Intel Hardware Accelerated Execution Manager Øâ¯ã˜â§ã™â€ Ù„ã™ë†ã˜â¯

Hardware and firmware

A role of the Intel AMT web direction interface, accessible even when the computer is sleeping

Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers,^{[1] [2] [3] [4] [5]} running on the Intel Management Engine, a split microprocessor not exposed to the user, in gild to monitor, maintain, update, upgrade, and repair them.^[1] Out-of-ring (OOB) or hardware-based management is different from software-based (or in-band) management and software management agents.^{[i] [2]}

Hardware-based management works at a different level from software applications, and uses a communication channel (through the TCP/IP stack) that is different from software-based communication (which is through the software stack in the operating system). Hardware-based management does non depend on the presence of an Os or locally installed management agent. Hardware-based management has been available on Intel/AMD based computers in the past, simply it has largely been limited to auto-configuration using DHCP or BOOTP for dynamic IP address allocation and diskless workstations, as well equally wake-on-LAN (WOL) for remotely powering on systems.^[half-dozen] AMT is not intended to be used by itself; it is intended to exist used with a software management awarding.^[1] Information technology gives a direction awarding (and thus, the system administrator who uses it) access to the PC down the wire, in club to remotely do tasks that are difficult or sometimes impossible when working on a PC that does non have remote functionalities congenital into information technology.^{[1] [iii] [seven]}

AMT is designed into a secondary (service) processor located on the motherboard,^[8] and uses TLS-secured communication and stiff encryption to provide additional security.^[ii] AMT is built into PCs with Intel vPro technology and is based on the Intel Management Engine (ME).^[two] AMT has moved towards increasing support for DMTF Desktop and mobile Architecture for System Hardware (DASH) standards and AMT Release 5.one and afterwards releases are an implementation of Nuance version i.0/1.1 standards for out-of-band management.^[ix] AMT provides similar functionality to IPMI, although AMT is designed for client calculating systems as compared with the typically server-based IPMI.

Currently, AMT is available in desktops, servers, ultrabooks, tablets, and laptops with Intel Core vPro processor family, including Intel Cadre i5, Core i7, Core i9 and Intel Xeon E3-1200, Xeon E, Xeon W-1200 product family.^{[i] [10] [11]}

Intel confirmed a Remote Elevation of Privilege problems (CVE-2017-5689, SA-00075) in its Direction Engineering science on May i, 2017.^[12] Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security pigsty in the ME.^{[13] [14]} Some manufacturers, like Purism^[15] and System76^[16] are already selling hardware with Intel Management Engine disabled to prevent the remote exploit. Additional major security flaws in the ME affecting a very big number of computers incorporating Management Engine, Trusted Execution Engine, and Server Platform Services firmware, from Skylake in 2015 to Coffee Lake in 2017, were confirmed by Intel on Nov 20, 2017 (SA-00086).

Non-complimentary service access [edit]

Although iAMT may be included for free in devices sold to the public and to small businesses, the full capabilities of iAMT, including encrypted remote access via a public key certificate and automatic remote device provisioning of unconfigured iAMT clients, are not accessible for free to the general public or to the directly owners of iAMT equipped devices. iAMT cannot be fully utilized to its maximum potential without purchasing additional software or direction services from Intel or another 3rd party contained software vendor (ISV) or value added reseller (VAR).

Intel itself provides a programmer'south toolkit software bundle which allows bones access to iAMT, but is not intended to exist normally used to access the applied science.^[17] Simply basic modes of access are supported, without full access to the encrypted communications of the complete purchased management system.^[18]

Features [edit]

Intel AMT includes hardware-based remote management, security, ability direction, and remote configuration features that enable independent remote access to AMT-enabled PCs.^{[one] [7] [19]} Intel AMT is security and management engineering science that is built into PCs with Intel vPro technology.^{[1] [6]}

Intel AMT uses a hardware-based out-of-band (OOB) communication channel^[1] that operates regardless of the presence of a working operating organisation. The communication channel is contained of the PC'south power state, the presence of a management agent, and the state of many hardware components such as hard disk drives and retentivity.

Most AMT features are available OOB, regardless of PC power state.^[ane] Other features require the PC to be powered upward (such as console redirection via series over LAN (SOL), amanuensis presence checking, and network traffic filtering).^[1] Intel AMT has remote ability-up capability.

Hardware-based features tin can be combined with scripting to automate maintenance and service.^[ane]

Hardware-based AMT features on laptop and desktop PCs include:

