[personal profile] mjg59
More details about Intel's AMT vulnerability have been released - it's about the worst case scenario, in that it's a total authentication bypass that appears to exist independent of whether the AMT is being used in Small Business or Enterprise modes (more background in my previous post here). One thing I claimed was that even though this was pretty bad it probably wasn't super bad, since Shodan indicated that there were only a small number of thousand machines on the public internet and accessible via AMT. Most deployments were probably behind corporate firewalls, which meant that it was plausibly a vector for spreading within a company but probably wasn't a likely initial vector.

I've since done some more playing and come to the conclusion that it's rather worse than that. AMT actually supports being accessed over wireless networks. Enabling this is a separate option - if you simply provision AMT it won't be accessible over wireless by default, you need to perform additional configuration (although this is as simple as logging into the web UI and turning on the option). Once enabled, there are two cases:
  1. The system is not running an operating system, or the operating system has not taken control of the wireless hardware. In this case AMT will attempt to join any network that it's been explicitly told about. Note that in default configuration, joining a wireless network from the OS is not sufficient for AMT to know about it - there needs to be explicit synchronisation of the network credentials to AMT. Intel provide a wireless manager that does this, but the stock behaviour in Windows (even after you've installed the AMT support drivers) is not to do this.
  2. The system is running an operating system that has taken control of the wireless hardware. In this state, AMT is no longer able to drive the wireless hardware directly and counts on OS support to pass packets on. Under Linux, Intel's wireless drivers do not appear to implement this feature. Under Windows, they do. This does not require any application level support, and uninstalling LMS will not disable this functionality. This also appears to happen at the driver level, which means it bypasses the Windows firewall.
Case 2 is the scary one. If you have a laptop that supports AMT, and if AMT has been provisioned, and if AMT has had wireless support turned on, and if you're running Windows, then connecting your laptop to a public wireless network means that AMT is accessible to anyone else on that network[1]. If it hasn't received a firmware update, they'll be able to do so without needing any valid credentials.

If you're a corporate IT department, and if you have AMT enabled over wifi, turn it off. Now.

[1] Assuming that the network doesn't block client to client traffic, of course
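The advice above is "turn it off", and the first step to doing that is knowing which machines on your own network actually answer on AMT's management ports. The script below is an added example, not code from this post: it connects to the AMT web-UI ports (16992 plain HTTP, 16993 HTTPS) on hosts you administer, sends a minimal GET, and reports any host whose HTTP Server header names Intel Active Management Technology. The banner format ("Intel(R) Active Management Technology <version>") is an assumption, as is the choice to skip TLS certificate verification for this read-only inventory; the `inventory`, `probe_http` and `classify_banner` names are mine.

```python
#!/usr/bin/env python3
"""Inventory hosts you administer for reachable Intel AMT web services.

Added example, not code from the original post. Assumptions:
  - AMT's web UI listens on 16992 (HTTP) and 16993 (HTTPS); the other ports
    named in the comments (16994/16995, 623/664) carry non-HTTP protocols
    and are not probed here.
  - The AMT web UI names itself in an HTTP "Server:" header that starts
    with "Intel(R) Active Management Technology" (assumed banner format).
"""
import re
import socket
import ssl
from typing import Dict, Iterable, Optional, Tuple

AMT_WEB_PORTS = (16992, 16993)
# Assumed banner shape; the version text after the product name varies.
BANNER_RE = re.compile(
    r"^Server:[ \t]*(Intel\(R\) Active Management Technology[^\r\n]*)",
    re.IGNORECASE | re.MULTILINE,
)


def classify_banner(raw: bytes) -> Optional[str]:
    """Return the AMT Server banner found in a raw HTTP reply, else None."""
    text = raw.decode("latin-1")  # latin-1 never raises; headers are ASCII
    match = BANNER_RE.search(text)
    return match.group(1).strip() if match else None


def probe_http(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send a minimal GET / to host:port; return the raw reply, b"" on any error.

    16993 is wrapped in TLS with verification disabled, because this is an
    inventory of your own fleet and AMT certificates are commonly self-signed.
    Nothing sent here carries credentials, so nothing is at stake in the check.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if port == 16993:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False   # must be cleared before verify_mode
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            chunks, total = [], 0
            while total < 65536:          # headers are all we need; cap the read
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
            return b"".join(chunks)
    except OSError:  # refused, timed out, unreachable, TLS handshake failure
        return b""


def inventory(hosts: Iterable[str],
              ports: Tuple[int, ...] = AMT_WEB_PORTS) -> Dict[Tuple[str, int], str]:
    """Map (host, port) -> banner for every host/port that answers like AMT."""
    findings: Dict[Tuple[str, int], str] = {}
    for host in hosts:
        for port in ports:
            banner = classify_banner(probe_http(host, port))
            if banner:
                findings[(host, port)] = banner
    return findings


if __name__ == "__main__":
    import sys
    # usage: python3 amt_inventory.py 10.0.0.5 10.0.0.6 ...
    for (h, p), banner in inventory(sys.argv[1:]).items():
        print(f"{h}:{p}\t{banner}")
```

Run it from a second machine on the same wireless network as the laptops you are worried about: per the post, the firmware only answers over wifi once it has been provisioned and had wireless enabled, so a host that shows up here is exactly the case 2 exposure described above. A host that does not answer on 16992/16993 may still have AMT provisioned but not wireless-enabled, so treat an empty result as "not reachable from here", not "not provisioned".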

Date: 2017-05-09 09:00 pm (UTC)
From: (Anonymous)
Is there a script that Linux users can run, locally, that will check if AMT is enabled/provisioned/provisionable/etc?

Or, is there a procedure Linux users can follow to manually detect this?

quick check for ports

Date: 2017-05-10 02:15 pm (UTC)
From: (Anonymous)
This does not address your question about provisionability, and takes Intel's information at face-value[1]

netstat -na | grep -E '(16993|16992|16994|16995|623|664)'

1. https://downloadcenter.intel.com/download/26754

Re: quick check for ports

Date: 2017-05-10 02:56 pm (UTC)
dimview: (Default)
From: [personal profile] dimview
Shouldn't it be -Ew rather -E? Otherwise you'll get partial matches.

Re: quick check for ports

Date: 2017-05-10 03:03 pm (UTC)
From: (Anonymous)
-Ew seems to be correct

$ netstat -na | grep -E '(16993|16992|16994|16995|623|664)'
tcp6 223 0 fe80::c83d:66ff:.8770 fe80::b80c:4aff:.55664 CLOSE_WAIT
$ netstat -na | grep -Ew '(16993|16992|16994|16995|623|664)'
$

p.s. matthew - in your "about" the link to google is missing an 'o'
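The exchange above shows why grepping netstat for bare digit runs misfires: `664` matches inside the foreign port `55664`. Parsing the local-address column and comparing the port as a number avoids both that and the opposite problem of `-w` failing on separators. The script below is an added example, not code from the thread; the sample netstat lines are constructed and deliberately mix the Linux `:` and the BSD/macOS `.` address-port separators, and the function names (`grep_like`, `local_port`, `amt_sockets`, `live_netstat`) are mine.

```python
#!/usr/bin/env python3
"""Find sockets on Intel AMT ports by parsing netstat's port field instead of
grepping for digit substrings. Added example, not code from the thread.
SAMPLE_NETSTAT below is constructed test data."""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}
PORT_PATTERN = "(16993|16992|16994|16995|623|664)"   # the thread's grep pattern
ADDR_RE = re.compile(r"[.:](\d+|\*)$")               # 'host:port' or 'host.port'

# Constructed sample: Linux-style ':' lines plus the macOS-style '.' line
# quoted in the thread (where 55664 is the *foreign* port).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6     223      0 fe80::c83d:66ff:.8770   fe80::b80c:4aff:.55664  CLOSE_WAIT
tcp        0      0 127.0.0.1:16992         0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:623             0.0.0.0:*
"""


def grep_like(line: str, word: bool) -> bool:
    """Mimic `grep -E` (word=False) and `grep -Ew` (word=True) on one line."""
    pattern = (r"\b" + PORT_PATTERN + r"\b") if word else PORT_PATTERN
    return re.search(pattern, line) is not None


def local_port(addr: str) -> Optional[int]:
    """Port number of a netstat address column, None for '*' or junk.
    Accepts '0.0.0.0:16992', ':::22' and 'fe80::c83d:66ff:.8770'."""
    m = ADDR_RE.search(addr)
    if not m or m.group(1) == "*":
        return None
    return int(m.group(1))


def amt_sockets(netstat_output: str) -> List[Tuple[str, str, int]]:
    """(proto, local address, port) for sockets whose *local* port is an AMT port.

    The local address is the first address-looking field after the protocol,
    which is column 4 on Linux/BSD `netstat -na` and column 2 on Windows."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].lower().startswith(("tcp", "udp")):
            continue  # header, unix-domain sockets, blank lines
        addr = next((f for f in fields[1:] if ADDR_RE.search(f)), None)
        if addr is None:
            continue
        port = local_port(addr)
        if port in AMT_PORTS:
            hits.append((fields[0], addr, port))
    return hits


def live_netstat() -> str:
    """Output of `netstat -na` if the tool exists, else an empty string."""
    if shutil.which("netstat") is None:
        return ""
    return subprocess.run(["netstat", "-na"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    output = live_netstat() or SAMPLE_NETSTAT   # fall back to the sample offline
    for proto, addr, port in amt_sockets(output):
        print(f"{proto}\t{addr}\tport {port}")
```

One caveat worth keeping in mind when reading the result: the AMT ports are served by the management engine's firmware, not by the host OS, so on a machine whose AMT is reachable from the network they generally do not appear in that machine's own netstat at all. What a local check typically finds is Intel's LMS host service listening on the loopback address, which tells you the AMT software stack is installed, not whether AMT is provisioned or reachable over wifi; the latter has to be checked from another host on the same network.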

Re: quick check for ports

Date: 2017-05-10 07:20 pm (UTC)
From: (Anonymous)
Hi. What about pointing your browser to those ports?

Some guidance for you

Date: 2019-10-18 06:14 am (UTC)
From: (Anonymous)
Hi - I am with Intel, and I'm focused on the Intel vPro platform which includes Intel Active Management Technology.

I briefed through your post, and admittedly I may have missed some points due to the quick read through. However, I did find that you're missing some important information. Perhaps it's because the post was over 2 years ago. A few things have changed:

- Have you looked at Intel Security Center? See https://www.intel.com/content/www/us/en/security-center/default.html I find it absolutely amazing that a product released in 2006 has minimal technical advisories, which incidentally have all been addressed!

- Have more bugs that you'd like to submit, and possibly get paid for it? Check out Intel Bug Bounty Program at https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html. Isn't it wonderful that a top tier company is willing to be so transparent? That's sometimes a really hard find... Like a beautiful person you might be interested in, don't let them go ;-)

- When you configured Intel AMT wireless settings, did you set the Home Domain value? If set, and you're outside that domain (i.e. on the Internet), all Intel AMT ports are closed. Only an Intel AMT initiated outbound request will work. We called it Client Initiated Remote Access (CIRA) and it's an important foundation for some exciting items that are happening.

- Did you know that all Intel AMT communications require an authenticated and authorized request BEFORE any commands are sent or sessions started? Even better, if you configure it correctly, all communications are TLS 1.2 encrypted. (yeah, yeah - I know - what about TLS 1.3? We know, we're addressing that). Take a look at https://intel.com/implementamt - a lot of information linked off of that site.

- Did you know that Intel AMT over wireless requires Intel AMT to first be configured? Configuring Intel AMT sets a strong password on the administrator account (i.e. at least 8 alphanumeric characters, at least one special character, etc.)

- Have you perused https://intel.com/implementamt? Don't know about you, but I highly encourage going to the source for factual truths.

- Have you checked out https://meshcentral.com ? Really good info there... you could set up your own friends and family IT administration capability. I did. It's cool

Oh - and I invite you to view this latest LinkedIn posting - https://www.linkedin.com/feed/update/urn:li:activity:6590747566298791936/ - again, more factual truths.

If you'd like, follow me on Reddit at https://www.reddit.com/user/tccutler/

Have a nice day!

#iamintel

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. [personal profile] mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
