0:02 You think your phone or laptop shuts
0:04 down when you hit power? It doesn't.
0:06 Every modern device has a tiny hidden
0:08 computer with its own power source, and
0:10 it keeps running even when you think
0:13 it's off. These chips aren't optional.
0:14 They're built into pretty much every
0:17 phone, laptop, and even TVs. You can't
0:19 buy new hardware without them. And the
0:21 wildest part is that you can't see what
0:23 they do. You can't turn them off, and
0:25 they can still talk to the outside
0:26 world. In this video, I'm going to show
0:29 you why these secret systems exist, how
0:30 they've already been hacked, and what
0:32 you can do about it. I spent months
0:34 digging into the details so you don't
0:36 have to. And today, I'll show you why it
0:38 matters and what you can actually do
0:40 about it. You close your laptop, the
0:42 screen goes dark, you're done for the
0:44 day, right? Not exactly. There's still
0:46 something running. Not sleep mode or
0:49 hibernation. It's a second computer
0:51 inside of yours that stays awake. It has
0:54 its own processor, memory, and even its
0:57 own operating system. So, why would
1:00 anyone build that? Let's rewind. Back in
1:02 the early 2000s, managing company
1:05 computers was a disaster. Laptops froze
1:07 mid-meeting. People forgot passwords,
1:09 and if something broke, IT had to
1:11 physically show up and fix it every
1:13 single time. So, how did the company
1:15 Intel fix that? With a hidden chip
1:18 built into every machine. They called it
1:20 the Management Engine. And this thing
1:21 didn't just run when your computer was
1:23 on. It stayed active whenever standby
1:26 power was present, even when the main
1:28 CPU was shut down. With its own
1:30 firmware, network stack and processor,
1:32 it could reinstall your operating
1:35 system, reset a password, or wipe a
1:37 drive completely remotely. For IT
1:39 departments, it was a game changer. But for
1:41 everyone else, it quietly killed the
1:43 idea that you could ever fully turn your
1:45 machine off. Once Intel started, it
1:47 didn't take long before everyone else
1:49 jumped in. AMD has one that acts like a
1:51 gatekeeper. If it doesn't approve your
1:53 firmware, your computer won't even
1:54 start. Apple has one that holds your
1:57 Face ID and payment keys. Even if iOS
1:59 itself gets hacked, that chip is still
2:01 in charge. And in most Android phones,
2:03 ARM's TrustZone runs like a second
2:05 operating system under the hood. Android
2:08 doesn't control it, Android has to ask
2:10 it for permission. Security researchers
2:12 group these hidden systems under a name
2:15 you'll hear a lot. Trusted execution
2:18 environments, or TEEs. They're basically
2:20 sealed-off computers inside your computer
2:22 that decide what runs, what doesn't, and
2:24 who gets access before you ever touch
2:26 the keyboard. These aren't little
2:28 add-ons. They're entire mini computers
2:31 running in parallel to yours. And the
2:32 most shocking part, your device
2:35 literally cannot function without it. On
2:37 paper, these chips are supposed to be
2:39 about your safety. But here's the catch.
2:41 They don't just protect. They decide.
2:43 They choose what firmware boots. They
2:45 enforce signed code. And they hold the
2:48 keys your entire device depends on. You
2:50 can't inspect them. You can't disable
2:53 them. You can't bypass them. So if that
2:55 hidden chip makes a decision you don't
2:58 agree with, what then? What happens when
2:59 the most powerful computer in your
3:01 device doesn't answer to you? Your
3:03 operating system doesn't boot first.
3:05 It's not even second. Before anything
3:07 lights up on your screen, a hidden
3:09 processor already made the decisions.
3:11 Who gets access? What runs? What
3:13 doesn't? And this isn't just one device.