• Encrypted, remote advice aqueduct for network traffic between the It console and Intel AMT.^{[i] [2]}
• Ability for a wired PC (physically continued to the network) outside the company'due south firewall on an open LAN to establish a secure communication tunnel (via AMT) back to the IT console.^{[i] [2]} Examples of an open up LAN include a wired laptop at home or at an site that does not have a proxy server.
• Remote power up / power down / power cycle through encrypted WOL.^{[one] [2]}
• Remote boot, via integrated device electronics redirect (IDE-R).^{[1] [2]}
• Console redirection, via serial over LAN (SOL).^[ane]
• Keyboard, video, mouse (KVM) over network.
• Hardware-based filters for monitoring packet headers in inbound and outbound network traffic for known threats (based on programmable timers), and for monitoring known / unknown threats based on time-based heuristics. Laptops and desktop PCs accept filters to monitor packet headers. Desktop PCs have parcel-header filters and time-based filters.^{[1] [two] [20]}
• Isolation circuitry (previously and unofficially called "excursion breaker" by Intel) to port-block, rate-limit, or fully isolate a PC that might be compromised or infected.^{[1] [two] [20]}
• Amanuensis presence checking, via hardware-based, policy-based programmable timers. A "miss" generates an event; and this tin also generate an alert.^{[1] [two] [xx]}
• OOB alerting.^{[1] [two]}
• Persistent event log, stored in protected retentivity (not on the difficult drive).^{[1] [ii]}
• Access (preboot) the PC'southward universal unique identifier (UUID).^{[1] [2]}
• Access (preboot) hardware asset information, such equally a component'southward manufacturer and model, which is updated every time the organisation goes through ability-on cocky-exam (POST).^{[1] [2]}
• Admission (preboot) to third-party data shop (TPDS), a protected memory area that software vendors tin use, in which to version information, .DAT files, and other information.^{[1] [2]}
• Remote configuration options, including document-based nada-touch remote configuration, USB fundamental configuration (light-affect), and manual configuration.^{[one] [two] [21]}
• Protected Sound/Video Pathway for playback protection of DRM-protected media.

Laptops with AMT also include wireless technologies:

• Back up for IEEE 802.11 a/g/northward wireless protocols^{[1] [10] [22] [23]}
• Cisco-uniform extensions for Vox over WLAN^{[i] [ten] [22] [23]}

History [edit]

Software updates provide upgrades to the next pocket-size version of Intel AMT. New major releases of Intel AMT are built into a new chipset, and are updated through new hardware.^[2]

Applications [edit]

Almost all AMT features are available even if the PC is in a powered-off land only with its power cord fastened, if the operating system has crashed, if the software agent is missing, or if hardware (such as a difficult drive or retention) has failed.^{[one] [2]} The console-redirection characteristic (SOL), agent presence checking, and network traffic filters are available after the PC is powered upwards.^{[1] [two]}

Intel AMT supports these direction tasks:

• Remotely ability upwardly, ability down, ability bike, and power reset the reckoner.^[ane]
• Remote boot the PC by remotely redirecting the PC's kicking process, causing information technology to kick from a dissimilar image, such every bit a network share, bootable CD-ROM or DVD, remediation drive, or other boot device.^{[1] [7]} This feature supports remote booting a PC that has a corrupted or missing Bone.
• Remotely redirect the system's I/O via console redirection through serial over LAN (SOL).^[1] This characteristic supports remote troubleshooting, remote repair, software upgrades, and similar processes.
• Admission and change BIOS settings remotely.^[1] This feature is available fifty-fifty if PC power is off, the OS is downwardly, or hardware has failed. This feature is designed to permit remote updates and corrections of configuration settings. This feature supports total BIOS updates, not just changes to specific settings.
• Detect suspicious network traffic.^{[1] [20]} In laptop and desktop PCs, this feature allows a sys-admin to define the events that might indicate an inbound or outbound threat in a network package header. In desktop PCs, this characteristic also supports detection of known and/or unknown threats (including slow- and fast-moving computer worms) in network traffic via time-based, heuristics-based filters. Network traffic is checked before information technology reaches the Os, so it is besides checked earlier the OS and software applications load, and later they shut down (a traditionally vulnerable menstruation for PCs^{[ citation needed ]}).
• Block or rate-limit network traffic to and from systems suspected of being infected or compromised by computer viruses, computer worms, or other threats.^{[1] [xx]} This feature uses Intel AMT hardware-based isolation circuitry that can exist triggered manually (remotely, past the sys-admin) or automatically, based on IT policy (a specific event).
• Manage hardware packet filters in the on-board network adapter.^{[one] [20]}
• Automatically send OOB communication to the It console when a critical software agent misses its assigned bank check in with the programmable, policy-based hardware-based timer.^{[i] [twenty]} A "miss" indicates a potential problem. This feature tin be combined with OOB alerting so that the IT console is notified only when a potential problem occurs (helps proceed the network from being flooded by unnecessary "positive" event notifications).
• Receive Platform Event Trap (PET) events out-of-band from the AMT subsystem (for case, events indicating that the OS is hung or crashed, or that a password attack has been attempted).^[1] An alert can be issued on an event (such as falling out of compliance, in combination with amanuensis presence checking) or on a threshold (such as reaching a particular fan speed).
• Access a persistent event log, stored in protected memory.^[1] The event log is available OOB, even if the Bone is downward or the hardware has already failed.
• Discover an AMT system independently of the PC's power country or Os state.^[1] Discovery (preboot access to the UUID) is bachelor if the system is powered down, its Os is compromised or down, hardware (such equally a hard drive or retention) has failed, or management agents are missing.
• Perform a software inventory or access data about software on the PC.^[1] This feature allows a third-political party software vendor to store software asset or version data for local applications in the Intel AMT protected memory. (This is the protected tertiary party data shop, which is dissimilar from the protected AMT memory for hardware component information and other system data). The tertiary-party data store tin exist accessed OOB by the sys-admin. For example, an antivirus program could store version information in the protected retention that is available for third-party data. A calculator script could use this feature to identify PCs that need to be updated.
• Perform a hardware inventory past uploading the remote PC'south hardware nugget listing (platform, baseboard management controller, BIOS, processor, memory, disks, portable batteries, field replaceable units, and other data).^[1] Hardware asset information is updated every time the organization runs through ability-on self-exam (Mail service).

