🥷 (RTP) Privacy Tech Tips 📡
68 прихильники(ів)
💻 Intel Management Engine / AMT: Proble ...

💻 Intel Management Engine / AMT: Problems + Solutions

Oct 19, 2021

NOTE: coreboot / libreboot / neuter process requires flash clip. If not careful, you *can brick your system. Be prepared for this and backup first, in case. Otherwise, solution providers that take care of this listed below (fyi: not all coreboot laptops come with intel management engine neutered).


SOLUTION: 💻 Coreboot Linux laptops (USA SERVICE) -- supports independent content creation here. 📨 contact: happy to answer questions on service.

Goal: share solutions wherever possible to problems presented here.

Elsewhere in the world, many other options / companies offering listed down below (not affiliates).


🛰️ ACTIVE MANAGEMENT TECHNOLOGY (AMT)

If you aren't aware, previous video goes over some of the capabilities of Intel Management Engine, some of the known / public options available seeking to disable it (in certain PC), and other recent mentions (UEFI):

https://www.youtube.com/watch?v=bq4aPvxzxcc&list=PLba3feUDrXrqztbBKNm0NtIZk3Ms4K2Ui

WHY DOES THIS EXIST IN MY MACHINE AGAIN?

From Intel Website: "Built into many Intel® Chipset–based platforms is a small, low-power computer subsystem called the Intel® Management Engine (Intel® ME). The Intel® ME performs various tasks while the system is in sleep, during the boot process, and when your system is running."

Intel Management Engine/AMT: introduced into x86 computers since 2008 as a way for "Enterprise admins to manage servers/computers remotely".

Even when your machine is turned off (as long as motherboard has power source), Intel Management Engine runs in the background (ever notice battery drain?), doing whatever it was programmed to do (outside its already known functions).



🔓 SECURITY/PRIVACY RISKS?

A computer inside a computer (one you didn't ask for).

ME has access to hardware (keyboard, ram included), is below any OS detection ability, network stack, offers remote access management of the PC, and wasn't invited in.

ITS PWN OPERATING SYSTEM

Intel Management Engine runs a small operating system, UNIX inspired: Minix3. The creator of Minix3, Andrew S. Tanenbaum, wasn't too happy hearing on this use case for his creation.

Excerpt from Andrew Tanenbaum:


"For the record, I would like to state that when Intel contacted me, they didn’t say what they were working on. Companies rarely talk about future products without NDAs. I figured it was a new Ethernet chip or graphics chip or something like that. If I had suspected they might be building a spy engine, I certainly wouldn’t have cooperated...."


OOB (Out Of Band)

AMT (Active Management Technology) uses OOB (out of band) network.

Operating at -3 ring, it is below your operating system (above your system privileges, and outside scope of software's ability to detect packets locally - won't detect AMT packets when running wireshark locally on your Intel machine).

зображення

OOB network gives it the ability to manage outside the standard network.

According to other sources, a certain government agency requested a way to disable it.

In comes the HAP bit.


SOLUTION OPTIONS

Positive Technologies Researchers Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy discovered a solution to by setting HAP bit to 1.

Enter The High Assurance Platform (HAP)

One of those options to implement the undocumented HAP bit has been me_cleaner. A python script, combined with a single board computer or SPI flasher, Coreboot/Libreboot, providing a more open solution for those (with compatible systems) who wish to reduce IME. You can read more about the process at Coreboot/Libreboot.

This is the standard in recommendations.

Take a look at Coreboot project Here to learn what models are able to make the most of this solution.

Take a look at the Libreboot project Here to learn if you are eligible to the most open firmware available, and how to install/flash it.



COMPANIES KNOWN TO OFFER 'NEUTERING' MGMT ENGINE

Known / trusted options to those who want to save time, or aren't technically savy (but may still wish to own a computer without IME/AMT enabled). Personally offering this service with limited available.

x86-64 INTEL


⭐ 🐧 COREBOOT 💻 LAPTOPS (HERE)


*** Support Independent RTP Work Here + Get Core boot laptop (IntelME Neutered / Disable) available (US, at present) (Contact / explore "commissions")
Perfect for GNU/Linux, Tails, Whonix, Qubes (limited availability - refurbish / CPU thermal repasting)


OTHER OPTIONS (or grab here to support this):

Raptor Computing Systems - High quality open source hardware with PowerPC processors. Read about the Talos II Here.

System76 - offering open firmware on all laptops according to This Blog Post.

