Intel AMT - block its access to network hardware forever?

whobeme

Ars Tribunus Militum
2,327
I recently bought a used Lenovo T470 for personal use which has Intel MBE / Intel AMT capabilities. Is AMT on, is it off, who knows? Is somebody trolling through my computer in a manner which I cannot detect? Again, who knows? Apparently Intel AMT can be disabled by entering "control P" during the boot splash screen (assuming W10 has been configured to allow a person to see that screen), then entering the default password ("admin"), creating a new password, and then "disabling" it in one of the menus. Does that really disable AMT? No way to tell really. There are OS level tools which claim to report the status, but I don't trust them. I also don't trust that some future BIOS update won't turn it all back on again. (The BIOS was set to defaults at one point, unclear if these Intel tools deign to respect that.) The main BIOS has a switch to disable AMT, but apparently all it does is disable access via control P, not actually disable AMT itself. (At least that is what I have read elsewhere. Obviously I have no way of knowing if that is actually the case.)

Is it maybe possible to configure Windows 10 or Linux to block access between AMT and the computer's NICs? I'm thinking probably not, since these Intel "features" operate in some world which is outside the normal OS.

Any chance Lenovo has a BIOS variant with this ticking time bomb of a feature removed?
 

theevilsharpie

Ars Scholae Palatinae
1,199
Subscriptor++
Intel AMT needs to be configured to be useful. Even if something somehow activates it, it's not going to go anywhere unless it's networking is configured.

I don't know of any way to disable AMT that you would be satisfied with if you don't trust the "It's off" BIOS toggle. However, you can further render it inaccessible by using a discrete NIC, since the Intel ME OS won't have drivers for anything other than its own integrated devices.
 
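theevilsharpie's point above (the ME only has drivers for Intel-integrated devices, so a NIC from another vendor is outside its reach) can be turned into a quick inventory check. The script below is an added example, not code from the thread or from Intel or Lenovo: it parses `lspci -nn` output, flags whether the host can see the MEI/HECI controller, and splits network devices into Intel-made ones (candidates for AMT use) and non-Intel ones. The sample `lspci` text is a constructed hypothetical machine, not the poster's T470, and the device names and IDs in it are illustrative. The check only reports what the host OS can see, which is exactly the limitation the thread discusses, so it is a triage aid, not proof that AMT is off.

```python
import re
import shutil
import subprocess

# PCI vendor ID of Intel; per the thread, the ME can only drive Intel-integrated devices
INTEL_VENDOR_ID = "8086"
# PCI class codes as printed by lspci -nn: 0200 = Ethernet, 0280 = other network controller
NETWORK_CLASS_IDS = {"0200", "0280"}
# 0780 = "Communication controller", the class lspci uses for the MEI/HECI device
MEI_CLASS_ID = "0780"
MEI_NAME_HINTS = ("HECI", "MEI", "Management Engine")

# Constructed sample of `lspci -nn` output (hypothetical machine, not the poster's)
SAMPLE_LSPCI = """\
00:16.0 Communication controller [0780]: Intel Corporation Sunrise Point-LP CSME HECI #1 [8086:9d3a] (rev 21)
00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection (4) I219-LM [8086:15d7] (rev 21)
02:00.0 Network controller [0280]: Intel Corporation Wireless 8265 / 8275 [8086:24fd] (rev 78)
03:00.0 Network controller [0280]: Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter [168c:003e] (rev 32)
"""

# slot, class name [classid]: description [vendor:device] (rev ..)
LINE_RE = re.compile(
    r"^(?P<slot>\S+)\s+"
    r"(?P<cls>[^\[]+?)\s*\[(?P<classid>[0-9a-f]{4})\]:\s+"
    r"(?P<desc>.+?)\s*\[(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})\]"
)


def parse_lspci(text):
    """Parse `lspci -nn` lines into dicts; lines that don't match the format are skipped."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            devices.append(m.groupdict())
    return devices


def assess(devices):
    """Classify devices by whether the management engine could plausibly reach them."""
    result = {"mei_present": False, "intel_nics": [], "other_nics": []}
    for d in devices:
        is_mei = (d["classid"] == MEI_CLASS_ID and d["vendor"] == INTEL_VENDOR_ID
                  and any(h in d["desc"] for h in MEI_NAME_HINTS))
        if is_mei:
            result["mei_present"] = True
        elif d["classid"] in NETWORK_CLASS_IDS:
            key = "intel_nics" if d["vendor"] == INTEL_VENDOR_ID else "other_nics"
            result[key].append(d["slot"])
    return result


def report(result):
    """Human-readable summary of an assessment."""
    lines = [
        "MEI/HECI controller visible to the OS: %s" % ("yes" if result["mei_present"] else "no"),
        "Intel NICs (reachable by ME firmware, AMT-capable only if vPro-class): %s"
        % (", ".join(result["intel_nics"]) or "none"),
        "Non-Intel NICs (no ME driver, per the thread's reasoning): %s"
        % (", ".join(result["other_nics"]) or "none"),
    ]
    return "\n".join(lines)


def live_assessment():
    """Run the check on the current machine if lspci is installed; otherwise return None."""
    if shutil.which("lspci") is None:
        return None
    out = subprocess.run(["lspci", "-nn"], capture_output=True, text=True, check=True).stdout
    return assess(parse_lspci(out))


if __name__ == "__main__":
    print(report(assess(parse_lspci(SAMPLE_LSPCI))))
    live = live_assessment()
    if live is not None:
        print("\nThis machine:\n" + report(live))
```

An Intel NIC in the `intel_nics` list does not mean AMT is provisioned or even that the part has AMT firmware support; it only marks the devices that the discrete-NIC workaround above is meant to take out of play.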

whobeme

Ars Tribunus Militum
2,327
> I don't know of any way to disable AMT that you would be satisfied with if you don't trust the "It's off" BIOS toggle. However, you can further render it inaccessible by using a discrete NIC, since the Intel ME OS won't have drivers for anything other than its own integrated devices.

This is a laptop. Sure, I could not plug in an ethernet cable and use a USB wifi dongle. However, AMT runs at some level above the OS, so even if the BIOS disabled the wifi, is there any reason AMT could not re-enable it? There is no mechanical "off" switch for wifi on this laptop. It wouldn't need to even have wifi on all the time, just when it wants to phone home, or open a port for something remote to connect to it.

Is there any Intel documentation which states that if the AMT is disabled in the BIOS, then the AMT will not run, and cannot be started by an OS?

Note, I only started to look into this because the laptop would beep at odd times, but there were no notices in the taskbar and no pop-up windows of any sort. Eventually I found that the beeps corresponded to two types of events: Thunderbolt software starting and stopping (spontaneously, there is nothing plugged into that port) and the Intel Management and Security application doing the same. These were both in the hidden icons area of the taskbar, and I happened to be looking there and spotted this activity. The Intel application "general" tab said AMT was enabled and both "enable user notification" and "Intel Management and Security Status will be available next time I log onto Windows" were checked. They have since been unchecked. Note the "I" in the second option, so it is per user, not a general OS setting. The "Intel AMT" tab shows everything disconnected, but that is not the same as "not connectable". The "Advanced" tab says the management engine is not configured, which implies that it won't do anything, but may mean that it is in a default state which would allow some outside entity into AMT through a security hole in AMT.
 

whobeme

Ars Tribunus Militum
2,327
I disabled AMT in the BIOS and now the Intel Management and Security Application doesn't say disabled, it says "information unavailable". Also, the Intel AMT tab disappeared. There was also a BIOS option to "permanently disable" AMT, but I did not want to use that since apparently the only way to invert it is to replace the motherboard, and it is possible that I might sell this laptop at some point and the new owner might want to use AMT.

Note that on the boot after AMT was disabled there was an odd message about "unconfiguring (something)" (I did not write it down), and the system seemed to reboot itself to the splash screen several times before finally progressing to Windows.

I wouldn't bet money that if an intruder achieved remote access to this Windows 10 machine that they could not re-enable AMT, and possibly configure it, from within that OS.