Email or username:

Password:

Forgot your password?
Top-level
Riku Viitanen

@jmhorner @i_lost_my_bagel By sending/receiving packets to an Intel network card on that machine. ME coprocessor has access to those, and can configure them how it wishes.

4 comments
JM Horner :blobcatcowboy:

@riku @i_lost_my_bagel If I do not go in to my BIOS and setup an AMT admin password and networking, AMT does not seem to get an IP address. Additionally, when I stop the IME services in Windows (or uninstall the IME software) MeshCommander times out. If I unplug my NIC and only use WiFi, AMT is unable to pickup an IP address from my DHCP server (and is of course inaccessible via MeshCommander).

So, in order for someone "not on my network" to interact with AMT, is it fair to say that:

- I'd have to either specifically setup AMT in my BIOS or buy a device that has already been setup

- I'd have to have the IME software installed and the two IME services running in Windows

- I'd have to be connected via Ethernet rather than WiFi and

- I'd have to have the appropriate port forwarded on my IPv4 NAT-based gateway or have IPv6 setup on my home network

Or is there really some way for someone to remotely interact with AMT even if one or more of those points is not met? While I am disappointed that Intel would put that kind of crap "in a processor", I can't say I am surprised. So, should I see it as being any more of a security problem than something like DRAC or iLO?

@riku @i_lost_my_bagel If I do not go in to my BIOS and setup an AMT admin password and networking, AMT does not seem to get an IP address. Additionally, when I stop the IME services in Windows (or uninstall the IME software) MeshCommander times out. If I unplug my NIC and only use WiFi, AMT is unable to pickup an IP address from my DHCP server (and is of course inaccessible via MeshCommander).

Riku Viitanen

@jmhorner @i_lost_my_bagel

- probably, but i just don't personally trust it. the code is unauditable, and could be full of bugs.
- os services don't matter. remote management is supposed to work even if the os doesn't boot, e.g. to reboot/reinstall remotely
- there are some wi-fi cards with "vPro feature". maybe yours doesn't have it
- theoretically it could be possible to borrow the os's ip address, if i'm not mistaken.

i'm not confident i could fully secure it, so i always apply me_cleaner.

@jmhorner @i_lost_my_bagel

- probably, but i just don't personally trust it. the code is unauditable, and could be full of bugs.
- os services don't matter. remote management is supposed to work even if the os doesn't boot, e.g. to reboot/reinstall remotely
- there are some wi-fi cards with "vPro feature". maybe yours doesn't have it
- theoretically it could be possible to borrow the os's ip address, if i'm not mistaken.

JM Horner :blobcatcowboy:

@riku @i_lost_my_bagel I'll admit that when I first read the post I may have pooped a little and thought that it sounded like a terrible security flaw. I thought I might be dropping a dozen laptops off for recycling.

While screwing around I think I saw that only the newest version has the ability to use WiFi. I am guessing at the numbers here... but I think 2.4, 2.6, and 4.0 do NOT work via WiFi, while 6.0 does. If anybody reading this is banking on those version numbers please go check rather taking my word for it.

I think the part that irritates me most is how [as you just said] it is not possible to audit the code, and that it could be already setup when buying a used device. The damage *should* still be limited to the local LAN, but it *should* have a more obvious "off button".

@riku @i_lost_my_bagel I'll admit that when I first read the post I may have pooped a little and thought that it sounded like a terrible security flaw. I thought I might be dropping a dozen laptops off for recycling.

While screwing around I think I saw that only the newest version has the ability to use WiFi. I am guessing at the numbers here... but I think 2.4, 2.6, and 4.0 do NOT work via WiFi, while 6.0 does. If anybody reading this is banking on those version numbers please go check rather taking...

Riku Viitanen

@jmhorner @i_lost_my_bagel

yeah, this has been widely known and criticised ever since intel first introduced it. clearly not widely enough, if users still don't know about it.

those version numbers refer to specific chipset generations btw, since the ime is inside the pch. so 6.0 is ibex peak, not exactly bleeding edge.

i very much think only code that i approve of should run on my machine. it's the principle.

Go Up