Minifree - founder of Libreboot now offers libreboot / coreboot laptops (to support dev)

Star Labs - Read about models without IME.

Purism - Learn more Here.

DELL- Select business models offer ability to buy inoperable (see screenshot below)

зображення



ARM BASED SOLUTIONS

Moving to an (open as possible) Arm based system is yet another possible option to avoid Intel MGMT Engine/AMT (as some of my videos cover use of).

Pine64 - I own a Pinephone, Pinetab, and A64 LTS (Single Board Computer). Geek toys! Should mention not something an average user (ie: Windows) user may be comfortable with (yet).

Using Arm has been one active choice/changes I've made (in my own computing) to distance from Intel Management Engine / AMT existence.

Purism - I haven't used Purism's products yet, but they do make Arm devices as well as their above mentioned x86 IME disabled listed above.

Many computer makers are making moves towards Arm (including Apple - I am not making a recommendation especially after the filescanning plans, application sharing over network, but M1 chip progress is worth mention)

(ex: Linux loving Tinkerers who don't mind learning their way around Linux may like the Pinebook Pro as a possible option; Still, I don't recommend the average Windows user buying one. Expected Linux experience to fully appreciate at this time.)

(There are likely other good options and am open to suggestions in the comments)


MODERN HARDWARE SOLUTION

Changing Motherboards: https://hackaday.com/2020/06/16/disable-intels-backdoor-on-modern-hardware/


MITIGATION (*POSSIBILITIES - UNTESTED)

MEBx

NOTE: Setting "disable" inside BIOS does not necessarily disable IME. Reports suggest "Disable" from inside BIOS resets settings and default password back to 'admin.' This is not what you want.

You can try is disabling it inside the MEBx configuration by first enabling IME/AMT in BIOS, then pressing CTRL-P at boot to enter the MEBx setup. Find the disable option inside MEBx.

зображення

Performing the above is certainly better than nothing, though I have seen reports to suggest otherwise (will add link here if able to find this post on Intel's forum).

FIREWALL

Block (default) AMT related ports from your hardware based firewall (not the local machine). Ports: 5900, 16992-16995, 623 and 664.

CLEARING UP MISCONCEPTION: No you can't firewall off (or even detect) IntelME/AMT packets locally, on the same/local machine. These packets are not undetectable to any software running on said operating system (there is a demo on YT).

TIP: Where possible, attempt to block (potential) hardware based backdoors at router level...


We cover firewalling in the future, and I will be continuing to work on RTPBOX (short for: 'RightToPrivacyBOX'), and sharing scripts within, as able.


NOTE: There are many unknowns about Intel AMT. This writeup is based on what we do know.

(I may share more ideas related to this subject in coming posts)


Thoughts, comments and questions welcome.

😀 Thank you for Sharing this (Telegram/Social media + everywhere).

Don't forget to follow at the links below.

----------------------------------------------------------------------
🧅🔐 ANONYMOUS GITEA (.onion): Books, Code/Scripts, Wiki, more (make a repository)
🧅🔐 PASTEBIN (.onion): options- password protect, zk-256bit, "Burn After Reading" + more
----------------------------------------------------------------------
🤗 SUPPORT OPTIONS (If you like to)

XMR:48qtspi5En44mJZLeiMoHYFEmuJfQYb5DLQxLDr7d1NXc53XaAvoT8PS3wBrhEc3VY1wxu5Rgw6oKBYgahpSAYnpHntbQNM
💲CASHAPP: $HumanRightsTech
✍🗒🎞 Politictech BMC Membership (monthly supporter option + member messages)
🎁 EXTRAS: Unique extra Services (get something back for your support)
💳 Politictech Main Page: (info + current Crypto)
----------------------------------------------------------------------
FOLLOW:
✍🗒MASTODON
🐦 TWITTER
🎞 PEERTUBE
🎞 BITCHUTE
🎞 ODYSEE
---------------------------------------------------------------------
CONTACT
-------------------------------------------------------------------------
THANK YOU for Sharing this, Liking, and Subscribing.
-------------------------------------------------------------------------
If you aren't registered for Odysee I'd love to see you over there.
Use my invite link: https://odysee.com/$invite/@RTP
--------------------------------------------------------------------------

Подобається цей допис?

Купити для 🥷 (RTP) Privacy Tech Tips 📡 кава

Більше від 🥷 (RTP) Privacy Tech Tips 📡