From major version vi, Intel AMT embeds a proprietary VNC server, for out-of-ring admission using defended VNC-compatible viewer applied science, and take total KVM (keyboard, video, mouse) capability throughout the ability bicycle – including uninterrupted control of the desktop when an operating system loads. Clients such every bit VNC Viewer Plus from RealVNC also provide additional functionality that might brand it easier to perform (and watch) certain Intel AMT operations, such equally powering the computer off and on, configuring the BIOS, and mounting a remote image (IDER).

Provisioning and integration [edit]

AMT supports certificate-based or PSK-based remote provisioning (full remote deployment), USB key-based provisioning ("one-affect" provisioning), manual provisioning^[ane] and provisioning using an amanuensis on the local host ("Host Based Provisioning"). An OEM tin can also pre-provision AMT.^[21]

The current version of AMT supports remote deployment on both laptop and desktop PCs. (Remote deployment was one of the key features missing from earlier versions of AMT and which delayed acceptance of AMT in the marketplace.)^[7] Remote deployment, until recently, was only possible within a corporate network.^[24] Remote deployment lets a sys-admin deploy PCs without "touching" the systems physically.^[1] It too allows a sys-admin to delay deployments and put PCs into use for a period of fourth dimension before making AMT features available to the IT panel.^[25] As delivery and deployment models evolve, AMT can at present be deployed over the Internet, using both "Zero-Touch" and Host-Based methods.^[26]

PCs can be sold with AMT enabled or disabled. The OEM determines whether to ship AMT with the capabilities ready for setup (enabled) or disabled. The setup and configuration process may vary depending on the OEM build.^[21]

AMT includes a Privacy Icon awarding, called IMSS,^[27] that notifies the organization's user if AMT is enabled. It is up to the OEM to decide whether they want to display the icon or not.

AMT supports different methods for disabling the direction and security technology, too as different methods for reenabling the technology.^{[1] [25] [28] [29]}

AMT tin can be partially unprovisioned using the Configuration Settings, or fully unprovisioned by erasing all configuration settings, security credentials, and operational and networking settings.^[30] A fractional unprovisioning leaves the PC in the setup land. In this land, the PC can cocky-initiate its automated, remote configuration process. A full unprovisioning erases the configuration profile as well every bit the security credentials and operational / networking settings required to communicate with the Intel Management Engine. A full unprovisioning returns Intel AMT to its factory default state.

In one case AMT is disabled, in order to enable AMT once again, an authorized sys-admin tin reestablish the security credentials required to perform remote configuration past either:

• Using the remote configuration procedure (full automatic, remote config via certificates and keys).^[1]
• Physically accessing the PC to restore security credentials, either by USB key or by entering the credentials and MEBx parameters manually.^[1]

At that place is a way to totally reset AMT and render in to factory defaults. This can exist washed in two ways:

• Setting the appropriate value in the BIOS.
• Clearing the CMOS retentiveness and / or NVRAM.

Setup and integration of AMT is supported past a setup and configuration service (for automated setup), an AMT Webserver tool (included with Intel AMT), and AMT Commander, an unsupported and free, proprietary application available from the Intel website.

Communication [edit]

All access to the Intel AMT features is through the Intel Management Engine in the PC'due south hardware and firmware.^[1] AMT communication depends on the state of the Management Engine, not the state of the PC'south OS.

As part of the Intel Management Engine, the AMT OOB communication channel is based on the TCP/IP firmware stack designed into arrangement hardware.^[one] Because it is based on the TCP/IP stack, remote communication with AMT occurs via the network data path before advice is passed to the Os.

Intel AMT supports wired and wireless networks.^{[ane] [x] [22] [31]} For wireless notebooks on battery ability, OOB advice is available when the organisation is awake and connected to the corporate network, even if the Os is down. OOB communication is also available for wireless or wired notebooks connected to the corporate network over a host OS-based virtual private network (VPN) when notebooks are awake and working properly.

AMT version four.0 and higher tin constitute a secure advice tunnel betwixt a wired PC and an IT panel outside the corporate firewall.^{[1] [32]} In this scheme, a management presence server (Intel calls this a "vPro-enabled gateway") authenticates the PC, opens a secure TLS tunnel betwixt the Information technology console and the PC, and mediates communication.^{[one] [33]} The scheme is intended to assist the user or PC itself request maintenance or service when at satellite offices or similar places where there is no on-site proxy server or management apparatus.

Engineering that secures communications outside a corporate firewall is relatively new. It also requires that an infrastructure exist in place, including support from IT consoles and firewalls.