3:15 This layer of invisible gatekeeping is
3:17 baked into almost every machine you
3:20 touch. So, the real question is, who is
3:22 this actually working for? Let's talk
3:23 about what runs before your operating
3:26 system even gets a chance. Intel's
3:28 Management Engine, AMD's Platform
3:30 Security Processor, Apple's Secure
3:33 Enclave, all of them wake up first. They
3:34 check if your firmware is allowed to
3:36 boot. If it fails the cryptographic
3:38 check, that's it. You're locked out. It
3:40 doesn't matter if you wrote the code
3:41 yourself. And these aren't things you
3:43 can just uninstall. They're soldered
3:45 into the motherboard. They've got their
3:47 own power, their own execution
3:49 environment, even if the main CPU is cut
3:51 off. Many of these chips remain powered
3:53 as long as the board has standby
3:55 current. And if you try to push back,
3:57 good luck. These systems are locked down
3:59 on purpose. If you try to flash your own
4:00 firmware, you're going to need a vendor
4:02 key. If you try to break out of TrustZone,
4:04 your Android phone might just
4:06 break. And if you want to see how
4:08 Apple's Secure Enclave handles your face
4:10 scan, your wallet, and your keys, you
4:11 just can't. Apple doesn't release the
4:13 source code, and no one outside of the
4:16 company can audit it. These systems are
4:18 designed to be out of reach on purpose.
4:20 So, in the name of security, you're now
4:22 a guest on your own hardware. Your
4:25 laptop, your phone, your tablet, they're
4:27 not single computers anymore. They're
4:29 layers, stacks of machines, each one
4:31 more privileged than the last. And the
4:33 one that you interact with, the one that
4:35 you think you own, that's the least
4:37 powerful of them all. At the top is you,
4:39 but underneath you've got subsystems
4:41 that don't answer to you. They don't
4:43 wait for your input, and they sure as
4:45 hell don't need your permission. So, if
4:47 your device now has a second brain, what
4:49 happens when that brain starts thinking
4:51 on its own? Security researchers
4:53 actually have a way of mapping these
4:54 layers. They call them rings of
4:57 privilege. At the very top, your apps
4:59 live in ring three. Beneath that, the
5:01 operating system kernel runs in ring
5:04 zero with deep access to hardware. Go
5:06 lower and firmware like BIOS or system
5:10 management mode runs in ring 2. But then
5:12 there's ring three. That's where Intel's
5:15 Management Engine and AMD's PSP live. A
5:17 layer below everything you can see or
5:19 control. This buried layer, the one
5:21 below your operating system and
5:23 firmware, that's the trusted execution
5:25 environment. It's where those vendor
5:27 chips actually live. They wake up before
5:29 your operating system. They can override
5:31 your firmware and they keep running as
5:33 long as the board has power. That's why
5:35 these chips matter so much. They're not
5:38 just side features. They sit deeper than
5:40 anything you can touch. And every
5:42 restriction or lockdown that follows is
5:44 only possible because that layer 3
5:46 exists. You don't get to decide what
5:48 your device trusts. That decision has
5:50 already been made by someone else. And
5:51 once a vendor has the power to deny your
5:54 firmware, block your OS, or revoke your
5:56 access, they can just use that power for
5:58 more than just security. So what happens
6:00 when untrusted quietly becomes
6:03 unauthorized? Take secure boot. On the
6:04 surface, it sounds like it's protecting
6:06 you, but in reality, it's protecting the
6:09 vendor's ideas of what your machine
6:11 should run. For example, Windows secure
6:14 boot only accepts Microsoft-signed code.
6:16 If your BIOS doesn't find the right
6:17 certificate, your operating system won't
6:20 even launch. And what if you want to
6:22 dual boot or customize or run some weird
6:24 little Linux distro you compiled yourself?
6:26 Too bad. If you have the wrong key,
6:28 you're blocked. Try flashing your own
6:30 firmware on a ThinkPad. It gets
6:32 soft-bricked. And if a government actor
6:34 tampers with your system, don't expect
6:36 an alert. These checks were not designed
6:39 for you. They were designed to protect
6:41 the supply chain. This is the slippery
6:44 slope. It started as malware prevention.
