> what I mean is if the ME were already programmed to do these nasty things by design
Yes, and this is possible, though I would consider the possibility remote.
This would require collaboration between Intel and three letter agencies. Additionally, since the ME firmware is stored on SPI flash, anyone who suspected their ME might be eavesdropping could contact a researcher to dump their firmware for analysis. So I highly doubt Intel would be shipping this functionality in every ME firmware release.
Deployment would likely be targeted against a specific individual/group.
I'm not saying it couldn't be done, but the ME is not entirely a black box. The CPU architecture of the ME is known, the firmware can (and has been) dumped and analysed (though not all modules as some are encrypted).
So, it's a possible attack vector, the but effort required is much higher than building persistent UEFI malware. I don't think anyone would go to the effort to build an ME rootkit when they could just do it in UEFI.
> collaboration between Intel and three letter agencies.
thats part and parcel for any large US-based IT company these days.
> since the ME firmware is stored on SPI flash,
When you're Intel, you make the IC's and you can put whatever you want in there. If they were in bed with TLA's, I'd expect the pilfered keys would be stored in a sliver of NVM gates deep inside the die (in which chip, I can't say, perhaps in the CPU itself) (and probably encrypted with their own secret key). That's why I suggest that it would be easy to overwrite them just by constantly running aes with fresh random keys.
Yes, and this is possible, though I would consider the possibility remote.
This would require collaboration between Intel and three letter agencies. Additionally, since the ME firmware is stored on SPI flash, anyone who suspected their ME might be eavesdropping could contact a researcher to dump their firmware for analysis. So I highly doubt Intel would be shipping this functionality in every ME firmware release.
Deployment would likely be targeted against a specific individual/group.
I'm not saying it couldn't be done, but the ME is not entirely a black box. The CPU architecture of the ME is known, the firmware can (and has been) dumped and analysed (though not all modules as some are encrypted).
So, it's a possible attack vector, the but effort required is much higher than building persistent UEFI malware. I don't think anyone would go to the effort to build an ME rootkit when they could just do it in UEFI.