Overview of AMT
AMT (included in Intel network chipset, usually high end laptop, PC, NOC..) provides out-of-band (OOB) management for Desktops and Laptops, using an agent integrated in the network adapter and in the motherboard.
?LibreBoot has described the Intel Management Engine (ME), foundation of the AMT solution, as a backdoor. Their concerns were proven to be well founded when Intel disclosed a critical security vulnerability in 2017. While Intel provided a fix for that issue, the source code has never been disclosed and so it is impossible for the community to eliminate other security faults or find out if backdoors have been deliberately concealed within ME/AMT/vPro technology.
Mitigating the risk
?LibreBoot has recommended getting rid of any modern Intel hardware as quickly as possible. They support older laptop models such as the Thinkpad X200 which does not suffer from these risks.
The me_cleaner project attempts to help remove most of the ME/AMT/vPro from more modern systems by modifying the BIOS. Some code (between 90 - 650 kb) is still left in the BIOS and executed at boot time.
AMT versions and features
Typical features and benefits of Intel Active Management Technology:
Out-of-Band system access => Allows remote management of platforms regardless of system power¹ or OS state (power on, power off...)
Proactive alerting => Decreases downtime and minimizes time-to-repair
Remote HW and SW asset tracking => Increase speed and accuracy over manual inventory tracking, reducing asset accounting costs
- Giving Intel, the NSA and anybody who has found a backdoor access to monitor your keystrokes, screen contents and contents of RAM, including any encryption keys
Note on AMT versions and protocol: New device with AMT >= 9.0 only support the WS-MAN / WS-Management protocol. That protocol was introduced in AMT >=3 to replace SOAP(EOI) (read Intel announcement). Most tools support only one of those protocols (so either AMT v1 to v3, or v3 to v9+)
Check this wiki page about AMT versions and features
Configuring the Management-Engine
Entreprise mode - In this mode, communications are authenticated using a certificate. .
Small Business (SMB) - In this mode, communications are authenticated using a password ('pre-shared secret'). .
Using
AMT/WebBrowser - Browser client.
AMT/SerialOverLan - AMT's Serial over Lan
?AMT/IDE-R - AMT's Remote IDE
Identify
Once the Managment Engine is enabled (not necessarily configured), lspci -nn will show :
00:03.0 Communication controller [0780]: Intel Corporation Mobile PM965/GM965 MEI Controller [8086:2a04] (rev 0c) 00:03.2 IDE interface [0101]: Intel Corporation Mobile PM965/GM965 PT IDER Controller [8086:2a06] (rev 0c) 00:03.3 Serial controller [0700]: Intel Corporation Mobile PM965/GM965 KT Controller [8086:2a07] (rev 0c)
- note the "MEI", "KT", and "IDER" Controllers.
Linux Tools
RFP: wsmancli -- Opensource Implementation of WS-Management - Command line utility (754505)
(other tools / possibilities: https://github.com/sdague/amt , or a WS-MAN compatible tool?)
See Also
http://www.intel.com/technology/platform-technology/intel-amt/ - Intel Active Management Technology.
http://softwarecommunity.intel.com/isn/home/manageability.aspx - Intel manageability stuffs.
http://www.openamt.org/ - Open Source Intel AMT Drivers and Tools (MEI/HECI and more).