08-09-2012 04:25 PM - edited 08-10-2012 09:15 AM
Intel AMT is nothing other than a backdoor built into your system.
Dell Latitude/HP Elitebooks both offer an option when you buy the PC to remove out of band management (AMT) but still get the functionality of vPro like VT-x/VT-d for virtualisation.
You can even activate it later (software level) if you want to experiment but at least, you have the choice.
By default, on ThinkPads that support vPro, AMT is enabled and pre-provisioned with root CA keys from for example VeriSign/GoDaddy.
This means that an attacker with access to your network could purchase an AMT cert and provision your machine without you ever knowing.
Plus, a rootkit has been made against AMT so even if it's disabled in the BIOS (the right way by doing a full unprovisioning, NOT by changing manageability feature selection from AMT to none), the rootkit would still be active!
From Invisible Things Lab : Can a user disable AMT in BIOS?
"Yes, but our rootkit would still be active. We have determined that some AMT code is still being executed, regardless of whether AMT is disabled in BIOS or not. In our proof of concept rootkit we decided to subvert this very AMT code."
I'm a thinkpad fan but if you do not offer an option to remove AMT when you buy it, at least don't enable it by default so the users will not be vulnerable. This post is not a question but a suggestion to lenovo.
08-15-2012 01:29 AM
I found the quotation you referenced on Joanna Rutkowska's web site: Invisible Things Lab to present two new technical presentations disclosing system-level vulnerabiliti... [PDF, press release] which is in reference to two presentations given at Black Hat 2009, Introducing Ring -3 Rootkits [PDF, slide deck] and Attacking Intel BIOS [PDF, paper].
Here are Intel's advisories from that year confirming that fixes had been released for the vulnerabilities discovered by Joanna's team:
If you have three- to four-year-old hardware in the field which you have not patched for this, you may wish to do so using Lenovo's ThinkVantage System Update, ThinkVantage Update Retriever or similar technology you use for configuration management to install the latest BIOS firmware into them. If that is not possible for some reason, I would suggest limiting access to the hardware, as it seems exploiting this requires direct physical access to the computer, assuming I understood the Black Hat 2009 presentations correctly.
09-30-2012 08:46 AM
10-01-2012 12:52 AM
It sounds like you have successfully disabled the feature.
10-01-2012 06:58 AM
10-03-2012 01:30 AM
In the BIOS of my X220, I have disabled the AMT functionality as follows:
I think the comments about it being difficult for end-users to modify are more geared at making management happy. The functionality is toggled in the BIOS, and access to the BIOS can be controlled by IT through things like supervisory passwords, which is really what makes it difficult for end users to disable (no ability to change BIOS firmware settings = no ability for end-users to disable AMT).
From what I've read, you can try connecting to your laptop from another computer on the same network at port 16992 if AMT is running. You could try that and see if a connection is made—be sure to temporarily disable your firewall, though, for testing purposes. So, if the X220 was located at 192.168.1.5, you could try accessing it by entering "http://192.168.1.5:16992" in the other computer's web browser.
If you need some kind of official response from Lenovo, I think your best bet is to contact support directly, as this is more of a user-to-user support forum than a direct conduit for Lenovo employee-customer interactions (although, obviously, a number of Lenovo employees do help out in the forum).
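The port check suggested above can be scripted so you can verify on your own machines that AMT really is off after changing the BIOS setting. The following is an added example, not code from the thread or from Lenovo: it opens a TCP connection to the AMT web ports and looks for Intel's manageability banner in the HTTP `Server` header. The 16993 TLS port, the banner strings and the default target 192.168.1.5 (the address used in the post above) are assumptions; only 16992 is mentioned in the thread.

```python
"""Check whether a host answers on the Intel AMT web ports (16992/16993).

Defensive use: confirm on your own hardware that AMT is disabled after
changing the BIOS setting. Added example, not code from the forum thread.
"""
import http.client
import socket
import ssl
import sys

# 16992 is AMT's plain-HTTP web UI. 16993 is the TLS variant; the thread only
# mentions 16992, so treating 16993 as its companion port is an assumption.
AMT_PORTS = {16992: False, 16993: True}  # port -> uses TLS

# Banner fragments AMT firmware is known to place in the Server header
# (assumption: exact wording varies between firmware versions).
AMT_SERVER_MARKERS = (
    "Intel(R) Active Management Technology",
    "Intel(R) Standard Manageability",
)


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_server_header(host, port, use_tls, timeout=2.0):
    """Issue GET / and return the Server header, or None on any failure."""
    try:
        if use_tls:
            # AMT ships a self-signed certificate; we only read a header, so
            # certificate verification is deliberately skipped for this probe.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        header = resp.getheader("Server")
        conn.close()
        return header
    except (OSError, http.client.HTTPException):
        return None


def looks_like_amt(server_header):
    """True when the Server header carries one of the AMT banner fragments."""
    if not server_header:
        return False
    return any(marker in server_header for marker in AMT_SERVER_MARKERS)


def probe_amt(host, ports=AMT_PORTS, timeout=2.0):
    """Probe each port; return {port: {"open", "server", "amt"}}."""
    results = {}
    for port, use_tls in ports.items():
        if not tcp_open(host, port, timeout):
            results[port] = {"open": False, "server": None, "amt": False}
            continue
        server = fetch_server_header(host, port, use_tls, timeout)
        results[port] = {"open": True, "server": server, "amt": looks_like_amt(server)}
    return results


def amt_detected(results):
    """True if any probed port answered with an AMT banner."""
    return any(r["amt"] for r in results.values())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.5"
    res = probe_amt(target)
    for port, r in sorted(res.items()):
        print(f"{target}:{port} open={r['open']} server={r['server']!r} amt={r['amt']}")
    print("AMT appears", "ENABLED" if amt_detected(res) else "disabled or unreachable")
```

Run it from another machine on the same network, as the post describes, with the laptop's firewall temporarily down. A closed port or a port that answers without the Intel banner both count as "not AMT"; only the banner match is taken as evidence the management engine's web server is still listening.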