Actually it's not the CPU you need to be worried about.
Earlier this year at 44Café in London I did a talk in which I dropped about 16 bugs in SuperMicro's IPMI BMC implementation (through the medium of a drinking game), some of which were picked up by Farmer and Moore's recent research into IPMI, some not[1]. The Baseboard Management Controller (BMC) is a completely separate computer, often running unmaintained Linux firmware that has full South-Bridge and i2c access to your computer's memory. Basically it has Direct Memory Access (DMA) but your computer doesn't appear to going the other way around (although I haven't investigated this yet).
The board I looked at ran an ARM chipset and a custom Linux distro built by an OEM called ATEN[1] and customised by SuperMicro. It's not that the system appears to be phoning home, it's more that there are a lot of bugs and defaults in the implementation, and compromising this allows you to compromise the underlying server.
For desktop and laptop systems you don't usually have IPMI, so no BMC. Instead you have intel's iAMT which is very similar in some respects. There's some really fantastic research done in this space by Patrick Stewin and Iurii Bystrov[3] who have implemented a hardware keylogger. I've been in contact with them and they've updated their work since publishing the paper and intend to present the results at the 44CON[4] security conference in London this September.
Again it's not a case of these chips phoning home per se but a non-well documented nor well-publicised attack surface with real-world implications for espionage and malware.
Disclaimer: I'm one of the co-founders and co-organisers of 44Con.
There are also similar implications for the baseband firmware (the part that deals with the signaling towers etc) in cellphones. Not a single phone on the market has an open source baseband OS.
Isn't it a common practice to keep IPMI out of reach of the Internet? At the time I worked with an ISP all management interfaces were connected to a separate network and the only means of accessing it remotely was through a VPN...
Especially in a large company, it's not that hard for a determined attacker to get something plugged into a network jack. If the management network goes to employee desks, then you can plug whatever you want into it.
Unless vPro is authenticating with 802.11x and you're actually using different passwords for every management interface, a professional cold probably find his way onto that subnet.
From what I've seen, most of the newer ipmi gear including the dedicated port ones include a standardized i2c interface between the platform controller/ec side (the main server) and the BMC - while it has in most cases similar authentication requirements as the typical ipmi over lan, once you've gotten past that you pretty much can run any ipmi commands, including getting raw access to its private i2c bus which I would assume attaches to its bootstrap flash. Once you're that far in bridging between the two nets would just entail writing some (non trivial) software.
It's sound common sense to keep this stuff from the Internet but looking through the Internet census I found hundreds of thousands of candidate matches for SuperMicro BMC instances. It seems to be popular in hosting circles, which might explain why it shows up so much.
If you don't connect it, they tend to default to sharing an interface with your primary LAN connection. They also default to DHCP, so if you're unaware of the need to use/secure it they will be exposed to the internet.
Earlier this year at 44Café in London I did a talk in which I dropped about 16 bugs in SuperMicro's IPMI BMC implementation (through the medium of a drinking game), some of which were picked up by Farmer and Moore's recent research into IPMI, some not[1]. The Baseboard Management Controller (BMC) is a completely separate computer, often running unmaintained Linux firmware that has full South-Bridge and i2c access to your computer's memory. Basically it has Direct Memory Access (DMA) but your computer doesn't appear to going the other way around (although I haven't investigated this yet).
The board I looked at ran an ARM chipset and a custom Linux distro built by an OEM called ATEN[1] and customised by SuperMicro. It's not that the system appears to be phoning home, it's more that there are a lot of bugs and defaults in the implementation, and compromising this allows you to compromise the underlying server.
For desktop and laptop systems you don't usually have IPMI, so no BMC. Instead you have intel's iAMT which is very similar in some respects. There's some really fantastic research done in this space by Patrick Stewin and Iurii Bystrov[3] who have implemented a hardware keylogger. I've been in contact with them and they've updated their work since publishing the paper and intend to present the results at the 44CON[4] security conference in London this September.
Again it's not a case of these chips phoning home per se but a non-well documented nor well-publicised attack surface with real-world implications for espionage and malware.
Disclaimer: I'm one of the co-founders and co-organisers of 44Con.
[1] - http://www.wired.com/threatlevel/2013/07/ipmi/
[2] - http://www.aten.com/IPMI.htm
[3] - http://stewin.org/papers/dimvap15-stewin.pdf
[4] - http://www.44con.com/