An AMT PC stores system configuration data in protected memory. For PCs version 4.0 and higher, this information can include the name(s) of appropriate "whitelist" management servers for the company. When a user tries to initiate a remote session betwixt the wired PC and a company server from an open up LAN, AMT sends the stored data to a management presence server (MPS) in the "demilitarized zone" ("DMZ") that exists betwixt the corporate firewall and client (the user PC'due south) firewalls. The MPS uses that data to aid authenticate the PC. The MPS then mediates communication betwixt the laptop and the company'southward direction servers.^[1]

Because advice is authenticated, a secure communication tunnel can then be opened using TLS encryption. One time secure communications are established between the Information technology console and Intel AMT on the user's PC, a sys-admin can apply the typical AMT features to remotely diagnose, repair, maintain, or update the PC.^[1]

Design [edit]

Hardware [edit]

The Management Engine (ME) is an isolated and protected coprocessor, embedded every bit a not-optional^[34] role in all current (every bit of 2015^[update]) Intel chipsets.^[35]

Starting with ME 11, information technology is based on the Intel Quark x86-based 32-bit CPU and runs the MINIX 3 operating system. The ME country is stored in a partition of the SPI flash, using the Embedded Wink File System (EFFS).^[36] Previous versions were based on an ARC cadre, with the Direction Engine running the ThreadX RTOS from Express Logic. Versions ane.ten to 5.10 of the ME used the ARCTangent-A4 (32-flake only instructions) whereas versions 6.x to 8.x used the newer ARCompact (mixed 32- and 16-bit instruction set up compages). Starting with ME 7.1, the ARC processor could likewise execute signed Java applets.

The ME shares the aforementioned network interface and IP as the host organisation. Traffic is routed based on packets to ports 16992-16995. Support exists in various Intel Ethernet controllers, exported and made configurable via Direction Component Send Protocol (MCTP).^{[37] [38]} The ME likewise communicates with the host via PCI interface.^[36] Under Linux, communication betwixt the host and the ME is done via /dev/mei ^[35] or more recently^[39] /dev/mei0.^[40]

Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, post-obit the Retention Controller Hub (MCH) layout.^[41] With the newer Intel architectures (Intel v Serial onwards), ME is included into the Platform Controller Hub (PCH).^{[42] [43]}

Firmware [edit]

• Management Engine (ME) - mainstream chipsets
• Server Platform Services (SPS) - server
• Trusted Execution Engine (TXE) - tablet/mobile/low ability

Security [edit]

Considering AMT allows access to the PC below the OS level, security for the AMT features is a key concern.

Security for communications between Intel AMT and the provisioning service and/or management console tin be established in unlike ways depending on the network environment. Security can be established via certificates and keys (TLS public key infrastructure, or TLS-PKI), pre-shared keys (TLS-PSK), or ambassador countersign.^{[1] [2]}

Security technologies that protect access to the AMT features are built into the hardware and firmware. As with other hardware-based features of AMT, the security technologies are active even if the PC is powered off, the OS is crashed, software agents are missing, or hardware (such every bit a hard bulldoze or retention) has failed.^{[one] [2] [44]}

Because the software that implements AMT exists outside of the operating system, it is not kept up-to-date past the operating system's normal update mechanism. Security defects in the AMT software can therefore exist particularly severe, as they will remain long after they have been discovered and become known to potential attackers.

On May fifteen, 2017, Intel announced a critical vulnerability in AMT. According to the update "The vulnerability could enable a network attacker to remotely gain admission to business PCs or devices that utilise these technologies".^[45] Intel announced partial availability of a firmware update to patch the vulnerability for some of the afflicted devices.

Networking [edit]

While some protocols for in-band remote management use a secured network communication aqueduct (for example Secure Crush), some other protocols are not secured. Thus some businesses have had to choose between having a secure network or allowing IT to utilize remote management applications without secure communications to maintain and service PCs.^[ane]

Modern security technologies and hardware designs allow remote management even in more secure environments. For case, Intel AMT supports IEEE 802.1x, Preboot Execution Environment (PXE), Cisco SDN, and Microsoft NAP.^[1]

All AMT features are bachelor in a secure network environment. With Intel AMT in the secure network environment:

• The network tin verify the security posture of an AMT-enabled PC and authenticate the PC before the OS loads and before the PC is immune access to the network.
• PXE kick tin can be used while maintaining network security. In other words, an IT ambassador can utilize an existing PXE infrastructure in an IEEE 802.1x, Cisco SDN, or Microsoft NAP network.

Intel AMT can embed network security credentials in the hardware, via the Intel AMT Embedded Trust Agent and an AMT posture plug-in.^{[1] [ii]} The plug-in collects security posture information, such as firmware configuration and security parameters from third-party software (such equally antivirus software and antispyware), BIOS, and protected retention. The plug-in and trust agent can store the security profile(s) in AMT'southward protected, nonvolatile retention, which is non on the hd bulldoze.

Considering AMT has an out-of-ring communication channel, AMT can present the PC's security posture to the network fifty-fifty if the PC's Bone or security software is compromised. Since AMT presents the posture out-of-band, the network can as well authenticate the PC out-of-band, before the Os or applications load and before they try to access the network. If the security posture is not correct, a system administrator can push button an update OOB (via Intel AMT) or reinstall critical security software earlier letting the PC access the network.