6:46 Then it was used to fight piracy. Then
6:49 came regional locks. Now, some BIOSes
6:50 won't even let you roll back to an older
6:53 version. Apple takes it further. Replace
6:54 an iPhone part with something third
6:56 party, and the system can refuse it,
6:59 framed as safety. If you try to root
7:01 your Android, some models won't boot.
7:03 And with Chrome OS, verified boot is
7:07 locked on by default with no opt out.
7:09 And none of this is theoretical. Just a
7:10 few years ago, Brazil's Supreme Court
7:12 ordered Apple to allow sideloading
7:15 apps. Apple simply refused. Not because
7:17 one specific chip directly blocked
7:18 sideloading, but because the entire
7:20 hardware stack, secure boot plus a
7:22 secure enclave made Apple's rules nearly
7:24 impossible to override. And notice,
7:26 you're not in that decision loop. So,
7:28 let's break it down. If a chip inside
7:30 your device can deny your firmware, if
7:32 your operating system won't load without
7:34 the vendor's blessing, if your repairs
7:36 get blocked at the hardware level, then
7:39 what do you really own? At that point,
7:40 you're using a machine that's secure
7:42 against you but not for you. And if
7:44 every device you buy is enforcing
7:46 someone else's policy, how long before
7:48 those policies stop reflecting you at
7:50 all? These hidden chips were supposed to
7:52 make your devices safer. But what
7:53 happens when the part of your computer
7:55 you can't even see gets compromised?
7:57 Let's give you a few real world
8:00 examples. A few years back, researchers
8:02 found a flaw in Intel's hidden chip that
8:04 gave hackers almost god mode access to
8:06 millions of computers. They could bypass
8:09 the operating system, bypass antivirus,
8:11 and take control at a level you'd never
8:14 see. Even worse, this chip doesn't fully
8:16 turn off. So, people started asking,
8:18 could someone actually hijack a laptop
8:20 that looks powered down? And Intel
8:23 wasn't alone. Apple's Secure Enclave and
8:26 AMD's security chip both had their own
8:29 serious flaws. And in Android phones,
8:30 billions of them run on a system called
8:32 TrustZone. Google's own researchers
8:34 showed how bugs there let attackers jump
8:37 into the secure world and grab sensitive
8:39 data like fingerprint scans and DRM
8:41 keys. Here's the scary part. You
8:43 wouldn't know any of this was happening.
8:44 These chips run underneath your
8:47 operating system, invisible to you and
8:49 most security tools. And because you
8:50 can't remove them, you're stuck hoping
8:52 that the vendor patches the hole and
8:55 that they even admit that it exists in
8:57 the first place. So, what happens when
9:00 the most trusted part of your machine is
9:03 also the least inspectable? You shut
9:05 your device down, unplug it, maybe even
9:07 pull out the battery, and that hidden
9:09 chip, it's still running. You can't
9:10 remove it without killing the whole
9:12 machine. So, what can you actually do
9:14 when the leash is baked into the
9:16 hardware itself? Well, the usual
9:18 defenses don't work. Most people think
9:20 of the basics. Run Linux, use a VPN,
9:22 encrypt your drive. And that's all good
9:24 advice, but here's the catch. Those
9:26 defenses live above the hidden chips.
