Overclock.net › Forums › Intel › Intel Motherboards › Intel AMT offers Backdoor
Intel AMT offers Backdoor

post #1 of 7
Thread Starter 
Now I fully expect those who have a need for the Intel AMT feature to pitch a fit, but it's only useful in a corporate/business environment where folks expect it to be. It is not useful to 95 percent of the home users, who haven't even got a clue what it is for, and we need information on what chipsets tend to include it.

From what I've been able to find out, Intel's AMT is a full-blown alternative CPU on the motherboard. This means the features it includes are not fully known other than Wake on LAN/Remote Management - what does "Remote Management" actually mean? There is no trusted information available to home users in regards to this.

My current board - ASRock Q87M vPro - has a subset of AMT marketed as "Small Business Advantage", and even though I have all of the features supposedly disabled in the firmware, Windows is still asking for a driver; meaning it's not off as the firmware claims, because normally, when I disable something in the firmware (onboard NIC/audio/USB3), Windows never sees it and doesn't ask for a driver. So if I sound a bit paranoid, you're damn right, and the question now is "Am I paranoid enough?"

Don't get me wrong about the feature, as it's quite useful in a corporate/business environment where it's understood, but as a home user/small business owner it offers nothing I actually need, as many of us think "Remote Management" means from across the room.

Here's the feature set from Newegg:
http://www.newegg.com/Product/Product.aspx?Item=N82E16813157397
A-Style : Home Cloud

Supports 4th Gen Intel Core i7 / i5 / i3 / Xeon / Pentium / Celeron in LGA1150 Package

Supports Intel Small Business Advantage 2.0, Intel vPro Technology
(Explained - Must Read if you don't know)
https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/WordDocuments/intelsbtcapabilitiesandlimitations.htm

(What are the Implications explained here)
http://semiaccurate.com/2012/05/15/intel-small-business-advantage-is-a-security-nightmare/

All Solid Capacitor design

Supports Dual Channel DDR3 1600

1 x PCIe 3.0 x16, 2 x PCIe 2.0 x1, 1 x PCI

Multi VGA Output Options : DVI-D, D-Sub, HDMI, DisplayPort

Intel Gigabit LAN

5.1 CH HD Audio (Realtek ALC662 Audio Codec)

6 x SATA3, 6 x USB 3.0, 6 x USB 2.0

Supports A-Tuning, XFast 555, Easy Driver Installer, FAN-Tastic Tuning, USB Key

Even though Intel markets it under the vPro "Small Business Advantage" label, there is absolutely nothing in the marketing speak about it being a remote admin/control feature, and due to this I have to say that I will never trust Intel again. I don't care that it's more efficient or better; I dislike being sold a major vulnerability that every Tom, Dick and Harry and their kid brother can use to gain access to my computer for whatever reason they want.
post #2 of 7
Intel AMT and Intel SBA are a part (a module) of Intel ME.
You can disable Intel ME in your EFI/BIOS.
But you must remember that all modern Intel systems are constructed to use Intel ME in the ON mode by default.
post #3 of 7
You know at least Intel is telling you what AMT and SBA do, and their remote control functions. Imagine how much backdoor access Windows offers the government and doesn't tell you.
post #4 of 7
Thread Starter 
On the AMT issue, I was familiar with some of the security issues, and no, you can't disable it in the BIOS/firmware, as it's a specially dedicated chip. You can mitigate most of the issues with it by blocking the communication ports the feature uses (16992/16993), and with some basic setup (strong management password and such) you're pretty much golden.

vPro though is different, as Intel sells it as Improved Security (AES-NI/RNG) and doesn't tell you that it includes remote management features, so you never think to look further due to the smoke and mirrors. The other issue is that of the 98 Haswell-based CPUs Intel currently lists, only 48 of them don't have it, and no, I didn't bother checking the other sockets to get an idea how widespread it is. Due to this issue, I ordered a new CPU (Pentium K unlocked) without the damn vPro - money I wasn't planning on spending until I upgraded the video later this year.

As to trusting MS? I've never trusted them since DOS 6.21 (DoubleStack violation). Our first computer was a TRS-80/4P with a whopping 15M external Winchester disk, and it was half the cost of an IBM PC at the time at $4,000.00 for the entire setup. Still works even today if I needed to use it for some reason.
post #5 of 7
If you are paranoid you can flash over the ME firmware with something like Intel's flash programming tool, which is a pretty surefire way to disable it (my X79S-UP5 worked just fine with that section of the BIOS filled with zeros).

Even with the correct/updated firmware installed, it doesn't transmit any data anywhere unless it's enabled and set up.
post #6 of 7
Quote:
Originally Posted by fastturtle View Post

you can't disable it in the Bios/Firmware
BIOS - Advanced - Disable ME
https://yadi.sk/i/nd6Bzuj6ecrCF
Quote:
You can mitigate most of the issues with it by blocking the Communication ports the feature uses (16992/16993)
No, you can't. In CIRA mode, for remote control by AMT, it does not need any open ports.
post #7 of 7
Thread Starter 
Been a while and I don't like bumping older threads but this one is important.

AppleRom: The first thing is, your firmware/BIOS has to have an option visible to the end user to even see that the ME is there. Most of these motherboards don't even acknowledge the existence of the ME, and the features aren't there to disable anything, and with my paranoia in regards to the ME, I doubt if they're disabling things in a manner that's provable to you and me.

Blameless: Keep in mind that the AMT/ME is a completely separate CPU/firmware for the express purpose of determining what is wrong with a server that can't boot. This means it can look at the board and tell if the CPU or RAM is dead, read the disks, and it's all baked right into the ICH9 and later chipsets. The question isn't who; we already know that it's Intel. The real question is why, as the feature simply doesn't have a business use for home computers, yet Intel has baked it into every ICH chip that's installed on any Intel-based motherboard - this includes Apple systems now.

AppleRom: The Core/Open Boot folks have been working on an open-source firmware/BIOS, and even they haven't been able to figure out how to disable the AMT/ME that's now baked into the Intel ICH chips. That's right, these folks who know what they're doing haven't been able to figure it out without replacing the ICH itself, so I doubt you're better than they are.

Everyone: Since AMD is no longer a valid business option - I'm not even sure their chips are clear, as many of the boards I've seen with AMD options are using Intel NICs (did they build a feature into their NICs?) due to performance - it becomes a question of who do we trust? If it's a politician or corporation, I don't trust them any further than I could throw them, and as Spider-Man would say "Spidey senses tingling", but as a Turtle I don't have Spider senses, but my Turtle senses are screaming "Danger, Danger, Danger". One of the mitigations that can be taken if you're behind a decent router is to block the 16992:16993 ports (tcp/udp:all) to at least mitigate some of the potential from outside.
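The port-blocking mitigation in posts #4 and #7 only helps if you know which machines on the LAN actually answer on the AMT ports, so here is a small probe to check that from a second host. This is an added example, not code from the thread: it probes the two ports the thread names (16992/16993) plus the other documented AMT listeners (16994/16995 redirection, 623/664 ASF/RMCP), and the host name, port list and timeout are assumptions you supply. As post #6 notes, a machine provisioned in CIRA mode calls out instead of listening, so a clean result here does not prove AMT is off.

```python
import socket
from typing import Dict, Iterable

# Ports the thread discusses (16992 HTTP, 16993 HTTPS) plus the other
# documented Intel AMT listeners (16994/16995 redirection, 623/664 ASF/RMCP).
AMT_PORTS = (16992, 16993, 16994, 16995, 623, 664)


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, filtered, or timed out: nothing reachable on that port
        return False


def scan_amt_ports(host: str, ports: Iterable[int] = AMT_PORTS,
                   timeout: float = 1.0) -> Dict[int, bool]:
    """Probe each AMT port on `host` and report which ones accept a connection.

    Run this from a DIFFERENT machine on the same LAN. The ME intercepts AMT
    traffic inside the NIC, below the OS network stack, so a probe from the
    target itself (loopback) never reaches the ME and reports every port closed.
    """
    return {port: probe_tcp(host, port, timeout) for port in ports}


def amt_exposed(results: Dict[int, bool]) -> bool:
    """True if any AMT port answered; a False result does not rule out CIRA."""
    return any(results.values())


if __name__ == "__main__":
    # Assumed target address; replace with the vPro box you want to check.
    target = "192.0.2.10"
    report = scan_amt_ports(target)
    for port, is_open in sorted(report.items()):
        print(f"{target}:{port} {'OPEN' if is_open else 'closed'}")
    print("AMT reachable from this host:", amt_exposed(report))
```

Block the same ports inbound at the router (as post #7 suggests) and re-run the probe from outside that segment to confirm the rule actually took effect.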