Support for different security postures depends on the AMT release:

• Support for IEEE 802.1x and Cisco SDN requires AMT version ii.6 or higher for laptops, and AMT version 3.0 or higher for desktop PCs.^{[1] [46] [47]}
• Support for Microsoft NAP requires AMT version iv.0 or college.^[1]
• Support for PXE boot with full network security requires AMT version 3.2 or higher for desktop PCs.^[1]

Engineering science [edit]

AMT includes several security schemes, technologies, and methodologies to secure admission to the AMT features during deployment and during remote direction.^{[1] [2] [44]} AMT security technologies and methodologies include:

• Send Layer Security, including pre-shared fundamental TLS (TLS-PSK)
• HTTP authentication
• Single sign-on to Intel AMT with Microsoft Windows domain authentication, based on Microsoft Active Directory and Kerberos
• Digitally signed firmware
• Pseudo-random number generator (PRNG) which generates session keys
• Protected retentivity (non on the hd bulldoze) for critical system data, such as the UUID, hardware asset information, and BIOS configuration settings
• Access command lists (ACL)

Equally with other aspects of Intel AMT, the security technologies and methodologies are congenital into the chipset.

Known vulnerabilities and exploits [edit]

Ring −3 rootkit [edit]

A ring −3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset; it does not piece of work for the subsequently Q45 chipset, as Intel implemented boosted protections.^[48] The exploit worked past remapping the unremarkably protected memory region (top xvi MB of RAM) reserved for the ME. The ME rootkit could exist installed regardless of whether the AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor. (The "−iii" designation was chosen because the ME coprocessor works fifty-fifty when the system is in the S3 state, thus it was considered a layer below the System Management Mode rootkits.^[41]) For the vulnerable Q35 chipset, a keystroke logger ME-based rootkit was demonstrated past Patrick Stewin.^{[49] [50]}

Zero-affect provisioning [edit]

Another security evaluation by Vassilios Ververis showed serious weaknesses in the GM45 chipset implementation. In particular, it criticized AMT for transmitting unencrypted passwords in the SMB provisioning manner when the IDE redirection and Serial over LAN features are used. It also found that the "goose egg affect" provisioning mode (ZTC) is withal enabled even when the AMT appears to be disabled in BIOS. For near threescore euros, Ververis purchased from Go Daddy a certificate that is accustomed past the ME firmware and allows remote "aught touch on" provisioning of (mayhap unsuspecting) machines, which broadcast their HELLO packets to would-be configuration servers.^[51]

Silent Bob is Silent [edit]

In May 2017, Intel confirmed that many computers with AMT have had an unpatched critical privilege-escalation vulnerability (CVE-2017-5689).^{[14] [52] [12] [53] [54]} The vulnerability, which was nicknamed "Silent Bob is Silent" by the researchers who had reported it to Intel,^[55] affects numerous laptops, desktops and servers sold by Dell, Fujitsu, Hewlett-Packard (subsequently Hewlett Packard Enterprise and HP Inc.), Intel, Lenovo, and peradventure others.^{[55] [56] [57] [58] [59] [60] [61]} Those researchers claimed that the bug affects systems made in 2010 or later.^[62] Other reports claimed that the bug also affects systems fabricated as long ago as 2008.^{[63] [fourteen]} The vulnerability was described equally giving remote attackers:

full control of afflicted machines, including the ability to read and modify everything. It can exist used to install persistent malware (possibly in firmware), and read and modify any data.

—Tatu Ylönen, ssh.com ^[55]

The remote user dominance process included a programmer error: it compared the user-given authorization token hash (user_response) to the truthful value of the hash (computed_response) using this code:

strncmp(computed_response, user_response, response_length)        

The vulnerability was that response_length was the length of the user-given token and not of the true token.

Since the third argument for strncmp is the length of the 2 strings to be compared, if it is less than the length of computed_response, only a function of the cord volition exist tested for equality. Specifically, if user_response is the empty string (with length 0), this "comparison" will always return True, and thus validate the user. This allowed any person to simply log into the admin account on the devices past editing their sent HTTP parcel to use the empty string as the response field's value.

PLATINUM [edit]

In June 2017, the PLATINUM cybercrime grouping became notable for exploiting the serial over LAN (SOL) capabilities of AMT to perform data exfiltration of stolen documents.^{[64] [65] [66] [67] [68] [69] [70] [71]}

SA-00086 [edit]

In Nov 2017 serious flaws were detected in the Management Engine (ME) firmware past security firm Positive Technologies, who claimed to have developed a working exploit of this system for someone having physical admission to a USB port.^[72] On November 20, 2017 Intel confirmed that a number of serious flaws had been constitute in the Direction Engine, Trusted Execution Engine, Server Platform Services and released a "critical firmware update".^{[73] [74]}

Avoidance and mitigation [edit]

PCs with AMT typically provide an pick in the BIOS menu to switch off AMT, though OEMs implement BIOS features differently,^[75] and therefore the BIOS is not a reliable method to switch off AMT. Intel-based PCs that shipped without AMT are not supposed to be able to have AMT installed later. Even so, every bit long as the PC's hardware is potentially capable of running the AMT, information technology is unclear how constructive these protections are.^{[76] [77] [78]} Presently, there are mitigation guides^[79] and tools^[lxxx] to disable AMT on Windows, only Linux has only received a tool to check whether AMT is enabled and provisioned on Linux systems.^[81] The only way to actually fix this vulnerability is to install a firmware update. Intel has made a list of updates available.^[82] Unlike for AMT, there is by and large no official, documented way to disable the Direction Engine (ME); it is ever on, unless information technology is not enabled at all by the OEM.^{[83] [84]}

