Before I begin, I want to clarify that this is purely speculation as well as my own opinion. My opinion is biased to view censorship and surveillance in a negative light. As such, my opinion will reflect this.
Since 2008, there's been a so-called "rootkit" or "backdoor" in all Intel CPUs. Rumours have it that Intel has secret access to your entire device, that it can remotely connect to your computer, even with it turned off. The rumours go as far as to say that the CIA may be involved in developing this "backdoor". Are these rumours true? It's complicated. Should you be concerned? I'll get back to that.
Intel Management Engine
Intel Management Engine is, according to Intel, "an embedded microcontroller [...] running a lightweight [...] operating system that provides a variety of features and services for Intel® [CPUs]."[1]. In summary, it's a CPU inside your CPU. It has access to a large amount of your system, running at Ring -3 level.
A Brief Tangent On Rings
In operating system development, every part of the operating system is placed under a different "protection ring". It ensures that access violations, which can potentially cause system instability, do not happen as often.
As you can see, the kernel (part of the OS that handles low-level operations such as drivers) runs at "Ring 0", the highest level, while applications run at ring 3. This ensures that programs or drivers don't try to access anything they're not allowed to in a safe manner. However, there are technically rings above the kernel, as the BIOS (Basic Input-Output System) of your computer technically has access to the entire system, as it facilitates booting into the operating system itself and sits over the top of it.
Rings -1 and -2 are the BIOS, but some claim that Intel's Management Engine runs at -3, even higher than even the BIOS itself. Such a privilege level is scary, but what can the IME Do?
IME'S Capabilities
According to some random guy on Stack Exchange (who didn't provide any sources)[2], IME:
Has its own TCP/IP Stack, which allows it to perform networking separately from the OS, which cannot manage it.
Can read keystrokes from PS/2 peripherals (chances are you use USB)
It can access your CPU's video memory (VRAM). This means it can (theoretically) see your screen, but if you have a dedicated GPU, this is unlikely.
It can communicate with your computer's Network Interface Card (NIC), which allows it to access the Internet.
If your BIOS allows it, it can even access the entire memory (RAM).
These capabilities are scary-sounding, but what are they for? Why does some random microcontroller have access to so much of your system?
What IME Does
Intel's blog post[3] lists the following things that IME does:
Low-power, out-of-band (OOB) management services.
Capability Licensing Service (CLS).
Anti-Theft Protection.
Protected Audio Video Path (PAVP).
These are all super vague, and it's on purpose. However, the main purpose of the IME is Intel Active Management Technology.
Intel Active Management Technology
Intel AMT is essentially a form of Out-Of-Band diagnostics toolkit for Intel CPU's. It a uses TLS-encrypted web interface and is intended for updating and repairing computer systems. ("Out-Of-Band" refers to outside of the control of software.) These can be accessed even when the device is sleeping.
AMT supports a wide variety of features, including:
The Afforementioned web interface.
The ability for a wired PC to connect to an IT console over the LAN.
Remote power on/off or rebooting.
Serial over LAN. Allows for sending input to the serial port over the LAN. Probably useful for somebody, but serial ports are dead.
KVM (Keyboard, Video, Mouse) Over IP (Internet Protocol). Basically, a remote desktop interface.
A persistent log stored in protected memory (not your hard drive!)
Laptops also support Wi-Fi and Cisco Voice over WLAN.
Safe to say, AMT is very useful to IT admins who know what they're doing. However, a majority of computers are located at home, where such a service is useless. This has generated speculation that Intel has a backdoor conveniently disguised as an IT administration feature. How likely is that?
Security Through Obscurity
Another security concept is Security Through Obscurity. The idea behind STO is to hide the nature of a system so that people do not know how it works and therefore cannot exploit it. All proprietary applications work in this way. Microsoft don't hand out the source tree for their Windows releases, because it would allow people to find and take advantage of unpatched security holes in the system.
How does this relate to Intel? Intel aren't saying much about IME. A lot of old documentation has been removed from their website, and they refuse to explain anything.
This can be concerning, and, most importantly, the strategy is flawed. Incredibly so. So much so that-
Actual Rootkits Exploiting IME Exist
Intel Management Engine is flawed. In fact, Intel keeps track of several vulnerabilities that IME has had over the years, and even lists them in the manual for a utility for checking if you're vulnerable to them:
I ran the test, and I'm apparently vulnerable. I'm not installing closed-source proprietary drivers that fix them, though.
The point is, there is malware that exploits IME, and it's been around for years.
Should You Be Concerned?
There is a lot of really suspicious information about IME and AMT that may suggest a potential backdoor. There is potential for an attacker, such as a black hat hacker, or a three-letter government agency, to gain control of your system even if your computer is fully secured and password protected.
Should you and I be worried? Probably not. Unless you're being targeted, there is generally no reason to be worried.
Removal
If any of this concerns you and you want to disable IME, I have sad news. Intel offers no way to disable IME by default, and the only way of doing it is through exploits. If you're interested, this GitHub repository is a good place to start. However, only fiddle with your CPU if you know what you're doing, as the CPU will refuse to boot if you mess with it incorrectly.
AMD CPUs
If you have an AMD CPU, you may be rejoicing about the fact that you don't have IME. Unfortunately, AMD does have something very similar, and that isn't able to be disabled either.
Your Options
You have a few options, now that you have been armed with this knowledge of the Intel Management Engine.
Nothing
Just don't do anything. This isn't a critical issue for you, so why bother?
Get An Older CPU
The last generation of Intel CPU that didn't have Intel ME was the Intel Core 2. Unfortunately, those CPU's are 16 years old and relying on them is a bad idea. However, Gentoo Linux can run on a 486 CPU, so maybe you can add Ubuntu or something onto it and use it normally.
For AMD CPUs, the Athlon 64 generation is the way to go.
Disable It
This is a good option if you know how. However, amateurs should not try it. You can easily render your CPU useless, and Intel will be highly unlikely to want to help once they hear what you did to it.
Open-Source Hardware
Yes, open-source CPU's are a thing. This list on Wikipedia may be a decent starting point. However, if you want a fast CPU or an x86-64 one, forget about it. There is not enough demand for open-source gaming CPUs for anyone to manufacture them. You could also make your own. After all, RISC-V is open-source, and a lot of Linux distros support it.
My Stance
I do not like the idea of a potential backdoor in my CPU, but I do feel pretty powerless to stop it. On top of this, my CPU is slow enough, I'm not going out of my way to make it even slower to mitigate it.
Conclusion
To conclude, both Intel and AMD ship a feature with all of their CPUs that is basically a security vulnerability. You can't do much about it, and Intel don't seem to want to fix it. The most I can say is to update your Intel Management Engine drivers.
I swear that every article is better than the last one. I suppose that's why I press publish.