9:28 And those chips operate below the
9:30 operating system in a place your tools
9:33 can't even see. If the black box is
9:35 compromised or just quietly enforcing
9:38 vendor policy, it can spy, leak, or lock
9:40 you out. And your antivirus, your
9:42 firewall, and your VPN will never
9:44 notice. So, say you're worried about
9:47 being tracked, and you power your phone
9:49 off. You think it makes you safe, but
9:51 inside the parts are still awake. The
9:53 baseband chip that talks to cell towers
9:55 is still listening while TrustZone
9:57 still enforces rules. On laptops, some
10:00 systems like Apple's T2 chip keep mic
10:02 and camera controls alive even when the
10:04 lid is closed. So, no, you're not really
10:07 offline. You're just not looking at the
10:09 parts that stayed on. Here are some real
10:11 ways to push back. You can't win a
10:13 perfect victory, but you can take
10:15 ground. Choose hardware built for user
10:18 control. Laptops like Purism's Librem or
10:20 MNT's Reform try to strip out or
10:22 disable the hidden chips. Systems like
10:25 Raptor's Talos II use open source hardware
10:27 without the black boxes. They're kind of
10:29 pricey, but they definitely prove that
10:32 it's possible. You can also minimize
10:34 trust. Don't put all of your eggs in one
10:37 basket. Qubes OS is a great example. It
10:38 splits your computer into isolated
10:40 compartments. If one part is
10:42 compromised, the others stay sealed off.
10:44 It's like carrying multiple laptops
10:46 inside one. Physically cut off what you
10:48 can. Use real kill switches for Wi-Fi
10:51 and mics. Flash neutralized firmware
10:54 onto Intel ME if your device supports it.
10:55 Some people even keep sensitive work
10:57 air-gapped on machines that never touch
11:00 the internet. Push for change. It's
11:02 political. Support right to repair and
11:04 laws that demand transparency in the
11:06 chips running your life. Because if the
11:08 rules only come from vendors, you'll
11:11 never really be in charge. So, can we
11:14 ever be free? Not completely. These
11:16 hidden processes aren't going away, but
11:18 you can carve out pockets of autonomy or
11:21 spaces where you set the rules. That
11:22 might mean a special purpose machine for
11:24 sensitive work or just choosing tools
11:27 that bleed less. The bigger fight is
11:29 making sure technology answers to users,
11:31 not just the companies that build it. If
11:34 the user isn't the customer, who is?
11:37 Your laptop, phone, even your TV. On the
11:39 surface, they're yours. But look closer
11:41 and you'll see something uncomfortable.
11:44 Your device doesn't actually serve you.
11:46 The loyalty isn't to you. Modern
11:49 hardware isn't neutral. And your CPU
11:50 won't run unless the vendor approves the
11:53 firmware. Your bootloader refuses
11:54 anything unauthorized, even if you wrote
11:57 it yourself. And your GPU might not even
11:58 start up without the manufacturer's
12:00 signature. It's not that you can't own
12:02 your own machine. It's just that the
12:04 rules are set so you never truly do.
12:06 And vendors love to frame this as
12:08 protection. Secure boot, trusted
12:10 hardware, locked environments. But
12:12 protection for who? Secure boot can
12:15 block malware, but it can just as easily
12:17 block Linux. A safety feature can also
12:20 enforce app store monopolies. A chip
12:21 that verifies hardware parts can just as
12:24 easily reject third-party repairs.
12:26 Security isn't always about you.
12:27 Sometimes it's about keeping you in
12:30 line. And when the system doesn't answer
12:32 to you, who does it answer to? Think
12:34 about it. Laptops that silently force
12:36 BIOS updates. Phones that install apps
12:39 remotely for your convenience. Smart TVs
12:41 that send back your viewing habits
12:43 whether you said yes or not. And we did
12:45 a video on that a couple weeks ago.
12:47 These aren't bugs, they're features.
12:48 Features that serve the vendor, the
12:51 advertiser, or the platform. Everyone
12:54 but you. So, who's really in control? If
12:56 your machine can wake itself, deny your
12:58 code, and report your activity, then
13:00 who's the real owner? Not you. You're
13:02 not the customer in this equation. And
13:04 you're the product. The loyalty of these
13:06 hidden systems isn't to the user. It's
13:08 to the supply chain, the vendor, and
13:11 sometimes the state. So, if the most
13:13 powerful parts of your computer don't
13:16 answer to you, you have to ask, who are