Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers, [1] [2] running on the Intel Management Engine, a microprocessor subsystem not exposed to the user, intended for monitoring, maintenance, updating, and repairing systems. [1] Out-of-band (OOB) or hardware-based management is different from software-based (or in-band) management and software management agents. [1]
Hardware-based management works at a different level from software applications and uses a communication channel (through the TCP/IP stack) that is different from software-based communication (which is through the software stack in the operating system). Hardware-based management does not depend on the presence of an OS or a locally installed management agent. Hardware-based management has been available on Intel/AMD-based computers in the past, but it has largely been limited to auto-configuration using DHCP or BOOTP for dynamic IP address allocation and diskless workstations, as well as wake-on-LAN (WOL) for remotely powering on systems. [3] AMT is not intended to be used by itself; it is intended to be used alongside a software management application. [1] It gives a management application (and thus, the system administrator who uses it) access to the PC down the wire, to remotely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it. [1] [4] [5]
AMT is designed into a service processor located on the motherboard and uses TLS-secured communication and strong encryption to provide additional security. [6] AMT is built into PCs with Intel vPro technology and is based on the Intel Management Engine (ME). [6] AMT has moved towards increasing support for DMTF Desktop and mobile Architecture for System Hardware (DASH) standards and AMT Release 5.1 and later releases are an implementation of DASH version 1.0/1.1 standards for out-of-band management. [7] AMT provides similar functionality to IPMI, although AMT is designed for client computing systems as compared with the typically server-based IPMI.
Currently, AMT is available in desktops, servers, ultrabooks, tablets, and laptops with Intel Core vPro processor family, including Intel Core i5, Core i7, Core i9, and Intel Xeon E3-1000, Xeon E, Xeon W-1000 product family. [1] [8] [9] AMT also requires an Intel networking card and the corporate version of the Intel Management Engine binary. [10]
Intel confirmed a Remote Elevation of Privilege bug (CVE-2017-5689, SA-00075) in its Management Technology on May 1, 2017. [11] Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME. [12] [13] Some manufacturers, like Purism [14] and System76 [15] are already selling hardware with Intel Management Engine disabled to prevent the remote exploit. Additional major security flaws in the ME affecting a very large number of computers incorporating Management Engine, Trusted Execution Engine, and Server Platform Services firmware, from Skylake in 2015 to Coffee Lake in 2017, were confirmed by Intel on November 20, 2017 (SA-00086).
Although iAMT may be included for free in devices sold to the public and to small businesses, the full capabilities of iAMT, including encrypted remote access via a public key certificate and automatic remote device provisioning of unconfigured iAMT clients, are not accessible for free to the general public or to the direct owners of iAMT equipped devices. iAMT cannot be fully utilized to its maximum potential without purchasing additional software or management services from Intel or another 3rd party independent software vendor (ISV) or value added reseller (VAR).
Intel itself provides a developer's toolkit software package that allows basic access to iAMT, but is not intended to be normally used to access the technology. [16] Only basic modes of access are supported, without full access to the encrypted communications of the complete purchased management system. [17]
Intel AMT includes hardware-based remote management, security, power management, and remote configuration features that enable independent remote access to AMT-enabled PCs. [5] Intel AMT is security and management technology that is built into PCs with Intel vPro technology. [1]
Intel AMT uses a hardware-based out-of-band (OOB) communication channel [1] that operates regardless of the presence of a working operating system. The communication channel is independent of the PC's power state, the presence of a management agent, and the state of many hardware components such as hard disk drives and memory.
Most AMT features are available OOB, regardless of PC power state. [1] Other features require the PC to be powered up (such as console redirection via serial over LAN (SOL), agent presence checking, and network traffic filtering). [1] Intel AMT has remote power-up capability.
Hardware-based features can be combined with scripting to automate maintenance and service. [1]
Hardware-based AMT features on laptop and desktop PCs include:
Laptops with AMT also include wireless technologies:
Software updates provide upgrades to the next minor version of Intel AMT. New major releases of Intel AMT are built into a new chipset, and are updated through new hardware. [6]
Almost all AMT features are available even if the PC is in a powered-off state but with its power cord attached, if the operating system has crashed, if the software agent is missing, or if hardware (such as a hard drive or memory) has failed. [1] [6] The console-redirection feature (SOL), agent presence checking, and network traffic filters are available after the PC is powered up. [1] [6]
Intel AMT supports these management tasks:
From major version 6, Intel AMT embeds a proprietary VNC server, for out-of-band access using dedicated VNC-compatible viewer technology, and has full KVM (keyboard, video, mouse) capability throughout the power cycle – including uninterrupted control of the desktop when an operating system loads. Clients such as VNC Viewer Plus from RealVNC also provide additional functionality that might make it easier to perform (and watch) certain Intel AMT operations, such as powering the computer off and on, configuring the BIOS, and mounting a remote image (IDER).
AMT supports certificate-based or PSK-based remote provisioning (full remote deployment), USB key-based provisioning ("one-touch" provisioning), manual provisioning [1] and provisioning using an agent on the local host ("Host Based Provisioning"). An OEM can also pre-provision AMT. [19]
The current version of AMT supports remote deployment on both laptop and desktop PCs. (Remote deployment was one of the key features missing from earlier versions of AMT and which delayed acceptance of AMT in the market.) [5] Remote deployment, until recently, was only possible within a corporate network. [22] Remote deployment lets a sys-admin deploy PCs without "touching" the systems physically. [1] It also allows a sys-admin to delay deployments and put PCs into use for a period of time before making AMT features available to the IT console. [23] As delivery and deployment models evolve, AMT can now be deployed over the Internet, using both "Zero-Touch" and Host-Based methods. [24]
PCs can be sold with AMT enabled or disabled. The OEM determines whether to ship AMT with the capabilities ready for setup (enabled) or disabled. The setup and configuration process may vary depending on the OEM build. [19]
AMT includes a Privacy Icon application, called IMSS, [25] that notifies the system's user if AMT is enabled. It is up to the OEM to decide whether they want to display the icon or not.
AMT supports different methods for disabling the management and security technology, as well as different methods for reenabling the technology. [1] [23] [26] [27]
AMT can be partially unprovisioned using the Configuration Settings, or fully unprovisioned by erasing all configuration settings, security credentials, and operational and networking settings. [28] A partial unprovisioning leaves the PC in the setup state. In this state, the PC can self-initiate its automated, remote configuration process. A full unprovisioning erases the configuration profile as well as the security credentials and operational / networking settings required to communicate with the Intel Management Engine. A full unprovisioning returns Intel AMT to its factory default state.
Once AMT is disabled, to enable AMT again, an authorized sys-admin can reestablish the security credentials required to perform remote configuration by either:
There is a way to totally reset AMT and return to factory defaults. This can be done in two ways:
Setup and integration of AMT is supported by a setup and configuration service (for automated setup), an AMT Webserver tool (included with Intel AMT), and AMT Commander, an unsupported and free, proprietary application available from the Intel website.
All access to the Intel AMT features is through the Intel Management Engine in the PC's hardware and firmware. [1] AMT communication depends on the state of the Management Engine, not the state of the PC's OS.
As part of the Intel Management Engine, the AMT OOB communication channel is based on the TCP/IP firmware stack designed into system hardware. [1] Because it is based on the TCP/IP stack, remote communication with AMT occurs via the network data path before communication is passed to the OS.
Intel AMT supports wired and wireless networks. [1] [8] [20] [29] For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down. OOB communication is also available for wireless or wired notebooks connected to the corporate network over a host OS-based virtual private network (VPN) when notebooks are awake and working properly.
AMT version 4.0 and higher can establish a secure communication tunnel between a wired PC and an IT console outside the corporate firewall. [1] [30] In this scheme, a management presence server (Intel calls this a "vPro-enabled gateway") authenticates the PC, opens a secure TLS tunnel between the IT console and the PC, and mediates communication. [1] [31] The scheme is intended to help the user or PC itself request maintenance or service when at satellite offices or similar places where there is no on-site proxy server or management appliance.
Technology that secures communications outside a corporate firewall is relatively new. It also requires that an infrastructure be in place, including support from IT consoles and firewalls.
An AMT PC stores system configuration information in protected memory. For PCs version 4.0 and higher, this information can include the name(s) of appropriate "whitelist" management servers for the company. When a user tries to initiate a remote session between the wired PC and a company server from an open LAN, AMT sends the stored information to a management presence server (MPS) in the "demilitarized zone" ("DMZ") that exists between the corporate firewall and client (the user PC's) firewalls. The MPS uses that information to help authenticate the PC. The MPS then mediates communication between the laptop and the company's management servers. [1]
Because communication is authenticated, a secure communication tunnel can then be opened using TLS encryption. Once secure communications are established between the IT console and Intel AMT on the user's PC, a sys-admin can use the typical AMT features to remotely diagnose, repair, maintain, or update the PC. [1]
The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional [32] part in all current (as of 2015) Intel chipsets. [33]
Starting with ME 11, it is based on the Intel Quark x86-based 32-bit CPU and runs the MINIX 3 operating system. The ME state is stored in a partition of the SPI flash, using the Embedded Flash File System (EFFS). [34] Previous versions were based on an ARC core, with the Management Engine running the ThreadX RTOS from Express Logic. Versions 1.x to 5.x of the ME used the ARCTangent-A4 (32-bit only instructions) whereas versions 6.x to 8.x used the newer ARCompact (mixed 32- and 16-bit instruction set architecture). Starting with ME 7.1, the ARC processor could also execute signed Java applets.
The ME shares the same network interface and IP as the host system. Traffic is routed based on packets to ports 16992–16995. Support exists in various Intel Ethernet controllers, exported and made configurable via Management Component Transport Protocol (MCTP). [35] [36] The ME also communicates with the host via PCI interface. [34] Under Linux, communication between the host and the ME is done via /dev/mei [33] or more recently [37] /dev/mei0. [38]
Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout. [39] With the newer Intel architectures (Intel 5 Series onwards), ME is included into the Platform Controller Hub (PCH). [40] [41]
Because AMT allows access to the PC below the OS level, security for the AMT features is a key concern.
Security for communications between Intel AMT and the provisioning service and/or management console can be established in different ways depending on the network environment. Security can be established via certificates and keys (TLS public key infrastructure, or TLS-PKI), pre-shared keys (TLS-PSK), or administrator password. [1] [6]
Security technologies that protect access to the AMT features are built into the hardware and firmware. As with other hardware-based features of AMT, the security technologies are active even if the PC is powered off, the OS is crashed, software agents are missing, or hardware (such as a hard drive or memory) has failed. [1] [6] [42]
Because the software that implements AMT exists outside of the operating system, it is not kept up-to-date by the operating system's normal update mechanism. Security defects in the AMT software can therefore be particularly severe, as they will remain long after they have been discovered and become known to potential attackers.
On May 15, 2017, Intel announced a critical vulnerability in AMT. According to the update "The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use these technologies". [43] Intel announced partial availability of a firmware update to patch the vulnerability for some of the affected devices.
While some protocols for in-band remote management use a secured network communication channel (for example Secure Shell), some other protocols are not secured. Thus some businesses have had to choose between having a secure network or allowing IT to use remote management applications without secure communications to maintain and service PCs. [1]
Modern security technologies and hardware designs allow remote management even in more secure environments. For example, Intel AMT supports IEEE 802.1x, Preboot Execution Environment (PXE), Cisco Self-Defending Network, and Microsoft NAP. [1]
All AMT features are available in a secure network environment. With Intel AMT in the secure network environment:
Intel AMT can embed network security credentials in the hardware, via the Intel AMT Embedded Trust Agent and an AMT posture plug-in. [1] [6] The plug-in collects security posture information, such as firmware configuration and security parameters from third-party software (such as antivirus software and antispyware), BIOS, and protected memory. The plug-in and trust agent can store the security profile(s) in AMT's protected, nonvolatile memory, which is not on the hard disk drive.
Because AMT has an out-of-band communication channel, AMT can present the PC's security posture to the network even if the PC's OS or security software is compromised. Since AMT presents the posture out-of-band, the network can also authenticate the PC out-of-band, before the OS or applications load and before they try to access the network. If the security posture is not correct, a system administrator can push an update OOB (via Intel AMT) or reinstall critical security software before letting the PC access the network.
Support for different security postures depends on the AMT release:
AMT includes several security schemes, technologies, and methodologies to secure access to the AMT features during deployment and during remote management. [1] [6] [42] AMT security technologies and methodologies include:
As with other aspects of Intel AMT, the security technologies and methodologies are built into the chipset.
A ring −3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset; it does not work for the later Q45 chipset, as Intel implemented additional protections. [46] The exploit worked by remapping the normally protected memory region (top 16 MB of RAM) reserved for the ME. The ME rootkit could be installed regardless of whether the AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor. (The "−3" designation was chosen because the ME coprocessor works even when the system is in the S3 state, thus it was considered a layer below the System Management Mode rootkits. [39] ) For the vulnerable Q35 chipset, a keystroke logger ME-based rootkit was demonstrated by Patrick Stewin. [47] [48]
Another security evaluation by Vassilios Ververis showed serious weaknesses in the GM45 chipset implementation. In particular, it criticized AMT for transmitting unencrypted passwords in the SMB provisioning mode when the IDE redirection and Serial over LAN features are used. It also found that the "zero touch" provisioning mode (ZTC) is still enabled even when the AMT appears to be disabled in BIOS. For about 60 euros, Ververis purchased from Go Daddy a certificate that is accepted by the ME firmware and allows remote "zero touch" provisioning of (possibly unsuspecting) machines, which broadcast their HELLO packets to would-be configuration servers. [49]
In May 2017, Intel confirmed that many computers with AMT have had an unpatched critical privilege-escalation vulnerability (CVE-2017-5689). [13] [50] [11] [51] [52] The vulnerability, which was nicknamed "Silent Bob is Silent" by the researchers who had reported it to Intel, [53] affects numerous laptops, desktops and servers sold by Dell, Fujitsu, Hewlett-Packard (later Hewlett Packard Enterprise and HP Inc.), Intel, Lenovo, and possibly others. [53] [54] [55] [56] [57] [58] [59] Those researchers claimed that the bug affects systems made in 2010 or later. [60] Other reports claimed that the bug also affects systems made as long ago as 2008. [12] [13] The vulnerability was described as giving remote attackers:
full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware (possibly in firmware), and read and modify any data.
— Tatu Ylönen, ssh.com [53]
The remote user authorization process included a programmer error: it compared the user-given authorization token hash (user_response) to the true value of the hash (computed_response) using this code:
strncmp(computed_response, user_response, response_length)
The vulnerability was that response_length was the length of the user-given token and not of the true token.
Since the third argument for strncmp is the maximum number of characters to compare, if it is less than the length of computed_response, only a part of the string will be tested for equality. Specifically, if user_response is the empty string (with length 0), this "comparison" will always report a match (strncmp returns 0), and thus validate the user. This allowed any person to simply log into the admin account on the devices by editing their sent HTTP packet to use the empty string as the response field's value.
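The comparison flaw described above, shown beside a hardened form, as an added example (not Intel's firmware code and not part of the original article). The function names, the 32-character hex digest length (DIGEST_HEX_LEN) and the sample digest are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed digest length: 32 hex characters (an MD5-sized digest in hex).
   The article does not state the length; this is an illustration value. */
#define DIGEST_HEX_LEN 32

/* Constructed sample digest, not taken from any real device. */
static const char SAMPLE_COMPUTED[] = "0123456789abcdef0123456789abcdef";

/* The flawed check as the article describes it: the number of characters
   compared comes from the caller-supplied value, not from the true digest.
   Returns 1 if access would be granted, 0 otherwise. */
int check_response_flawed(const char *computed_response,
                          const char *user_response)
{
    size_t response_length = strlen(user_response);
    return strncmp(computed_response, user_response, response_length) == 0;
}

/* Hardened check: both values must have exactly the expected length, and
   every byte is compared without an early exit, so the running time does
   not reveal how many leading characters matched. */
int check_response_fixed(const char *computed_response,
                         const char *user_response)
{
    unsigned char diff = 0;
    size_t i;

    if (strlen(computed_response) != DIGEST_HEX_LEN)
        return 0;
    if (strlen(user_response) != DIGEST_HEX_LEN)
        return 0;

    for (i = 0; i < DIGEST_HEX_LEN; i++)
        diff |= (unsigned char)(computed_response[i] ^ user_response[i]);

    return diff == 0;
}

/* Constructed test inputs covering the failure modes of the flawed check. */
struct response_case {
    const char *label;
    const char *user_response;
};

static const struct response_case CASES[] = {
    { "empty response",       "" },
    { "4-character prefix",   "0123" },
    { "correct digest",       "0123456789abcdef0123456789abcdef" },
    { "wrong last character", "0123456789abcdef0123456789abcdee" },
    { "correct plus suffix",  "0123456789abcdef0123456789abcdefX" },
};

/* Counts the cases where the two checks disagree. */
int count_disagreements(void)
{
    int n = 0;
    size_t i;

    for (i = 0; i < sizeof CASES / sizeof CASES[0]; i++) {
        int flawed = check_response_flawed(SAMPLE_COMPUTED,
                                           CASES[i].user_response);
        int fixed = check_response_fixed(SAMPLE_COMPUTED,
                                         CASES[i].user_response);
        if (flawed != fixed)
            n++;
    }
    return n;
}

int main(void)
{
    size_t i;

    printf("%-22s %-8s %-8s\n", "case", "flawed", "fixed");
    for (i = 0; i < sizeof CASES / sizeof CASES[0]; i++) {
        printf("%-22s %-8s %-8s\n", CASES[i].label,
               check_response_flawed(SAMPLE_COMPUTED,
                                     CASES[i].user_response)
                   ? "ACCEPT" : "reject",
               check_response_fixed(SAMPLE_COMPUTED,
                                    CASES[i].user_response)
                   ? "ACCEPT" : "reject");
    }
    printf("cases where the checks disagree: %d\n", count_disagreements());
    return 0;
}
```

The flawed check accepts not only the empty string but any prefix of the true digest, which is why the hardened form rejects on length before comparing any bytes.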
In June 2017, the PLATINUM cybercrime group became notable for exploiting the serial over LAN (SOL) capabilities of AMT to perform data exfiltration of stolen documents. [61] [62] [63] [64] [65] [66] [67] [68]
In November 2017 serious flaws were detected in the Management Engine (ME) firmware by security firm Positive Technologies, who claimed to have developed a working exploit of this system for someone having physical access to a USB port. [69] On November 20, 2017, Intel confirmed that a number of serious flaws had been found in the Management Engine, Trusted Execution Engine, Server Platform Services and released a "critical firmware update". [70] [71]
PCs with AMT typically provide an option in the BIOS menu to switch off AMT, though OEMs implement BIOS features differently, [72] and therefore the BIOS is not a reliable method to switch off AMT. Intel-based PCs that shipped without AMT are not supposed to be able to have AMT installed later. However, as long as the PC's hardware is potentially capable of running the AMT, it is unclear how effective these protections are. [73] [74] [75] Presently, there are mitigation guides [76] and tools [77] to disable AMT on Windows, but Linux has only received a tool to check whether AMT is enabled and provisioned on Linux systems. [78] The only way to actually fix this vulnerability is to install a firmware update. Intel has made a list of updates available. [79] Unlike for AMT, there is generally no official, documented way to disable the Management Engine (ME); it is always on, unless it is not enabled at all by the OEM. [80] [81]
In 2015, a small number of competing vendors began to offer Intel-based PCs designed or modified specifically to address potential AMT vulnerabilities and related concerns. [82] [83] [84] [85] [10] [86] [87]