A rootkit is defined by Google search as "a set of software tools that enable an unauthorized user to gain control of a computer system without being detected."
* A set of software tools: Check
* Unauthorized user: Check. Caveat: user is not authorized by you, but by someone else (Intel)
* Gain control of a computer system without being detected. Can access your machine while it appears to be "powered off" but plugged in. Has full access to RAM. Can draw undetected on top of screen. Can read screen. Check.
So. Does this qualify the Management Engine as a rootkit? It meets the definition. Just because the rootkit is installed by the manufacturer doesn't make it less of one.
Some of the paranoia around ME is the possibility of undocumented commands or magic byte sequences in software or via network interface that give an attacker invisible control of the ME without the user enabling AMT. The NIC is probably still powered and active for WoL.
It's also conceivable that a state-level adversary could have hidden arbitrary DMA instructions in NIC firmware that only activate with a signed request embedded in a random packet. Some of the largest firmware blobs on Linux systems are for NICs.
Most people aren't facing state-level targeted attacks, but without open firmware, it's nearly impossible to know for sure if one is vulnerable. And, with botnets and worms, it only takes one non-state-level attacker discovering the backdoor for everyone to be affected.
This attack could be used an indefinite number of times to compromise Intel's AMT remote provisioning process and subverts the security of the non-configured PCs that include the AMT functionality, even while it is disabled within the BIOS configuration, as presented in section 3.7.6.
AMT is always active, even if you've set it to "Disabled", and can be remotely activated. Again, without your authorization.