xorgd
Paper Tape
Posts: 3
Location: USA
26,098 Views
Message 1 of 6

Intel AMT backdoor enabled by default

Hi,

Intel AMT is nothing else than a backdoor built into your system.
Dell Latitude/HP EliteBooks both offer an option when you buy the PC to remove out-of-band management (AMT) but still get the functionality of vPro like VT-x/VT-d for virtualisation.
You can even activate it later (software level) if you want to experiment but at least, you have the choice.

By default, on ThinkPads that support vPro, AMT is enabled and pre-provisioned with root CA keys from, for example, VeriSign/GoDaddy.
This means that an attacker with access to your network could purchase an AMT cert and provision your machine without you ever knowing.

Plus, a rootkit has been made against AMT so even if it's disabled in the BIOS (the right way by doing a full unprovisioning, NOT by changing manageability feature selection from AMT to none), the rootkit would still be active!

From Invisible Things Lab: Can a user disable AMT in BIOS?

"Yes, but our rootkit would still be active. We have determined that some AMT code is still being executed, regardless of whether AMT is disabled in BIOS or not. In our proof of concept rootkit we decided to subvert this very AMT code."

I'm a ThinkPad fan but if you do not offer an option to remove AMT when you buy it, at least don't enable it by default so the users will not be vulnerable. This post is not a question but a suggestion to Lenovo.

Thanks

Community SeniorMod
Posts: 2,994
Location: US
25,945 Views
Message 2 of 6

Re: Intel AMT backdoor enabled by default

Hello,

I found the quotation you referenced on Joanna Rutkowska's web site: Invisible Things Lab to present two new technical presentations disclosing system-levelvulnerabiliti... [PDF, press release] which is in reference to two presentations given at Black Hat 2009, Introducing Ring -3 Rootkits [PDF, slide deck] and Attacking Intel BIOS [PDF, paper].

Here are Intel's advisories from that year [2009] confirming that fixes had been released for the vulnerabilities discovered by Joanna's team:

If you have three-to-four year old hardware in the field which you have not patched for this, you may wish to do so using Lenovo's ThinkVantage System Update, ThinkVantage Update Retriever or similar technology you use for configuration management to install the latest BIOS firmware into them. If that is not possible for some reason, I would suggest limiting access to the hardware, as it seems exploiting this requires direct physical access to the computer, assuming I understood the Black Hat 2009 presentations correctly.

Regards,

Aryeh Goretsky

I am a volunteer and neither a Lenovo nor a Microsoft employee.

L380 Yoga, P50 (20EN-*), S230u (3347-4HU), T23 (2648-LU7), T42 (2378-R4U), T43p (2678-H7U), T61p (6459-CTO), W510 (4318-CTO), W530 (2441-4R3), W530 (2441-4R3), X100e (3508-CTO), X120e (0596-CTO), X220 (4286-CTO), X250 (20CM-*), Yoga 370
Abir
Fanfold Paper
Posts: 37
Location: Pennsylvania
25,707 Views
Message 3 of 6

Re: Intel AMT backdoor enabled by default

Requesting assistance to determine/verify if my X220 that has AMT is vulnerable to hacking or allows any kind of access to my computer. I purchased my X220 seeking only AES-NI and was ignorant of AMT. I have since learned it is an IC on the mobo with its own BIOS and communications capability (even when the computer is powered OFF) to enable an outside admin to access and manipulate the computer. I am a non-corporate user and this appalls me.

So I removed some components from my X220. And, indeed, System Update 5 tells me that I need Intel AMT 7.1 MEI and SOL drivers and Intel AMT 7.1 IPT. I also have Intel AMT Control set to "Disabled" in the X220 BIOS. But I fear this does not mean I have rendered AMT unable to receive commands or send out a request for configuration. I do NOT want Out of Band Remote Access!!

I downloaded and ran the Intel AMT Diagnostic Tool and the scan and test results disturb me. I cannot really understand them because I don't understand the Intel terminology and concepts re "configuration," "enabled," "set up".

Here are the scan/test results: I have AMT Version 7.1.20.1119. The Code Version is AMT Pro/Corporate (24584). For AMT SMBIOS Table, AMT Enabled is "True." For Security Parameters, Provisioning State is "Pre", and the result is "True" for Network Interface Enabled, SOL Enabled and IDER Enabled. The Provisioning Mode is "Enterprise," and re OptIn Remote and Remote Configuration Enabled the result is "True." The Server port for this is 9971. Test could not be run because "user date missing" for PKI Provisioning, Server Certificate and Active Directory. Regarding IPV6 LAN Interface, both wired and wireless, and also IPV6 Interface Settings, wired and wireless, Enabled is "False."

So is my X220 safe from outside attack/manipulation via the AMT?
Community SeniorMod
Posts: 2,994
Location: US
25,678 Views
Message 4 of 6

Re: Intel AMT backdoor enabled by default

Hello,

It sounds like you have successfully disabled the feature.

Regards,

Aryeh Goretsky

Abir
Fanfold Paper
Posts: 37
Location: Pennsylvania
25,669 Views
Message 5 of 6

Re: Intel AMT backdoor enabled by default

Hi Aryeh: Thanks for your quick reply. However, my understanding of the Intel AMT Diagnostic Tool readout does NOT give me comfort as to "disabling" of the AMT on my X220. The Intel terminology is opaque.

Also, please note this statement in Intel® Active Management Technology Validation Tools User Guide June 2007 Revision 1.1: "Intel® AMT’s features can be summarized as follows:...3. Tamper Resistant: • Intel® AMT agent bound to the PC and configured by IT, Difficult for end-user to modify or disable." Also, I have seen that each OEM implements AMT differently.

What I need is clear instructions from Lenovo re how to ensure that the AMT on my X220 is not capable of communicating with the outside world or being contacted by the outside world. I recall reading somewhere that you actually have to first set up the AMT and then adjust the settings of the Management Engine so that you "turn it off." Please please tell me how to get these instructions from Lenovo--precisely because, as Intel has stated, it is "difficult for the end-user to modify or disable." Thanks.
Community SeniorMod
Posts: 2,994
Location: US
25,637 Views
Message 6 of 6

Re: Intel AMT backdoor enabled by default

Hello,

In the BIOS of my X220, I have disabled the AMT functionality as follows:

  1. Selected Config ► Intel(R) AMT.
  2. Toggled Intel (R) AMT Control to [Disabled].

I think the comments about it being difficult for end-users to modify are more geared at making management happy. The functionality is toggled in the BIOS, and access to the BIOS can be controlled by IT through things like supervisory passwords, which is really what makes it difficult for end users to disable (no ability to change BIOS firmware settings = no ability for end-users to disable AMT).

From what I've read, you can try connecting to your laptop from another computer on the same network at port 16992 if AMT is running. You could try that and see if a connection is made—be sure to temporarily disable your firewall, though, for testing purposes. So, if the X220 was located at 192.168.1.5, you could try accessing it by entering "http://192.168.1.5:16992" in the other computer's web browser.

If you need some kind of official response from Lenovo, I think your best bet is to contact support directly, as this is more of a user-to-user support forum than a direct conduit for Lenovo employee-customer interactions (although, obviously, a number of Lenovo employees do help out in the forum).

Regards,

Aryeh Goretsky
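The reachability check suggested in the last reply, written as a script; this is an added example and not part of any post in the thread. It assumes the AMT web interface identifies itself in its HTTP `Server` header with the text shown, and it adds port 16993 (AMT's TLS port) alongside the 16992 named in the reply; the function names and the sample response are constructed for illustration.

```python
import socket
import sys

# 16992 is the port named in the reply; 16993 (AMT's TLS port) is added here.
AMT_PORTS = (16992, 16993)
# Assumption: the AMT web UI names itself like this in its HTTP Server header.
AMT_SERVER_MARKER = "Active Management Technology"
# Constructed sample response, not captured from a real machine.
SAMPLE_AMT_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                       b"Server: Intel(R) Active Management Technology 7.1.20\r\n"
                       b"Content-Type: text/html\r\n\r\n<html>")

def classify_banner(raw: bytes) -> str:
    """Classify whatever a candidate AMT port sent back to a plain HTTP GET."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return "open-unknown"      # e.g. a TLS port, or a silent listener
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server" and AMT_SERVER_MARKER in value:
            return "amt-web-ui"
    return "open-http"             # some other web server owns the port

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host:port from a second machine and report what answers."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except OSError:                # timeout, no route, host firewall drop
        return "filtered-or-unreachable"
    data = b""
    with sock:
        try:
            sock.sendall(b"GET / HTTP/1.1\r\nHost: %b\r\nConnection: close\r\n\r\n"
                         % host.encode())
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass                   # reset/timeout after connect: still open
    return classify_banner(data)

if __name__ == "__main__":
    target = sys.argv[1]           # e.g. the X220's LAN address
    for p in AMT_PORTS:
        print(f"{target}:{p} -> {probe(target, p)}")
```

Run it from another computer on the same network, as the reply describes. A result of `closed` or `filtered-or-unreachable` only describes what that vantage point saw on those ports; it does not report the provisioning state shown by the diagnostic tool.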