Email or username:

Password:

Forgot your password?
number 1 windows xp hater's posts Post Back to profile
Top-level
JM Horner :blobcatcowboy:

@i_lost_my_bagel The idea of this REALLY bothered me, so I had to find out for myself. I am lucky [or perhaps UNlucky] enough to have an HP Elitebook 2760p here with Windows 10 on it. I had intentionally never installed the Intel Management Engine software on it, and in Device Manager I had an unknown device (I think it actually said PCI device). I tried Edge [it was creepy but I did it] and localhost:16992 produced a "can't reach this page" error message.

I then installed the IME software [HP driver sp55757 in this case] and was able to access the IME page on localhost:16992 with Edge. The "device" was also updated in Device Manager giving me the following two devices:

Intel Active Management Technology - SOL

Intel Management Engine Interface

You can decide for yourself what SOL stands for in the first one. I then uninstalled the IME software from Control Panel and upon reboot the devices stayed, but the service listening on port 16992 was gone. So I reinstalled the IME software and confirmed that the service was listening on 16992 again. Then opened the IME application via the systray icon and deselected

"Intel Management and Security Status will be available next time I log on to Windows."

After a reboot the service was not listening again.

So, it appears as though on my decade old vPro™️ laptop the service is provided by the IME software, and that not installing it (or disabling it) will keep the service from running in Windows 10. I have not tested it yet, but I am pretty confident that when I put Devuan back on here the service won't be listening. :blobcatcheer:
7 April at 15:02 | Wall-to-wall | Open on eattherich.club
13 comments
Riku Viitanen

@jmhorner @i_lost_my_bagel

It won't keep AMT from running. It is independent of any OS you control. ME and AMT are stored on the BIOS chip, in 2760p it's 8MiB (~5MB ME+AMT, ~3MB BIOS).

In my opinion, whether it's reachable at localhost is irrelevant. I'm more afraid of remote accesses. The ME coprocessor has unrestricted access to all memory and other hardware. NICs too, it can have its own MAC address as well).

7 April at 15:22 | Open on mas.to
Riku Viitanen

@jmhorner @i_lost_my_bagel

Luckily there's a solution:
me_cleaner: github.com/corna/me_cleaner

It'll remove all AMT code permanently, shrinking your ME firmware to under 100kB (just what's necessary to disable a watchdog timer).

Btw, there's also coreboot available for that elitebook, in case you want to get rid of the HP BIOS entirely :)

7 April at 15:38 | Open on mas.to
JM Horner :blobcatcowboy:

@riku @i_lost_my_bagel Okay... I get that localhost based services are of little use remotely. So, how would (1) anyone remotely access IME or (2) IME send any data to a remote location on its own?

7 April at 15:41 | Open on eattherich.club
number 1 windows xp hater

@jmhorner @riku the localhost part is just a small web interface that does nothing but tell you some system status. It can't do anything useful.

You can use github.com/Ylianst/MeshCommand to connect to it from another computer and access all the fun stuff.
7 April at 15:42 | Open on mastodon.lilysthings.org
Riku Viitanen

@jmhorner @i_lost_my_bagel By sending/receiving packets to an Intel network card on that machine. ME coprocessor has access to those, and can configure them how it wishes.

7 April at 15:46 | Open on mas.to
JM Horner :blobcatcowboy:

@riku @i_lost_my_bagel If I do not go in to my BIOS and setup an AMT admin password and networking, AMT does not seem to get an IP address. Additionally, when I stop the IME services in Windows (or uninstall the IME software) MeshCommander times out. If I unplug my NIC and only use WiFi, AMT is unable to pickup an IP address from my DHCP server (and is of course inaccessible via MeshCommander).

So, in order for someone "not on my network" to interact with AMT, is it fair to say that:

- I'd have to either specifically setup AMT in my BIOS or buy a device that has already been setup

- I'd have to have the IME software installed and the two IME services running in Windows

- I'd have to be connected via Ethernet rather than WiFi and

- I'd have to have the appropriate port forwarded on my IPv4 NAT-based gateway or have IPv6 setup on my home network

Or is there really some way for someone to remotely interact with AMT even if one or more of those points is not met? While I am disappointed that Intel would put that kind of crap "in a processor", I can't say I am surprised. So, should I see it as being any more of a security problem than something like DRAC or iLO?

