Skip to main content

Intel AMT: the hardware backdoor in your laptop (and server) you CAN’T shut off

By May 11, 2017September 16th, 2020Blog, Hot Technology Topics, News, Security
Intel AMT Security Risk Graphic

Intel AMT in the News, What is it?

In early May 2017, many reports surfaced about a critical, remotely-exploitable hardware back door lurking in almost every business-class laptop manufactured in the last decade CVE-2017-5869. By now there are a hundred articles explaining and mis-explaining the severity of this problem. What you will find absolutely nowhere is any low-level documentation of exactly what AMT does. Most of the information about AMT comes from researchers that for years have been working on reverse-engineering the implementation.

Here is a basic explanation of what Intel AMT is and why on earth is it running in half the laptops in your enterprise (spoiler alert: it is). Intel Active Management Technology consists of 2 logical components: a Physical chip on your motherboard and the OOBM console & management tools.  This is the case for laptops, desktops servers, and some windows phones. OOBM toolset includes VNC connection, the ability to power on and off, Bios access through console, and access to the file system. Yes, this means your data.

Hold on a second, I’m not using AMT: Why do I care?

Well, you need to care because regardless of whether you are using it, the platform is running in your enterprise right now. Guaranteed. But doesn’t every modern server come with same exact feature set? While the capabilities of AMT are exactly on par with those of ILO or iDRACS, the key difference is the hardware implementation.

Let me ask you this, what choice do you have when it comes to using iDRACS and ILO? Well, to put it simply, to provision these OOBM tools, you need to plug a network cable into a dedicated NIC on the motherboard and you get to choose which subnet to route this traffic to. Or, where not to route it. You get to decide whether you are or aren’t putting a direct-to-motherboard VNC connection available on the internet.

No such choice with AMT. More importantly AMT is on by default, is hardwired to the first NIC on a laptop or server, cannot be switched off, and as of early May is Remotely Exploitable.

How to find if you have AMT:

Use WMI, SCCM, or auditing software of your choice to look for AMT and vPro

How to block AMT:

  1. On your firewall ports 16992, 16993, 16994, 16995, 623, and 664
  2. Update Bios Firmware
  3. Stop buying laptops with Hardware-based back-door

Contact PEI if you’d like us to perform an assessment and remediation of this vulnerability.

JacobR, PEI

Leave a Reply