While the world has been rushing to deal with the Wannacry ransomware attack, a recent vulnerability in Intel's AMT software, (CVE-2017-5869) has been making equally significant waves, although it is somewhat less widely reported. We're here to explain what AMT is, why it makes you vulnerable to hackers, and how you can mitigate this risk.
AMT Overview
AMT stands for Active Management Technology. It's part of a tool called the Management Engine, which is present on most of the Intel motherboards manufactured during the past decade. It works like this. Intel puts a second, less powerful processor on the motherboard of a computer that system administrators (the people who run an organization's network, aka the IT department) can use to control the computer remotely without interfering with daily operations. From the perspective of the person using the computer, the Management Engine operates invisibly and autonomously. This is considered useful in busy office settings where many computers need to be maintained regularly, but has faced criticism from concerned members of the tech community.
Specifically, privacy and security advocates contend that AMT is too powerful and too autonomous, and that the convenience of remote management isn't worth the risk of someone using it for malicious purposes. Even worse, it's enabled by default, difficult to turn off, and nearly impossible to fully remove. Since the source code is secret, there's no way to publicly audit this near ubiqutious piece of technology for security risks. Although Intel has always maintained that its security practices were good enough to neutralize this risk, we learned earlier this month that this clam is false. In fact, any computer with the Intel Management Engine is vulnerable to a very simple exploit.
How AMT Can Be Hacked
Since AMT has its own direct access to your hardware, it can circumvent local firewalls and can even operate while the machine is turned off, so long as the computer has power and is plugged into the internet. Very handy for reinstalling Windows on a company-owned computer that isn't physically present, but creepy when it’s your personal computer and that power is in the hands of a stranger. The vulnerability, known as "Silent Bob is Silent," allows literally anyone to log into the AMT controls with a script that generates a blank password header. This is a little more complicated than just entering a blank password into the prompt box, but trivial for even the most amateur hacker. And once logged in, can do pretty much anything, from deleting or transferring data to installing software. They can even watching your screen, control your mouse, or use your microphone and webcam.
Partially Delete Management Engine
If you have an Intel processor, you might with a quick search with something like "[Your computer model] vulnerable to amt exploit" and see what comes up. You can get a more in-depth answer by running this tool from Intel, which will tell you if you're vulnerable. It works on Windows 7, 8.1, and 10. (If you’re running GNU/Linux, there’s a comparable tool that can do the same thing. If you're not vulnerable, hurray for you. If you are, there are some things you can do, but none of them are perfect.
Disable Access to AMT's Ports
You can't block access to AMT through your computer's firewall, but you can also disable forwarding to ports 16992, 16993, 16994, 16995, 623, and 664 on your local network (your router, if you're at home). These are the only ports through which AMT can be accessed. If you don't know what this means, contact your IT provider.
Disable AMT
While manufacturers will eventually release updates to fix this bug, most haven't done that yet. In the mean time, Intel recommends disabling Active Management Technology. If you're a power user, Intel offers an in-depth mitigation guide you can use. If you’re not feeling up to that, bartblaze's Disable Intel AMT tool automates that process.
Partially Delete Management Engine
If you’re really fed-up with this AMT nonsense and you just want to get rid of it 100%, your options are limited. The best we can do right now is delete most of it from the bios using a Raspberry Pi computer and a clip that connects to your motherboard. We copy the BIOS to our computer, run a program called ME Cleaner on it to delete most of the Management Engine software from the bios, and then copy the modified BIOS back onto the motherboard. We have to leave just enough of the Management Engine present because Intel chips will shut down every 30 minutes if it isn’t detected, but it is generally believed that a mostly-deleted Management Engine renders AMT unusable. You can read more about this here.
Concerned?
If you want to know more about how this works or need some help mitigating this vulnerability on your network, let us know in the comments below or in the form to the right. You can also contact us here! Thanks for reading, and stay safe.
Photo Attribution: This work is a derivative of Remindr! byChris Radcliff. It is licensed under the Creative Commons Sharealike 2.0 License