLgi08&t=2834s ^[Invidious]. In addition, AMD PSP does not provide any remote management capabilities contrary to Intel IME.

If you are feeling a bit more adventurous, you could install your own BIOS using Libreboot or Coreboot. if your laptop supports it (be aware that Coreboot does contain some propriety code unlike its fork Libreboot).

In addition, some CPUs have unfixable flaws (especially Intel CPUs) that could be exploited by various malware. Here is a good current list of such vulnerabilities affecting recent widespread CPUs: https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability ^[Wikiless] ^{[Archive.org]}

Check yourself:

If you are using Linux you can check the vulnerability status of your CPU to Spectre/Meltdown attacks by using https://github.com/speed47/spectre-meltdown-checker ^{[Archive.org]} which is available as a package for most Linux distros including Whonix.
If you are using Windows, you can check the vulnerability status of your CPU using inSpectre https://www.grc.com/inspectre.htm ^{[Archive.org]}

Some of these can be avoided using Virtualization Software settings that can mitigate such exploits. See this guide for more information https://www.whonix.org/wiki/Spectre_Meltdown ^{[Archive.org]} (Warning: These can severely impact the performance of your VMs).

I will therefore mitigate some of these issues in this guide by recommending the use of virtual machines on a dedicated anonymous laptop for your sensitive activities that will only be used from an anonymous public network.

In addition, I will recommend the use of AMD CPUs vs Intel CPUs.