
Intel Active Management Technology

Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers,[1][2] running on the Intel Management Engine, a microprocessor subsystem not exposed to the user, intended for monitoring, maintenance, updating, and repairing systems.[1] Out-of-band (OOB) or hardware-based management is different from software-based (or in-band) management and software management agents.[1]

A part of the Intel AMT web management interface, accessible even when the computer is sleeping

Hardware-based management works at a different level from software applications, and uses a communication channel (through the firmware's own TCP/IP stack) that is separate from software-based communication (which goes through the network stack in the operating system). Hardware-based management does not depend on the presence of an OS or a locally installed management agent. Hardware-based management has been available on Intel/AMD-based computers in the past, but it was largely limited to auto-configuration using DHCP or BOOTP for dynamic IP address allocation and diskless workstations, and to wake-on-LAN (WOL) for remotely powering on systems.[3] AMT is not intended to be used by itself; it is intended to be used alongside a software management application.[1] It gives a management application (and thus the system administrator who uses it) access to the PC down the wire, in order to perform remotely tasks that are difficult or impossible on a PC without built-in remote functionality.[1][4][5]

AMT is designed into a service processor located on the motherboard, and uses TLS-secured communication and strong encryption to provide additional security.[6] AMT is built into PCs with Intel vPro technology and is based on the Intel Management Engine (ME).[6] AMT has moved towards increasing support for DMTF Desktop and mobile Architecture for System Hardware (DASH) standards and AMT Release 5.1 and later releases are an implementation of DASH version 1.0/1.1 standards for out-of-band management.[7] AMT provides similar functionality to IPMI, although AMT is designed for client computing systems as compared with the typically server-based IPMI.

Currently, AMT is available in desktops, servers, ultrabooks, tablets, and laptops with Intel Core vPro processor family, including Intel Core i5, Core i7, Core i9 and Intel Xeon E3-1000, Xeon E, Xeon W-1000 product family.[1][8][9] AMT also requires an Intel networking card and the corporate version of the Intel Management Engine binary.[10]

Intel confirmed a Remote Elevation of Privilege bug (CVE-2017-5689, SA-00075) in its Management Technology on May 1, 2017.[11] Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME.[12][13] Some manufacturers, like Purism[14] and System76[15] are already selling hardware with Intel Management Engine disabled to prevent the remote exploit. Additional major security flaws in the ME affecting a very large number of computers incorporating Management Engine, Trusted Execution Engine, and Server Platform Services firmware, from Skylake in 2015 to Coffee Lake in 2017, were confirmed by Intel on November 20, 2017 (SA-00086).

Non-free service access

Although iAMT may be included for free in devices sold to the public and to small businesses, the full capabilities of iAMT, including encrypted remote access via a public key certificate and automatic remote provisioning of unconfigured iAMT clients, are not accessible for free to the general public or to the direct owners of iAMT-equipped devices. iAMT cannot be used to its full potential without purchasing additional software or management services from Intel or from a third-party independent software vendor (ISV) or value-added reseller (VAR).

Intel itself provides a developer's toolkit software package which allows basic access to iAMT, but it is not intended for routine use.[16] Only basic modes of access are supported, without the full encrypted-communication features of a complete purchased management system.[17]

Features

Intel AMT includes hardware-based remote management, security, power management, and remote configuration features that enable independent remote access to AMT-enabled PCs.[5] Intel AMT is security and management technology that is built into PCs with Intel vPro technology.[1]

Intel AMT uses a hardware-based out-of-band (OOB) communication channel[1] that operates regardless of the presence of a working operating system. The communication channel is independent of the PC's power state, the presence of a management agent, and the state of many hardware components such as hard disk drives and memory.

Most AMT features are available OOB, regardless of PC power state.[1] Other features require the PC to be powered up (such as console redirection via serial over LAN (SOL), agent presence checking, and network traffic filtering).[1] Intel AMT has remote power-up capability.

Hardware-based features can be combined with scripting to automate maintenance and service.[1]

Hardware-based AMT features on laptop and desktop PCs include:

  • Encrypted, remote communication channel for network traffic between the IT console and Intel AMT.[6]
  • Ability for a wired PC (physically connected to the network) outside the company's firewall on an open LAN to establish a secure communication tunnel (via AMT) back to the IT console.[1][6] Examples of an open LAN include a wired laptop at home or at an SMB site that does not have a proxy server.
  • Remote power up / power down / power cycle through encrypted WOL.[1]
  • Remote boot, via integrated device electronics redirect (IDE-R).[6]
  • Console redirection, via serial over LAN (SOL).[1]
  • Keyboard, video, mouse (KVM) over network.
  • Hardware-based network filters: packet-header filters that inspect inbound and outbound traffic for known threats, and time-based heuristic filters that flag known or unknown threats from anomalous traffic patterns over programmable time windows. Laptops have only the packet-header filters; desktop PCs have both.[18]
  • Isolation circuitry (previously and unofficially called "circuit breaker" by Intel) to port-block, rate-limit, or fully isolate a PC that might be compromised or infected.[1][6][18]
  • Agent presence checking, via hardware-based, policy-based programmable timers. A "miss" generates an event; and this can also generate an alert.[1][6][18]
  • OOB alerting.[1]
  • Persistent event log, stored in protected memory (not on the hard drive).[6]
  • Access (preboot) the PC's universal unique identifier (UUID).[1]
  • Access (preboot) hardware asset information, such as a component's manufacturer and model, which is updated every time the system goes through power-on self-test (POST).[6]
  • Access (preboot) to third-party data store (TPDS), a protected memory area that software vendors can use, in which to version information, .DAT files, and other information.[1]
  • Remote configuration options, including certificate-based zero-touch remote configuration, USB key configuration (light-touch), and manual configuration.[1][6][19]
  • Protected Audio/Video Pathway for playback protection of DRM-protected media.

Laptops with AMT also include wireless technologies:

History

Software updates provide upgrades to the next minor version of Intel AMT. New major releases of Intel AMT are built into a new chipset, and are updated through new hardware.[6]

Applications

Almost all AMT features are available even if the PC is in a powered-off state but with its power cord attached, if the operating system has crashed, if the software agent is missing, or if hardware (such as a hard drive or memory) has failed.[1][6] The console-redirection feature (SOL), agent presence checking, and network traffic filters are available after the PC is powered up.[1][6]

Intel AMT supports these management tasks:

  • Remotely power up, power down, power cycle, and power reset the computer.[1]
  • Remote boot the PC by remotely redirecting the PC's boot process, causing it to boot from a different image, such as a network share, bootable CD-ROM or DVD, remediation drive, or other boot device.[1][5] This feature supports remote booting a PC that has a corrupted or missing OS.
  • Remotely redirect the system's I/O via console redirection through serial over LAN (SOL).[1] This feature supports remote troubleshooting, remote repair, software upgrades, and similar processes.
  • Access and change BIOS settings remotely.[1] This feature is available even if PC power is off, the OS is down, or hardware has failed. This feature is designed to allow remote updates and corrections of configuration settings. This feature supports full BIOS updates, not just changes to specific settings.
  • Detect suspicious network traffic.[1][18] In laptop and desktop PCs, this feature allows a sys-admin to define the events that might indicate an inbound or outbound threat in a network packet header. In desktop PCs, this feature also supports detection of known and/or unknown threats (including slow- and fast-moving computer worms) in network traffic via time-based, heuristics-based filters. Network traffic is checked before it reaches the OS, so it is also checked before the OS and software applications load, and after they shut down (a traditionally vulnerable period for PCs[citation needed]).
  • Block or rate-limit network traffic to and from systems suspected of being infected or compromised by computer viruses, computer worms, or other threats.[1][18] This feature uses Intel AMT hardware-based isolation circuitry that can be triggered manually (remotely, by the sys-admin) or automatically, based on IT policy (a specific event).
  • Manage hardware packet filters in the on-board network adapter.[1][18]
  • Automatically send OOB communication to the IT console when a critical software agent misses its assigned check in with the programmable, policy-based hardware-based timer.[1][18] A "miss" indicates a potential problem. This feature can be combined with OOB alerting so that the IT console is notified only when a potential problem occurs (helps keep the network from being flooded by unnecessary "positive" event notifications).
  • Receive Platform Event Trap (PET) events out-of-band from the AMT subsystem (for example, events indicating that the OS is hung or crashed, or that a password attack has been attempted).[1] An alert can be issued on an event (such as falling out of compliance, in combination with agent presence checking) or on a threshold (such as reaching a particular fan speed).
  • Access a persistent event log, stored in protected memory.[1] The event log is available OOB, even if the OS is down or the hardware has already failed.
  • Discover an AMT system independently of the PC's power state or OS state.[1] Discovery (preboot access to the UUID) is available if the system is powered down, its OS is compromised or down, hardware (such as a hard drive or memory) has failed, or management agents are missing.
  • Perform a software inventory or access information about software on the PC.[1] This feature allows a third-party software vendor to store software asset or version information for local applications in the Intel AMT protected memory. (This is the protected third party data store, which is different from the protected AMT memory for hardware component information and other system information). The third-party data store can be accessed OOB by the sys-admin. For example, an antivirus program could store version information in the protected memory that is available for third-party data. A computer script could use this feature to identify PCs that need to be updated.
  • Perform a hardware inventory by uploading the remote PC's hardware asset list (platform, baseboard management controller, BIOS, processor, memory, disks, portable batteries, field replaceable units, and other information).[1] Hardware asset information is updated every time the system runs through power-on self-test (POST).

From major version 6, Intel AMT embeds a proprietary VNC server for out-of-band access using dedicated VNC-compatible viewer technology, and has full KVM (keyboard, video, mouse) capability throughout the power cycle, including uninterrupted control of the desktop while an operating system loads. Clients such as VNC Viewer Plus from RealVNC also provide additional functionality that makes it easier to perform (and watch) certain Intel AMT operations, such as powering the computer off and on, configuring the BIOS, and mounting a remote image (IDE-R).

Provisioning and integration

AMT supports certificate-based or PSK-based remote provisioning (full remote deployment), USB key-based provisioning ("one-touch" provisioning), manual provisioning[1] and provisioning using an agent on the local host ("Host Based Provisioning"). An OEM can also pre-provision AMT.[19]

The current version of AMT supports remote deployment on both laptop and desktop PCs. (Remote deployment was one of the key features missing from earlier versions of AMT and which delayed acceptance of AMT in the market.)[5] Remote deployment, until recently, was only possible within a corporate network.[22] Remote deployment lets a sys-admin deploy PCs without "touching" the systems physically.[1] It also allows a sys-admin to delay deployments and put PCs into use for a period of time before making AMT features available to the IT console.[23] As delivery and deployment models evolve, AMT can now be deployed over the Internet, using both "Zero-Touch" and Host-Based methods.[24]

PCs can be sold with AMT enabled or disabled. The OEM determines whether to ship AMT with the capabilities ready for setup (enabled) or disabled. The setup and configuration process may vary depending on the OEM build.[19]

AMT includes a Privacy Icon application, called IMSS,[25] that notifies the system's user if AMT is enabled. It is up to the OEM to decide whether they want to display the icon or not.

AMT supports different methods for disabling the management and security technology, as well as different methods for reenabling the technology.[1][23][26][27]

AMT can be partially unprovisioned using the Configuration Settings, or fully unprovisioned by erasing all configuration settings, security credentials, and operational and networking settings.[28] A partial unprovisioning leaves the PC in the setup state. In this state, the PC can self-initiate its automated, remote configuration process. A full unprovisioning erases the configuration profile as well as the security credentials and operational / networking settings required to communicate with the Intel Management Engine. A full unprovisioning returns Intel AMT to its factory default state.

Once AMT is disabled, in order to enable AMT again, an authorized sys-admin can reestablish the security credentials required to perform remote configuration by either:

  • Using the remote configuration process (full automated, remote config via certificates and keys).[1]
  • Physically accessing the PC to restore security credentials, either by USB key or by entering the credentials and MEBx parameters manually.[1]

There is a way to totally reset AMT and return it to factory defaults. This can be done in two ways:

Setup and integration of AMT is supported by a setup and configuration service (for automated setup), an AMT Webserver tool (included with Intel AMT), and AMT Commander, an unsupported and free, proprietary application available from the Intel website.

Communication

All access to the Intel AMT features is through the Intel Management Engine in the PC's hardware and firmware.[1] AMT communication depends on the state of the Management Engine, not the state of the PC's OS.

As part of the Intel Management Engine, the AMT OOB communication channel is based on the TCP/IP firmware stack designed into system hardware.[1] Because it is based on the TCP/IP stack, remote communication with AMT occurs via the network data path before communication is passed to the OS.

Intel AMT supports wired and wireless networks.[1][8][20][29] For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down. OOB communication is also available for wireless or wired notebooks connected to the corporate network over a host OS-based virtual private network (VPN) when notebooks are awake and working properly.

AMT version 4.0 and higher can establish a secure communication tunnel between a wired PC and an IT console outside the corporate firewall.[1][30] In this scheme, a management presence server (Intel calls this a "vPro-enabled gateway") authenticates the PC, opens a secure TLS tunnel between the IT console and the PC, and mediates communication.[1][31] The scheme is intended to help the user or PC itself request maintenance or service when at satellite offices or similar places where there is no on-site proxy server or management appliance.

Technology that secures communications outside a corporate firewall is relatively new. It also requires that an infrastructure be in place, including support from IT consoles and firewalls.

An AMT PC stores system configuration information in protected memory. For PCs version 4.0 and higher, this information can include the name(s) of appropriate "whitelist" management servers for the company. When a user tries to initiate a remote session between the wired PC and a company server from an open LAN, AMT sends the stored information to a management presence server (MPS) in the "demilitarized zone" ("DMZ") that exists between the corporate firewall and client (the user PC's) firewalls. The MPS uses that information to help authenticate the PC. The MPS then mediates communication between the laptop and the company's management servers.[1]

Because communication is authenticated, a secure communication tunnel can then be opened using TLS encryption. Once secure communications are established between the IT console and Intel AMT on the user's PC, a sys-admin can use the typical AMT features to remotely diagnose, repair, maintain, or update the PC.[1]

Design

Hardware

The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional[32] part in all current (as of 2015) Intel chipsets.[33]

Starting with ME 11, it is based on the Intel Quark x86-based 32-bit CPU and runs the MINIX 3 operating system. The ME state is stored in a partition of the SPI flash, using the Embedded Flash File System (EFFS).[34] Previous versions were based on an ARC core, with the Management Engine running the ThreadX RTOS from Express Logic. Versions 1.x to 5.x of the ME used the ARCTangent-A4 (32-bit only instructions) whereas versions 6.x to 8.x used the newer ARCompact (mixed 32- and 16-bit instruction set architecture). Starting with ME 7.1, the ARC processor could also execute signed Java applets.

The ME shares the host's network interface and IP address; the Ethernet controller routes packets addressed to TCP ports 16992–16995 to the ME rather than to the host OS, so this traffic is invisible to host-based firewalls and packet capture. Support for this exists in various Intel Ethernet controllers, exported and made configurable via the Management Component Transport Protocol (MCTP).[35][36] The ME also communicates with the host via a PCI interface.[34] Under Linux, host-to-ME communication goes through /dev/mei[33] or, more recently,[37] /dev/mei0.[38]

Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout.[39] With the newer Intel architectures (Intel 5 Series onwards), ME is included into the Platform Controller Hub (PCH).[40][41]

Firmware

  • Management Engine (ME) - mainstream chipsets
  • Server Platform Services (SPS) - server
  • Trusted Execution Engine (TXE) - tablet/mobile/low power

Security

Because AMT allows access to the PC below the OS level, security for the AMT features is a key concern.

Security for communications between Intel AMT and the provisioning service and/or management console can be established in different ways depending on the network environment. Security can be established via certificates and keys (TLS public key infrastructure, or TLS-PKI), pre-shared keys (TLS-PSK), or administrator password.[1][6]

Security technologies that protect access to the AMT features are built into the hardware and firmware. As with other hardware-based features of AMT, the security technologies are active even if the PC is powered off, the OS is crashed, software agents are missing, or hardware (such as a hard drive or memory) has failed.[1][6][42]

Because the software that implements AMT exists outside of the operating system, it is not kept up-to-date by the operating system's normal update mechanism. Security defects in the AMT software can therefore be particularly severe, as they will remain long after they have been discovered and become known to potential attackers.

On May 1, 2017, Intel published advisory SA-00075 for a critical vulnerability in AMT (CVE-2017-5689). According to the advisory, "The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use these technologies".[43] Intel announced partial availability of a firmware update to patch the vulnerability for some of the affected devices; because the fix lives in ME firmware, it must be delivered by each OEM rather than through OS updates.

Networking

While some protocols for in-band remote management use a secured network communication channel (for example Secure Shell), some other protocols are not secured. Thus some businesses have had to choose between having a secure network or allowing IT to use remote management applications without secure communications to maintain and service PCs.[1]

Modern security technologies and hardware designs allow remote management even in more secure environments. For example, Intel AMT supports IEEE 802.1x, Preboot Execution Environment (PXE), Cisco SDN, and Microsoft NAP.[1]

All AMT features are available in a secure network environment. With Intel AMT in the secure network environment:

  • The network can verify the security posture of an AMT-enabled PC and authenticate the PC before the OS loads and before the PC is allowed access to the network.
  • PXE boot can be used while maintaining network security. In other words, an IT administrator can use an existing PXE infrastructure in an IEEE 802.1x, Cisco SDN, or Microsoft NAP network.

Intel AMT can embed network security credentials in the hardware, via the Intel AMT Embedded Trust Agent and an AMT posture plug-in.[1][6] The plug-in collects security posture information, such as firmware configuration and security parameters from third-party software (such as antivirus software and antispyware), BIOS, and protected memory. The plug-in and trust agent can store the security profile(s) in AMT's protected, nonvolatile memory, which is not on the hard disk drive.

Because AMT has an out-of-band communication channel, AMT can present the PC's security posture to the network even if the PC's OS or security software is compromised. Since AMT presents the posture out-of-band, the network can also authenticate the PC out-of-band, before the OS or applications load and before they try to access the network. If the security posture is not correct, a system administrator can push an update OOB (via Intel AMT) or reinstall critical security software before letting the PC access the network.

Support for different security postures depends on the AMT release:

Technology

AMT includes several security schemes, technologies, and methodologies to secure access to the AMT features during deployment and during remote management.[1][6][42] AMT security technologies and methodologies include:

As with other aspects of Intel AMT, the security technologies and methodologies are built into the chipset.

Known vulnerabilities and exploits

Ring −3 rootkit

A ring −3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset; it does not work for the later Q45 chipset, as Intel implemented additional protections.[46] The exploit worked by remapping the normally protected memory region (top 16 MB of RAM) reserved for the ME. The ME rootkit could be installed regardless of whether the AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor. (The "−3" designation was chosen because the ME coprocessor works even when the system is in the S3 state, thus it was considered a layer below the System Management Mode rootkits.[39]) For the vulnerable Q35 chipset, a keystroke logger ME-based rootkit was demonstrated by Patrick Stewin.[47][48]

Zero-touch provisioning

Another security evaluation by Vassilios Ververis showed serious weaknesses in the GM45 chipset implementation. In particular, it criticized AMT for transmitting unencrypted passwords in the SMB provisioning mode when the IDE redirection and Serial over LAN features are used. It also found that the "zero touch" provisioning mode (ZTC) is still enabled even when the AMT appears to be disabled in BIOS. For about 60 euros, Ververis purchased from Go Daddy a certificate that is accepted by the ME firmware and allows remote "zero touch" provisioning of (possibly unsuspecting) machines, which broadcast their HELLO packets to would-be configuration servers.[49]

Silent Bob is Silent

In May 2017, Intel confirmed that many computers with AMT have an unpatched critical privilege-escalation vulnerability (CVE-2017-5689).[13][50][11][51][52] The vulnerability, nicknamed "Silent Bob is Silent" by the researchers who reported it to Intel,[53] affects numerous laptops, desktops and servers sold by Dell, Fujitsu, Hewlett-Packard (later Hewlett Packard Enterprise and HP Inc.), Intel, Lenovo, and possibly others.[53][54][55][56][57][58][59] Those researchers claimed that the bug affects systems made in 2010 or later.[60] Other reports claimed that it also affects systems made as long ago as 2008.[61][13] The vulnerability was described as giving remote attackers:

full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware (possibly in firmware), and read and modify any data.

— Tatu Ylönen, ssh.com[53]

The remote-user authorization check contained a programmer error. It compared the hash supplied by the client (user_response) with the expected hash computed by the firmware (computed_response) using:

strncmp(computed_response, user_response, response_length) 

The defect was that response_length was taken from the length of the client-supplied token rather than from the length of the expected one.

The third argument to strncmp caps how many characters are compared, so if it is shorter than computed_response only a prefix is checked. In particular, when user_response is the empty string (length 0), zero characters are compared and strncmp returns 0, which the code treats as a match, so the client is authenticated. Any client could therefore log in as the admin user by editing the HTTP request so that the response field carried an empty value.
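The following is an added example, not Intel's firmware code, that reproduces the Silent Bob comparison in isolation and places a hardened check beside it. It assumes the token is the hex-encoded HTTP Digest response field; the header parser, the digest value and the Authorization headers are constructed here for illustration.

```c
/* Added example (not Intel's code): the Silent Bob authorization bug.
 * Assumptions: the token is the hex HTTP Digest "response" value; the
 * parser, digest value and headers below are constructed for this demo. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Pull the value of response="..." out of an Authorization header.
 * Returns the number of bytes copied, or -1 if the field is absent.
 * Constructed parser for this example, not the AMT firmware's. */
static int extract_response(const char *hdr, char *out, size_t outsz)
{
    const char *p = strstr(hdr, "response=\"");
    if (!p) return -1;
    p += strlen("response=\"");
    const char *q = strchr(p, '"');
    if (!q) return -1;
    size_t n = (size_t)(q - p);
    if (n >= outsz) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Vulnerable check as described in the article: the compare length comes
 * from the attacker-controlled user_response, so an empty response compares
 * zero bytes and strncmp() returns 0 ("equal"); any correct prefix passes too. */
bool vulnerable_check(const char *computed_response, const char *user_response)
{
    size_t response_length = strlen(user_response);
    return strncmp(computed_response, user_response, response_length) == 0;
}

/* Hardened check: the supplied token must be exactly as long as the expected
 * digest, and every byte is compared without an early exit. */
bool hardened_check(const char *computed_response, const char *user_response)
{
    size_t expected_len = strlen(computed_response);
    if (expected_len == 0 || strlen(user_response) != expected_len)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < expected_len; i++)
        diff |= (unsigned char)(computed_response[i] ^ user_response[i]);
    return diff == 0;
}

/* Run a check against a raw header; returns 1 if access would be granted. */
int authorize(bool (*check)(const char *, const char *),
              const char *computed_response, const char *authorization_header)
{
    char user_response[128];
    if (extract_response(authorization_header, user_response,
                         sizeof user_response) < 0)
        return 0;
    return check(computed_response, user_response) ? 1 : 0;
}

int main(void)
{
    /* Constructed values: a fake 32-hex-digit digest the firmware would
     * compute, a header with a wrong token, and one with the empty response
     * field that the Silent Bob attack sends. */
    const char *computed = "3b0b1a8e2f8c4d9e5a6b7c8d9e0f1a2b";
    const char *wrong_hdr = "Digest username=\"admin\", realm=\"Digest:0123\", "
                            "nonce=\"abc\", uri=\"/index.htm\", "
                            "response=\"ffffffffffffffffffffffffffffffff\"";
    const char *empty_hdr = "Digest username=\"admin\", realm=\"Digest:0123\", "
                            "nonce=\"abc\", uri=\"/index.htm\", response=\"\"";

    printf("wrong token : vulnerable=%d hardened=%d\n",
           authorize(vulnerable_check, computed, wrong_hdr),
           authorize(hardened_check, computed, wrong_hdr));
    printf("empty token : vulnerable=%d hardened=%d\n",
           authorize(vulnerable_check, computed, empty_hdr),
           authorize(hardened_check, computed, empty_hdr));
    return 0;
}
```

The hardened version fixes two things at once: the length comes from the expected digest, not from the request, and the comparison does not stop at the first mismatch, so an attacker cannot recover the digest byte by byte from response timing either.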

PLATINUM

In June 2017, the PLATINUM advanced persistent threat group became notable for abusing the serial over LAN (SOL) capability of AMT to exfiltrate stolen documents; because SOL traffic is handled by the ME rather than the host network stack, it is not visible to firewalls or packet capture running on the host OS.[62][63][64][65][66][67][68][69]

SA-00086

In November 2017 serious flaws were detected in the Management Engine (ME) firmware by security firm Positive Technologies, who claimed to have developed a working exploit of this system for someone having physical access to a USB port.[70] On November 20, 2017, Intel confirmed that a number of serious flaws had been found in the Management Engine, Trusted Execution Engine, Server Platform Services and released a "critical firmware update".[71][72]

Avoidance and mitigation

PCs with AMT typically provide an option in the BIOS menu to switch off AMT, though OEMs implement BIOS features differently,[73] and therefore the BIOS setting is not a reliable way to switch off AMT. Intel-based PCs that shipped without AMT are not supposed to be able to have AMT installed later. However, as long as the PC's hardware is potentially capable of running AMT, it is unclear how effective these protections are.[74][75][76] Presently there are mitigation guides[77] and tools[78] to disable AMT on Windows, but Linux has only received a tool to check whether AMT is enabled and provisioned.[79] Disabling or unprovisioning AMT reduces exposure, but the only way to actually fix these vulnerabilities is to install a firmware update from the OEM. Intel has made a list of updates available.[80] Unlike for AMT, there is generally no official, documented way to disable the Management Engine (ME) itself; it is always on unless the OEM did not enable it at all.[81][82]

In 2015, a small number of competing vendors began to offer Intel-based PCs designed or modified specifically to address potential AMT vulnerabilities and related concerns.[83][84][85][86][10][87][88]


References

  1. (PDF). Intel. 2008. Archived from the original (PDF) on December 6, 2008. Retrieved August 7, 2008.
  2. "Intel vPro Chipset Lures MSPs, System Builders". ChannelWeb. Retrieved August 1, 2007.
  3. "A new dawn for remote management? A first glimpse at Intel's vPro platform". Ars Technica. February 6, 2007. Retrieved November 7, 2007.
  4. "Remote PC Management with Intel's vPro". Tom's Hardware Guide. April 26, 2007. Retrieved November 21, 2007.
  5. Gartner. Archived from the original on July 23, 2008. Retrieved August 7, 2008.
  6. Intel. June 26, 2008. Archived from the original on October 19, 2008. Retrieved August 12, 2008.
  7. Archived from the original on April 14, 2012. Retrieved April 30, 2012.
  8. (PDF). Intel. Archived from the original (PDF) on March 15, 2008. Retrieved July 15, 2008.
  9. "Intel MSP". Msp.intel.com. Retrieved May 25, 2016.
  10. "Purism Explains Why It Avoids Intel's AMT And Networking Cards For Its Privacy-Focused 'Librem' Notebooks". Tom's Hardware. August 29, 2016. Retrieved May 10, 2017.
  11. "Intel® Product Security Center". Security-center.intel.com. Retrieved May 7, 2017.
  12. Charlie Demerjian (May 1, 2017). "Remote security exploit in all 2008+ Intel platforms". SemiAccurate. Retrieved May 7, 2017.
  13. "Red alert! Intel patches remote execution hole that's been hidden in chips since 2010". Theregister.co.uk. Retrieved May 7, 2017.
  14. HardOCP: Purism Is Offering Laptops with Intel's Management Engine Disabled.
  15. System76 to disable Intel Management Engine on its notebooks.
  16. Garrison, Justin (March 28, 2011). "How to Remotely Control Your PC (Even When it Crashes)". Howtogeek.com. Retrieved May 7, 2017.
  17. "Open Manageability Developer Tool Kit | Intel® Software". Software.intel.com. Retrieved May 7, 2017.
  18. "Intel Active Management Technology System Defense and Agent Presence Overview" (PDF). Intel. February 2007. Retrieved August 16, 2008.
  19. Intel. Archived from the original on March 15, 2008. Retrieved June 30, 2008.
  20. Intel. Archived from the original on July 17, 2008. Retrieved July 15, 2008.
  21. Intel. Archived from the original on March 26, 2008. Retrieved August 14, 2008.
  22. "Intel® vPro™ Technology". Intel.
  23. "Part 3: Post Deployment of Intel vPro in an Altiris Environment: Enabling and Configuring Delayed Provisioning". Intel (forum). Retrieved September 12, 2008.
  24. (PDF). Archived from the original (PDF) on January 3, 2014. Retrieved July 20, 2013.
  25. Archived from the original on February 20, 2011. Retrieved December 26, 2010.
  26. "Intel vPro Provisioning" (PDF). HP (Hewlett Packard). Retrieved June 2, 2008.
  27. "vPro Setup and Configuration for the dc7700 Business PC with Intel vPro Technology" (PDF). HP (Hewlett Packard). Retrieved June 2, 2008. [permanent dead link]
  28. "Part 4: Post Deployment of Intel vPro in an Altiris Environment Intel: Partial UnProvDefault". Intel (forum). Retrieved September 12, 2008.
  29. "Technical Considerations for Intel AMT in a Wireless Environment". Intel. September 27, 2007. Retrieved August 16, 2008.
  30. "Intel Active Management Technology Setup and Configuration Service, Version 5.0" (PDF). Intel. Retrieved October 13, 2018.
  31. "Intel AMT - Fast Call for Help". Intel. August 15, 2008. Archived from the original on February 11, 2009. Retrieved August 17, 2008. (Intel developer's blog)
  32. Archived from the original on January 3, 2016. Retrieved January 16, 2016.
  33. Archived from the original on November 1, 2014. Retrieved February 25, 2014.
  34. Igor Skochinsky (Hex-Rays). "Rootkit in your laptop". Ruxcon Breakpoint 2012.
  35. "Intel Ethernet Controller I210 Datasheet" (PDF). Intel. 2013. pp. 1, 15, 52, 621–776. Retrieved November 9, 2013.
  36. "Intel Ethernet Controller X540 Product Brief" (PDF). Intel. 2012. Retrieved February 26, 2014.
  37. "samples: mei: use /dev/mei0 instead of /dev/mei · torvalds/linux@c4a46ac". GitHub. Retrieved July 14, 2021.
  38. "Introduction — The Linux Kernel documentation". www.kernel.org. Retrieved July 14, 2021.
  39. Joanna Rutkowska. "A Quest to the Core" (PDF). Invisiblethingslab.com. Retrieved May 25, 2016.
  40. (PDF). Archived from the original (PDF) on February 11, 2014. Retrieved February 26, 2014.
  41. ^ "Platforms II" (PDF). Users.nik.uni-obuda.hu. Retrieved May 25, 2016.
  42. ^ a b . Intel. August 27, 2007. Archived from the original on September 12, 2007. Retrieved August 7, 2007.
  43. ^ "Intel® AMT Critical Firmware Vulnerability". Intel. Retrieved June 10, 2017.
  44. ^ "Intel Software Network, engineer / developers forum". Intel. Archived from the original on August 13, 2011. Retrieved August 9, 2008.
  45. ^ "Cisco Security Solutions with Intel Centrino Pro and Intel vPro Processor Technology" (PDF). Intel. 2007.
  46. ^ (PDF). Invisiblethingslab.com. Archived from the original (PDF) on April 12, 2016. Retrieved May 25, 2016.
  47. ^ (PDF). Stewin.org. Archived from the original (PDF) on March 4, 2016. Retrieved May 25, 2016.
  48. ^ (PDF). Stewin.org. Archived from the original (PDF) on March 3, 2016. Retrieved May 25, 2016.
  49. ^ "Security Evaluation of Intel's Active Management Technology" (PDF). Web.it.kth.se. Retrieved May 25, 2016.
  50. ^ . Cve.mitre.org. Archived from the original on May 5, 2017. Retrieved May 7, 2017.
  51. ^ "Intel Hidden Management Engine - x86 Security Risk?". Darknet. June 16, 2016. Retrieved May 7, 2017.
  52. ^ Garrett, Matthew (May 1, 2017). "Intel's remote AMT vulnerablity". mjg59.dreamwidth.org. Retrieved May 7, 2017.
  53. ^ a b c "2017-05-05 ALERT! Intel AMT EXPLOIT OUT! IT'S BAD! DISABLE AMT NOW!". Ssh.com\Accessdate=2017-05-07.
  54. ^ Dan Goodin (May 6, 2017). "The hijacking flaw that lurked in Intel chips is worse than anyone thought". Ars Technica. Retrieved May 8, 2017.
  55. ^ "General: BIOS updates due to Intel AMT IME vulnerability - General Hardware - Laptop - Dell Community". En.community.dell.com. May 2, 2017. Retrieved May 7, 2017.
  56. ^ "Advisory note: Intel Firmware vulnerability – Fujitsu Technical Support pages from Fujitsu Fujitsu Continental Europe, Middle East, Africa & India". Support.ts.fujitsu.com. May 1, 2017. Retrieved May 8, 2017.
  57. ^ "HPE | HPE CS700 2.0 for VMware". H22208.www2.hpe.com. May 1, 2017. Retrieved May 7, 2017.
  58. ^ "Intel® Security Advisory regarding escalation o... |Intel Communities". Communities.intel.com. May 4, 2017. Retrieved May 7, 2017.
  59. ^ "Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Remote Privilege Escalation". Support.lenovo.com. Retrieved May 7, 2017.
  60. ^ . Embedi.com. Archived from the original on May 6, 2017. Retrieved May 7, 2017.
  61. ^ Charlie Demerjian (May 1, 2017). "Remote security exploit in all 2008+ Intel platforms". SemiAccurate.com. Retrieved May 7, 2017.
  62. ^ "Sneaky hackers use Intel management tools to bypass Windows firewall". June 9, 2017. Retrieved June 10, 2017.
  63. ^ Tung, Liam. "Windows firewall dodged by 'hot-patching' spies using Intel AMT, says Microsoft - ZDNet". ZDNet. Retrieved June 10, 2017.
  64. ^ "PLATINUM continues to evolve, find ways to maintain invisibility". June 7, 2017. Retrieved June 10, 2017.
  65. ^ "Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls". Retrieved June 10, 2017.
  66. ^ "Hackers abuse low-level management feature for invisible backdoor". iTnews. Retrieved June 10, 2017.
  67. ^ "Vxers exploit Intel's Active Management for malware-over-LAN • The Register". www.theregister.co.uk. Retrieved June 10, 2017.
  68. ^ Security, heise. "Intel-Fernwartung AMT bei Angriffen auf PCs genutzt". Security. Retrieved June 10, 2017.
  69. ^ "PLATINUM activity group file-transfer method using Intel AMT SOL". Channel 9. Retrieved June 10, 2017.
  70. ^ Researchers find almost EVERY computer with an Intel Skylake and above CPU can be owned via USB.
  71. ^ "Intel® Management Engine Critical Firmware Update (Intel SA-00086)". Intel.
  72. ^ Newman, Lily Hay. "Intel Chip Flaws Leave Millions of Devices Exposed". Wired.
  73. ^ "Disabling AMT in BIOS". software.intel.com. December 28, 2010. Retrieved May 17, 2017.
  74. ^ "Are consumer PCs safe from the Intel ME/AMT exploit? - SemiAccurate". semiaccurate.com. May 3, 2017.
  75. ^ "Intel x86s hide another CPU that can take over your machine (you can't audit it)". Boing Boing. June 15, 2016. Retrieved May 11, 2017.
  76. ^ "[coreboot] : AMT bug". Mail.coreboot.org. May 11, 2017. Retrieved June 13, 2017.
  77. ^ "Disabling Intel AMT on Windows (and a simpler CVE-2017-5689 Mitigation Guide)". Social Media Marketing | Digital Marketing | Electronic Commerce. May 3, 2017. Retrieved May 17, 2017.
  78. ^ "bartblaze/Disable-Intel-AMT". GitHub. Retrieved May 17, 2017.
  79. ^ "mjg59/mei-amt-check". GitHub. Retrieved May 17, 2017.
  80. ^ "Intel® AMT Critical Firmware Vulnerability". Intel. Retrieved May 17, 2017.
  81. ^ . Archived from the original on August 28, 2017. Retrieved August 30, 2017.
  82. ^ "Intel Patches Major Flaws in the Intel Management Engine". Extreme Tech.
  83. ^ Vaughan-Nichols, Steven J. "Taurinus X200: Now the most 'Free Software' laptop on the planet - ZDNet". ZDNet.
  84. ^ Kißling, Kristian. "Libreboot: Thinkpad X220 ohne Management Engine » Linux-Magazin". Linux-Magazin.
  85. ^ online, heise. "Libiquity Taurinus X200: Linux-Notebook ohne Intels Management Engine". heise online.
  86. ^ "Intel AMT Vulnerability Shows Intel's Management Engine Can Be Dangerous". May 2, 2017.
  87. ^ "The Free Software Foundation loves this laptop, but you won't".
  88. ^ "FSF Endorses Yet Another (Outdated) Laptop - Phoronix". phoronix.com.

External links

  • Open AMT Cloud Toolkit
  • MeshCentral2
  • Intel Manageability Commander
  • Implementing Intel AMT
  • Intel Security Center
  • Intel Active Management Technology
  • Intel vPro Expert Center
  • Intel 82573E Gigabit Ethernet Controller (Tekoa)
  • ARC4 Processor
  • AMT videos (select the desktop channel)
  • Intel vPro/AMT as a hardware antivirus
  • Intel ME Secrets: Hidden code in your chipset and how to discover what exactly it does by Igor Skochinsky, talk at Code Blue 2014
  • Using Intel AMT and the Intel NUC with Ubuntu

not of the true token Since the third argument for strncmp is the length of the two strings to be compared if it is less than the length of computed response only a part of the string will be tested for equality Specifically if user response is the empty string with length 0 this comparison will always return true and thus validate the user This allowed any person to simply log into the admin account on the devices by editing their sent HTTP packet to use the empty string as the response field s value PLATINUM Edit In June 2017 the PLATINUM cybercrime group became notable for exploiting the serial over LAN SOL capabilities of AMT to perform data exfiltration of stolen documents 62 63 64 65 66 67 68 69 SA 00086 Edit In November 2017 serious flaws were detected in the Management Engine ME firmware by security firm Positive Technologies who claimed to have developed a working exploit of this system for someone having physical access to a USB port 70 On November 20 2017 Intel confirmed that a number of serious flaws had been found in the Management Engine Trusted Execution Engine Server Platform Services and released a critical firmware update 71 72 Avoidance and mitigation EditPCs with AMT typically provide an option in the BIOS menu to switch off AMT though OEMs implement BIOS features differently 73 and therefore the BIOS is not a reliable method to switch off AMT Intel based PCs that shipped without AMT are not supposed to be able to have AMT installed later However as long as the PC s hardware is potentially capable of running the AMT it is unclear how effective these protections are 74 75 76 Presently there are mitigation guides 77 and tools 78 to disable AMT on Windows but Linux has only received a tool to check whether AMT is enabled and provisioned on Linux systems 79 The only way to actually fix this vulnerability is to install a firmware update Intel has made a list of updates available 80 Unlike for AMT there is generally no official documented way to 
disable the Management Engine ME it is always on unless it is not enabled at all by the OEM 81 82 In 2015 a small number of competing vendors began to offer Intel based PCs designed or modified specifically to address potential AMT vulnerabilities and related concerns 83 84 85 86 10 87 88 See also EditBackdoor computing Host Embedded Controller Interface HP Integrated Lights Out Intel CIRA Intel Core Internet kill switch Platform Controller Hub Lights out management Southbridge computing System Service Processor Intel AMT versions Intel Management Engine Intel vProReferences Edit a b c d e f g h i j k l m n o p q r s t u v w x y z aa ab ac ad ae af ag ah ai aj ak al am an ao ap aq ar as at au av aw ax ay az ba bb bc bd Intel Centrino 2 with vPro Technology and Intel Core2 Processor with vPro Technology PDF Intel 2008 Archived from the original PDF on December 6 2008 Retrieved August 7 2008 Intel vPro Chipset Lures MSPs System Builders ChannelWeb Retrieved August 1 2007 A new dawn for remote management A first glimpse at Intel s vPro platform ars technica February 6 2007 Retrieved November 7 2007 Remote Pc Management with Intel s vPro Tom s Hardware Guide April 26 2007 Retrieved November 21 2007 a b c d Revisiting vPro for Corporate Purchases Gartner Archived from the original on July 23 2008 Retrieved August 7 2008 a b c d e f g h i j k l m n o p q Architecture Guide Intel Active Management Technology Intel June 26 2008 Archived from the original on October 19 2008 Retrieved August 12 2008 Archived copy Archived from the original on April 14 2012 Retrieved April 30 2012 a href Template Cite web html title Template Cite web cite web a CS1 maint archived copy as title link a b Intel Centrino 2 with vPro Technology PDF Intel Archived from the original PDF on March 15 2008 Retrieved July 15 2008 Intel MSP Msp intel com Retrieved May 25 2016 a b Purism Explains Why It Avoids Intel s AMT And Networking Cards For Its Privacy Focused Librem Notebooks Tom s Hardware August 
29 2016 Retrieved May 10 2017 a b Intel Product Security Center Security center intel com Retrieved May 7 2017 Charlie Demerjian May 1 2017 Remote security exploit in all 2008 Intel platforms SemiAccurate Retrieved May 7 2017 a b c Red alert Intel patches remote execution hole that s been hidden in chips since 2010 Theregister co uk Retrieved May 7 2017 HardOCP Purism Is Offering Laptops with Intel s Management Engine Disabled System76 to disable Intel Management Engine on its notebooks Garrison Justin March 28 2011 How to Remotely Control Your PC Even When it Crashes Howtogeek com Retrieved May 7 2017 Open Manageability Developer Tool Kit Intel Software Software intel com Retrieved May 7 2017 a b c d e f g Intel Active Management Technology System Defense and Agent Presence Overview PDF Intel February 2007 Retrieved August 16 2008 a b c Intel Centrino 2 with vPro Technology Intel Archived from the original on March 15 2008 Retrieved June 30 2008 a b New Intel Based Laptops Advance All Facets of Notebook PCs Intel Archived from the original on July 17 2008 Retrieved July 15 2008 Understanding Intel AMT over wired vs wireless video Intel Archived from the original on March 26 2008 Retrieved August 14 2008 Intel vPro Technology Intel a b Part 3 Post Deployment of Intel vPro in an Altiris Environment Enabling and Configuring Delayed Provisioning Intel forum Retrieved September 12 2008 Archived copy PDF Archived from the original PDF on January 3 2014 Retrieved July 20 2013 a href Template Cite web html title Template Cite web cite web a CS1 maint archived copy as title link Intel Management and Security Status IMSS advanced configurations Part 9 Intel Software Network Blogs Archived from the original on February 20 2011 Retrieved December 26 2010 Intel vPro Provisioning PDF HP Hewlett Packard Retrieved June 2 2008 vPro Setup and Configuration for the dc7700 Business PC with Intel vPro Technology PDF HP Hewlett Packard Retrieved June 2 2008 permanent dead link Part 4 
Post Deployment of Intel vPro in an Altiris Environment Intel Partial UnProvDefault Intel forum Retrieved September 12 2008 Technical Considerations for Intel AMT in a Wireless Environment Intel September 27 2007 Retrieved August 16 2008 Intel Active Management Technology Setup and Configuration Service Version 5 0 PDF Intel Retrieved October 13 2018 Intel AMT Fast Call for Help Intel August 15 2008 Archived from the original on February 11 2009 Retrieved August 17 2008 Intel developer s blog Intel x86 considered harmful New paper Archived from the original on January 3 2016 Retrieved January 16 2016 a b Archived copy Archived from the original on November 1 2014 Retrieved February 25 2014 a href Template Cite web html title Template Cite web cite web a CS1 maint archived copy as title link a b Igor Skochinsky Hex Rays Rootkit in your laptop Ruxcon Breakpoint 2012 Intel Ethernet Controller I210 Datasheet PDF Intel 2013 pp 1 15 52 621 776 Retrieved November 9 2013 Intel Ethernet Controller X540 Product Brief PDF Intel 2012 Retrieved February 26 2014 samples mei use dev mei0 instead of dev mei torvalds linux c4a46ac GitHub Retrieved July 14 2021 Introduction The Linux Kernel documentation www kernel org Retrieved July 14 2021 a b Joanna Rutkowska A Quest to the Core PDF Invisiblethingslab com Retrieved May 25 2016 Archived copy PDF Archived from the original PDF on February 11 2014 Retrieved February 26 2014 a href Template Cite web html title Template Cite web cite web a CS1 maint archived copy as title link Platforms II PDF Users nik uni obuda hu Retrieved May 25 2016 a b New Intel vPro Processor Technology Fortifies Security for Business PCs news release Intel August 27 2007 Archived from the original on September 12 2007 Retrieved August 7 2007 Intel AMT Critical Firmware Vulnerability Intel Retrieved June 10 2017 Intel Software Network engineer developers forum Intel Archived from the original on August 13 2011 Retrieved August 9 2008 Cisco Security Solutions 
with Intel Centrino Pro and Intel vPro Processor Technology PDF Intel 2007 Invisible Things Lab to present two new technical presentations disclosing system level vulnerabilities affecting modern PC hardware at its core PDF Invisiblethingslab com Archived from the original PDF on April 12 2016 Retrieved May 25 2016 Berlin Institute of Technology FG Security in telecommunications Evaluating Ring 3 Rootkits PDF Stewin org Archived from the original PDF on March 4 2016 Retrieved May 25 2016 Persistent Stealthy Remote controlled Dedicated Hardware Malware PDF Stewin org Archived from the original PDF on March 3 2016 Retrieved May 25 2016 Security Evaluation of Intel s Active Management Technology PDF Web it kth se Retrieved May 25 2016 CVE CVE 2017 5689 Cve mitre org Archived from the original on May 5 2017 Retrieved May 7 2017 Intel Hidden Management Engine x86 Security Risk Darknet June 16 2016 Retrieved May 7 2017 Garrett Matthew May 1 2017 Intel s remote AMT vulnerablity mjg59 dreamwidth org Retrieved May 7 2017 a b c 2017 05 05 ALERT Intel AMT EXPLOIT OUT IT S BAD DISABLE AMT NOW Ssh com Accessdate 2017 05 07 Dan Goodin May 6 2017 The hijacking flaw that lurked in Intel chips is worse than anyone thought Ars Technica Retrieved May 8 2017 General BIOS updates due to Intel AMT IME vulnerability General Hardware Laptop Dell Community En community dell com May 2 2017 Retrieved May 7 2017 Advisory note Intel Firmware vulnerability Fujitsu Technical Support pages from Fujitsu Fujitsu Continental Europe Middle East Africa amp India Support ts fujitsu com May 1 2017 Retrieved May 8 2017 HPE HPE CS700 2 0 for VMware H22208 www2 hpe com May 1 2017 Retrieved May 7 2017 Intel Security Advisory regarding escalation o Intel Communities Communities intel com May 4 2017 Retrieved May 7 2017 Intel Active Management Technology Intel Small Business Technology and Intel Standard Manageability Remote Privilege Escalation Support lenovo com Retrieved May 7 2017 MythBusters CVE 2017 
5689 Embedi com Archived from the original on May 6 2017 Retrieved May 7 2017 Charlie Demerjian May 1 2017 Remote security exploit in all 2008 Intel platforms SemiAccurate com Retrieved May 7 2017 Sneaky hackers use Intel management tools to bypass Windows firewall June 9 2017 Retrieved June 10 2017 Tung Liam Windows firewall dodged by hot patching spies using Intel AMT says Microsoft ZDNet ZDNet Retrieved June 10 2017 PLATINUM continues to evolve find ways to maintain invisibility June 7 2017 Retrieved June 10 2017 Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls Retrieved June 10 2017 Hackers abuse low level management feature for invisible backdoor iTnews Retrieved June 10 2017 Vxers exploit Intel s Active Management for malware over LAN The Register www theregister co uk Retrieved June 10 2017 Security heise Intel Fernwartung AMT bei Angriffen auf PCs genutzt Security Retrieved June 10 2017 PLATINUM activity group file transfer method using Intel AMT SOL Channel 9 Retrieved June 10 2017 Researchers find almost EVERY computer with an Intel Skylake and above CPU can be owned via USB Intel Management Engine Critical Firmware Update Intel SA 00086 Intel Newman Lily Hay Intel Chip Flaws Leave Millions of Devices Exposed Wired Disabling AMT in BIOS software intel com December 28 2010 Retrieved May 17 2017 Are consumer PCs safe from the Intel ME AMT exploit SemiAccurate semiaccurate com May 3 2017 Intel x86s hide another CPU that can take over your machine you can t audit it Boing Boing June 15 2016 Retrieved May 11 2017 coreboot AMT bug Mail coreboot org May 11 2017 Retrieved June 13 2017 Disabling Intel AMT on Windows and a simpler CVE 2017 5689 Mitigation Guide Social Media Marketing Digital Marketing Electronic Commerce May 3 2017 Retrieved May 17 2017 bartblaze Disable Intel AMT GitHub Retrieved May 17 2017 mjg59 mei amt check GitHub Retrieved May 17 2017 Intel AMT Critical Firmware Vulnerability Intel Retrieved May 17 2017 Positive 
Technologies Blog Disabling Intel ME 11 via undocumented mode Archived from the original on August 28 2017 Retrieved August 30 2017 Intel Patches Major Flaws in the Intel Management Engine Extreme Tech Vaughan Nichols Steven J Taurinus X200 Now the most Free Software laptop on the planet ZDNet ZDNet Kissling Kristian Libreboot Thinkpad X220 ohne Management Engine Linux Magazin Linux Magazin online heise Libiquity Taurinus X200 Linux Notebook ohne Intels Management Engine heise online Intel AMT Vulnerability Shows Intel s Management Engine Can Be Dangerous May 2 2017 The Free Software Foundation loves this laptop but you won t FSF Endorses Yet Another Outdated Laptop Phoronix phoronix com External links EditOpen AMT Cloud Toolkit MeshCentral2 Intel Manageability Commander Implementing Intel AMT Intel Security Center Intel Active Management Technology Intel Manageability Developer Community Intel vPro Expert Center Intel 82573E Gigabit Ethernet Controller Tekoa ARC4 Processor AMT videos select the desktop channel Intel AMT Client Radmin Viewer 3 3 Intel vPro AMT as a hardware antivirus AMT Over the Internet Provisioning OOB Manager Intel ME Secrets Hidden code in your chipset and how to discover what exactly it does by Igor Skochinsky talk at Code Blue 2014 Using Intel AMT and the Intel NUC with Ubuntu Retrieved from https en wikipedia org w index php title Intel Active Management Technology amp oldid 1171170085, wikipedia, wiki, book, books, library,
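The strncmp defect described under "Silent Bob is Silent" above, modelled as an added example that is not code from the article or from Intel's firmware: the flawed check next to a corrected one. The function names and the sample digest are constructed for illustration; the real response hash is derived from the credentials and the server nonce.

```c
/* Added example, not from the article or from Intel's AMT firmware.
 * Models the CVE-2017-5689 authorization defect as the article describes it
 * (a user-controlled length passed to strncmp) beside a corrected check.
 * Names and values below are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the server-side computed_response hash. */
#define SAMPLE_DIGEST "00112233445566778899aabbccddeeff"

/* The flawed check as described: response_length is taken from the
 * client-supplied token, so a short token truncates the comparison and an
 * empty token (length 0) compares nothing; strncmp then returns 0, which
 * the caller treats as "match". */
static bool check_digest_vulnerable(const char *computed, const char *user)
{
    size_t response_length = strlen(user);        /* attacker-controlled */
    return strncmp(computed, user, response_length) == 0;
}

/* Corrected check: the token must be exactly as long as the TRUE hash, and
 * every byte is compared in constant time so the result does not leak how
 * many leading bytes matched. */
static bool check_digest_fixed(const char *computed, const char *user)
{
    size_t expected_length = strlen(computed);    /* length of the true hash */
    if (strlen(user) != expected_length)
        return false;                             /* rejects "" and prefixes */
    unsigned char diff = 0;
    for (size_t i = 0; i < expected_length; i++)
        diff |= (unsigned char)computed[i] ^ (unsigned char)user[i];
    return diff == 0;
}

int main(void)
{
    /* Constructed inputs: the correct digest, a wrong digest, a prefix, and
     * the empty string that triggered the bypass. */
    const char *cases[] = { SAMPLE_DIGEST, "ffeeddccbbaa99887766554433221100",
                            "00112233", "" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("token \"%s\": vulnerable=%d fixed=%d\n", cases[i],
               check_digest_vulnerable(SAMPLE_DIGEST, cases[i]),
               check_digest_fixed(SAMPLE_DIGEST, cases[i]));
    return 0;
}
```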