In 2015, a pocket-sized number of competing vendors began to offer Intel-based PCs designed or modified specifically to address potential AMT vulnerabilities and related concerns.^{[85] [86] [87] [88] [89] [90] [91]}

Encounter also [edit]

• Backdoor (calculating)
• Host Embedded Controller Interface
• HP Integrated Lights-Out
• Intel CIRA
• Intel Core
• Internet kill switch
• Platform Controller Hub
• Lights out management
• Southbridge (computing)
• System Service Processor
• Intel AMT versions
• Intel Management Engine
• Intel vPro

References [edit]

1. ^ ^{a b c d e f g h i j k fifty m due north o p q r s t u 5 w x y z aa ab air conditioning advertizement ae af ag ah ai aj ak al am an ao ap aq ar as at au av aw ax ay az ba bb bc bd be bf bg bh bi bj bk bl} "Intel Centrino 2 with vPro Applied science and Intel Core2 Processor with vPro Technology" (PDF). Intel. 2008. Archived from the original (PDF) on Dec 6, 2008. Retrieved Baronial 7, 2008.
2. ^ ^{a b c d eastward f g h i j yard 50 m due north o p q r due south t u v w x} "Architecture Guide: Intel Active Direction Engineering". Intel. June 26, 2008. Archived from the original on October 19, 2008. Retrieved August 12, 2008.
3. ^ ^{a b} "Remote Pc Management with Intel'due south vPro". Tom's Hardware Guide. Retrieved November 21, 2007.
4. ^ "Intel vPro Chipset Lures MSPs, System Builders". ChannelWeb. Retrieved August 1, 2007.
5. ^ "Intel Generally Launches Centrino 2 Notebook Platform". ChannelWeb. Retrieved July 1, 2008.
6. ^ ^{a b} "A new dawn for remote management? A commencement glimpse at Intel's vPro platform". ars technica. Retrieved November 7, 2007.
7. ^ ^{a b c d} "Revisiting vPro for Corporate Purchases". Gartner. Archived from the original on July 23, 2008. Retrieved August seven, 2008.
8. ^ "Answers to Ofttimes Asked Questions about libreboot". libreboot.org . Retrieved September 25, 2015.
9. ^ "Archived re-create". Archived from the original on April 14, 2012. Retrieved April 30, 2012. {{cite web}}: CS1 maint: archived copy equally title (link)
10. ^ ^{a b c d} "Intel Centrino two with vPro Technology" (PDF). Intel. Archived from the original (PDF) on March 15, 2008. Retrieved July 15, 2008.
11. ^ "Intel MSP". Msp.intel.com. Retrieved May 25, 2016.
12. ^ ^{a b} "Intel® Product Security Centre". Security-center.intel.com . Retrieved May seven, 2017.
13. ^ Charlie Demerjian (May 1, 2017). "Remote security exploit in all 2008+ Intel platforms". SemiAccurate. Retrieved May seven, 2017.
14. ^ ^{a b c} "Ruddy alert! Intel patches remote execution hole that'due south been hidden in fries since 2010". Theregister.co.united kingdom of great britain and northern ireland . Retrieved May 7, 2017.
15. ^ HardOCP: Purism Is Offer Laptops with Intel's Management Engine Disabled
16. ^ System76 to disable Intel Management Engine on its notebooks
17. ^ Garrison, Justin (March 28, 2011). "How to Remotely Control Your PC (Even When it Crashes)". Howtogeek.com . Retrieved May 7, 2017.
18. ^ "Open Manageability Programmer Tool Kit | Intel® Software". Software.intel.com . Retrieved May 7, 2017.
19. ^ "Intel vPro Technology". Intel. Retrieved July xiv, 2008.
20. ^ ^{a b c d e f thou} "Intel Active Management Applied science Organisation Defense force and Agent Presence Overview" (PDF). Intel. February 2007. Retrieved Baronial xvi, 2008.
21. ^ ^{a b c} "Intel Centrino 2 with vPro Technology". Intel. Archived from the original on March 15, 2008. Retrieved June thirty, 2008.
22. ^ ^{a b c} "New Intel-Based Laptops Advance All Facets of Notebook PCs". Intel. Archived from the original on July 17, 2008. Retrieved July xv, 2008.
23. ^ ^{a b} "Agreement Intel AMT over wired vs. wireless (video)". Intel. Archived from the original on March 26, 2008. Retrieved August fourteen, 2008.
24. ^ "Intel® vPro™ Technology". Intel.
25. ^ ^{a b} "Function iii: Post Deployment of Intel vPro in an Altiris Environs: Enabling and Configuring Delayed Provisioning". Intel (forum). Retrieved September 12, 2008.
26. ^ "Archived copy" (PDF). Archived from the original (PDF) on Jan 3, 2014. Retrieved July 20, 2013. {{cite spider web}}: CS1 maint: archived copy equally championship (link)
27. ^ "Archived copy". Archived from the original on Feb 20, 2011. Retrieved December 26, 2010. {{cite web}}: CS1 maint: archived copy as title (link)