@riku @i_lost_my_bagel If I do not go in to my BIOS and setup an AMT admin password and networking, AMT does not seem to get an IP address. Additionally, when I stop the IME services in Windows (or uninstall the IME software) MeshCommander times out. If I unplug my NIC and only use WiFi, AMT is unable to pickup an IP address from my DHCP server (and is of course inaccessible via MeshCommander).

7 April at 17:38 | Open on eattherich.club
Riku Viitanen

@jmhorner @i_lost_my_bagel

- probably, but i just don't personally trust it. the code is unauditable, and could be full of bugs.
- os services don't matter. remote management is supposed to work even if the os doesn't boot, e.g. to reboot/reinstall remotely
- there are some wi-fi cards with "vPro feature". maybe yours doesn't have it
- theoretically it could be possible to borrow the os's ip address, if i'm not mistaken.

i'm not confident i could fully secure it, so i always apply me_cleaner.

@jmhorner @i_lost_my_bagel

- probably, but i just don't personally trust it. the code is unauditable, and could be full of bugs.
- os services don't matter. remote management is supposed to work even if the os doesn't boot, e.g. to reboot/reinstall remotely
- there are some wi-fi cards with "vPro feature". maybe yours doesn't have it
- theoretically it could be possible to borrow the os's ip address, if i'm not mistaken.

7 April at 19:43 | Open on mas.to
JM Horner :blobcatcowboy:

@riku @i_lost_my_bagel I'll admit that when I first read the post I may have pooped a little and thought that it sounded like a terrible security flaw. I thought I might be dropping a dozen laptops off for recycling.

While screwing around I think I saw that only the newest version has the ability to use WiFi. I am guessing at the numbers here... but I think 2.4, 2.6, and 4.0 do NOT work via WiFi, while 6.0 does. If anybody reading this is banking on those version numbers please go check rather taking my word for it.

I think the part that irritates me most is how [as you just said] it is not possible to audit the code, and that it could be already setup when buying a used device. The damage *should* still be limited to the local LAN, but it *should* have a more obvious "off button".

@riku @i_lost_my_bagel I'll admit that when I first read the post I may have pooped a little and thought that it sounded like a terrible security flaw. I thought I might be dropping a dozen laptops off for recycling.

While screwing around I think I saw that only the newest version has the ability to use WiFi. I am guessing at the numbers here... but I think 2.4, 2.6, and 4.0 do NOT work via WiFi, while 6.0 does. If anybody reading this is banking on those version numbers please go check rather taking...

7 April at 19:51 | Open on eattherich.club
Riku Viitanen

@jmhorner @i_lost_my_bagel

yeah, this has been widely known and criticised ever since intel first introduced it. clearly not widely enough, if users still don't know about it.

those version numbers refer to specific chipset generations btw, since the ime is inside the pch. so 6.0 is ibex peak, not exactly bleeding edge.

i very much think only code that i approve of should run on my machine. it's the principle.

7 April at 20:32 | Open on mas.to
number 1 windows xp hater

@jmhorner that wont stop anything. I've used the KVM features of it with linux. You might not be able to get to the web interface on the local machine but it's still running.

7 April at 15:34 | Open on mastodon.lilysthings.org
PCLMULQDQ

@i_lost_my_bagel @jmhorner do you know how to get the kvm working :( the documentation makes me feel dumb and meshcommander doesn't say anything about kvm

8 April at 20:34 | Open on mstdn.party
Jernej Simončič �

@jmhorner @i_lost_my_bagel SOL = Serial Over LAN – it's a virtual serial port.

7 April at 18:18 | Open on infosec.exchange
JM Horner :blobcatcowboy:

@jernej__s @i_lost_my_bagel Thanks eh... that's much more polite than what I was thinking. :-)

7 April at 18:29 | Open on eattherich.club
Go Up