28. ^ "Intel vPro Provisioning" (PDF). HP (Hewlett Packard). Retrieved June 2, 2008.
29. ^ "vPro Setup and Configuration for the dc7700 Business PC with Intel vPro Engineering science" (PDF). HP (Hewlett Packard). Retrieved June 2, 2008. ^{[ permanent expressionless link ]}
30. ^ "Part four: Post Deployment of Intel vPro in an Altiris Environment Intel: Fractional UnProvDefault". Intel (forum). Retrieved September 12, 2008.
31. ^ "Technical Considerations for Intel AMT in a Wireless Environment". Intel. September 27, 2007. Retrieved August 16, 2008.
32. ^ "Intel Active Management Technology Setup and Configuration Service, Version 5.0" (PDF). Intel. Retrieved October xiii, 2018.
33. ^ "Intel AMT - Fast Call for Help". Intel. Baronial 15, 2008. Archived from the original on February xi, 2009. Retrieved Baronial 17, 2008. (Intel programmer'south blog)
34. ^ "Archived copy". Archived from the original on January 3, 2016. Retrieved January 16, 2016. {{cite web}}: CS1 maint: archived copy equally title (link)
35. ^ ^{a b} "Archived copy". Archived from the original on November 1, 2014. Retrieved February 25, 2014. {{cite web}}: CS1 maint: archived copy as title (link)
36. ^ ^{a b} Igor Skochinsky (Hex-Rays) Rootkit in your laptop, Ruxcon Breakpoint 2012
37. ^ "Intel Ethernet Controller I210 Datasheet" (PDF). Intel. 2013. pp. 1, 15, 52, 621–776. Retrieved Nov 9, 2013.
38. ^ "Intel Ethernet Controller X540 Product Cursory" (PDF). Intel. 2012. Retrieved February 26, 2014.
39. ^ "samples: mei: use /dev/mei0 instead of /dev/mei · torvalds/linux@c4a46ac". GitHub . Retrieved July 14, 2021.
40. ^ "Introduction — The Linux Kernel documentation". www.kernel.org . Retrieved July 14, 2021.
41. ^ ^{a b} Joanna Rutkowska. "A Quest to the Core" (PDF). Invisiblethingslab.com . Retrieved May 25, 2016.
42. ^ "Archived copy" (PDF). Archived from the original (PDF) on February 11, 2014. Retrieved Feb 26, 2014. {{cite web}}: CS1 maint: archived copy as championship (link)
43. ^ "Platforms II" (PDF). Users.nik.uni-obuda.hu . Retrieved May 25, 2016.
44. ^ ^{a b} "New Intel vPro Processor Technology Fortifies Security for Business PCs (news release)". Intel. August 27, 2007. Archived from the original on September 12, 2007. Retrieved August seven, 2007.
45. ^ "Intel® AMT Critical Firmware Vulnerability". Intel . Retrieved June 10, 2017.
46. ^ "Intel Software Network, engineer / developers forum". Intel. Archived from the original on August 13, 2011. Retrieved August nine, 2008.
47. ^ "Cisco Security Solutions with Intel Centrino Pro and Intel vPro Processor Technology" (PDF). Intel. 2007.
48. ^ "Invisible Things Lab to present two new technical presentations disclosing organisation-level vulnerabilities affecting modern PC hardware at its core" (PDF). Invisiblethingslab.com. Archived from the original (PDF) on April 12, 2016. Retrieved May 25, 2016.
49. ^ "Berlin Institute of Applied science : FG Security in telecommunication : Evaluating "Ring-3" Rootkits" (PDF). Stewin.org. Archived from the original (PDF) on March 4, 2016. Retrieved May 25, 2016.
50. ^ "Persistent, Stealthy Remote-controlled Dedicated Hardware Malware" (PDF). Stewin.org. Archived from the original (PDF) on March 3, 2016. Retrieved May 25, 2016.
51. ^ "Security Evaluation of Intel'due south Active Management Technology" (PDF). Web.it.kth.se . Retrieved May 25, 2016.
52. ^ "CVE - CVE-2017-5689". Cve.mitre.org. Archived from the original on May 5, 2017. Retrieved May 7, 2017.
53. ^ "Intel Subconscious Direction Engine - x86 Security Run a risk?". Darknet. June 16, 2016. Retrieved May 7, 2017.
54. ^ Garrett, Matthew (May 1, 2017). "Intel'due south remote AMT vulnerablity". mjg59.dreamwidth.org . Retrieved May 7, 2017.
55. ^ ^{a b c} "2017-05-05 ALERT! Intel AMT EXPLOIT OUT! It'S BAD! DISABLE AMT At present!". Ssh.com\Accessdate=2017-05-07.
56. ^ Dan Goodin (May half-dozen, 2017). "The hijacking flaw that lurked in Intel chips is worse than anyone idea". Ars Technica. Retrieved May 8, 2017.
57. ^ "General: BIOS updates due to Intel AMT IME vulnerability - General Hardware - Laptop - Dell Community". En.community.dell.com . Retrieved May seven, 2017.
58. ^ "Advisory note: Intel Firmware vulnerability – Fujitsu Technical Support pages from Fujitsu Fujitsu Continental Europe, Center East, Africa & India". Back up.ts.fujitsu.com. May 1, 2017. Retrieved May 8, 2017.
59. ^ "HPE | HPE CS700 2.0 for VMware". H22208.www2.hpe.com. May 1, 2017. Retrieved May 7, 2017.
60. ^ "Intel® Security Advisory regarding escalation o... |Intel Communities". Communities.intel.com . Retrieved May seven, 2017.
61. ^ "Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Remote Privilege Escalation". Support.lenovo.com . Retrieved May vii, 2017.
62. ^ "MythBusters: CVE-2017-5689". Embedi.com. Archived from the original on May half dozen, 2017. Retrieved May 7, 2017.
63. ^ Charlie Demerjian (May 1, 2017). "Remote security exploit in all 2008+ Intel platforms". SemiAccurate.com . Retrieved May 7, 2017.
64. ^ "Sneaky hackers use Intel management tools to bypass Windows firewall". Retrieved June 10, 2017.
65. ^ Tung, Liam. "Windows firewall dodged past 'hot-patching' spies using Intel AMT, says Microsoft - ZDNet". Retrieved June 10, 2017.
66. ^ "PLATINUM continues to evolve, discover means to maintain invisibility". Retrieved June x, 2017.
67. ^ "Malware Uses Obscure Intel CPU Feature to Steal Data and Avert Firewalls". Retrieved June 10, 2017.
68. ^ "Hackers corruption low-level direction feature for invisible backdoor". iTnews . Retrieved June 10, 2017.
69. ^ "Vxers exploit Intel's Active Management for malware-over-LAN • The Register". www.theregister.co.u.k. . Retrieved June 10, 2017.
70. ^ Security, heise. "Intel-Fernwartung AMT bei Angriffen auf PCs genutzt". Security . Retrieved June 10, 2017.
71. ^ "PLATINUM activeness group file-transfer method using Intel AMT SOL". Channel nine . Retrieved June 10, 2017.
72. ^ Researchers find most EVERY computer with an Intel Skylake and above CPU can exist owned via USB.
73. ^ "Intel® Management Engine Critical Firmware Update (Intel SA-00086)". Intel.
74. ^ "Intel Chip Flaws Leave Millions of Devices Exposed". Wired.
75. ^ "Disabling AMT in BIOS". software.intel.com . Retrieved May 17, 2017.
76. ^ "Are consumer PCs safe from the Intel ME/AMT exploit? - SemiAccurate". semiaccurate.com.
77. ^ "Intel x86s hide another CPU that can take over your auto (you tin can't inspect information technology)". Boing Boing. June fifteen, 2016. Retrieved May 11, 2017.
78. ^ "[coreboot] : AMT problems". Mail.coreboot.org. May 11, 2017. Retrieved June 13, 2017.
79. ^ "Disabling Intel AMT on Windows (and a simpler CVE-2017-5689 Mitigation Guide)". Social Media Marketing | Digital Marketing | Electronic Commerce. May 3, 2017. Retrieved May 17, 2017.
80. ^ "bartblaze/Disable-Intel-AMT". GitHub . Retrieved May 17, 2017.
81. ^ "mjg59/mei-amt-bank check". GitHub . Retrieved May 17, 2017.
82. ^ "Intel® AMT Critical Firmware Vulnerability". Intel . Retrieved May 17, 2017.
83. ^ "Positive Technologies Blog: Disabling Intel ME 11 via undocumented manner". Retrieved August 30, 2017.
84. ^ "Intel Patches Major Flaws in the Intel Direction Engine". Farthermost Tech.
85. ^ Vaughan-Nichols, Steven J. "Taurinus X200: Now the most 'Free Software' laptop on the planet - ZDNet".
86. ^ Kißling, Kristian. "Libreboot: Thinkpad X220 ohne Management Engine » Linux-Magazin". Linux-Magazin.
87. ^ online, heise. "Libiquity Taurinus X200: Linux-Notebook ohne Intels Management Engine". heise online.
88. ^ "Intel AMT Vulnerability Shows Intel's Direction Engine Can Exist Dangerous". May 2, 2017.
89. ^ "Purism Explains Why It Avoids Intel's AMT And Networking Cards For Its Privacy-Focused 'Librem' Notebooks". Tom'south Hardware. August 29, 2016. Retrieved May 10, 2017.
90. ^ "The Free Software Foundation loves this laptop, simply you lot won't".
91. ^ "FSF Endorses Withal Another (Outdated) Laptop - Phoronix". phoronix.com.

External links [edit]

• Open up AMT Cloud Toolkit
• MeshCentral2
• Intel Manageability Commander
• Implementing Intel AMT
• Intel Security Center
• Intel Active Management Applied science
• Intel Manageability Developer Community
• Intel vPro Expert Center
• Intel 82573E Gigabit Ethernet Controller (Tekoa)
• ARC4 Processor
• AMT videos (select the desktop channel)
• Intel AMT Client - Radmin Viewer 3.3
• Intel vPro/AMT as a hardware antivirus
• AMT Over the Internet Provisioning (OOB Managing director)
• Intel ME Secrets: Hidden code in your chipset and how to discover what exactly it does by Igor Skochinsky, talk at Lawmaking Blue 2014
• Using Intel AMT and the Intel NUC with Ubuntu

Share this post