2 Replies Latest reply on Mar 3, 2018 1:22 AM by Anti_Fukushima_@bye.Intel.ME

    Circumventing Intel ME / AMT "hacker software"


      Intel's ME toolkit founder Ylian Saint-Hilaire describes AMT as "Hacker Software" in this video here (same as above). Recently his statements have been demonstrably proven.

      1a. What are the various methods Intel offers their users to disable this "hacker software" built into our computers, i.e. how can we disable Intel ME?
      1b. How effectively will an aftermarket NIC protect Intel users against this Intel ME "hacker software"?
      2. Can Intel ME bridge or interface with aftermarket network cards over Serial, USB, PCI or PCI Express bus, or through a live O/S?
      3. How effectively will using an aftermarket NIC protect its users against a compromised ME chip?

      I have an older system; its firmware has not been supported by the OEM manufacturer since 2009. It hosts an ICH10R chipset. I have considered using methods like me_cleaner to permanently remove the bulk of ME from my system.
      However, this requires hardware flashing with external aftermarket components and comes with the risk of bricking the system. If Intel or the community working around the clock to mitigate this serious threat do not come out with a simple patch to effectively disable Intel ME, like the HAP bit (High Assurance Platform) given to the NSA when Intel ME was first created, this leaves its users no choice but to hard-flash their chip. Given the inherent dangers, this could easily far outweigh the cost. As of the time of this post, Intel users are forced to buy an entirely new system or wait for Intel to release a patch. A patch to maintain "hacker software" practically no Intel users actually want, use or need. It's all fine and great for those who actually do, but I'll leave it to you to guess the percentage that actually use it. Patching "hacker software" to make it "safer". Wow, that doesn't sound like it'll end very well. It is a cat and mouse game that will go on and on ad infinitum until the bulk of Intel ME is disabled altogether. If there is nothing to fix, why break it? Seeing as this affects billions of devices around the globe including ATMs, industrial applications, banks, corporations, literally everything... it is clearly becoming the single greatest computer security threat in existence. I highly doubt, for example, that nuclear plant operators will be sitting around waiting for Intel to release the next patch while their facilities are undergoing a full-blown meltdown.


      In my efforts to mitigate this threat I have ordered an aftermarket Ethernet card, which I bought for its OTP (one-time flash memory) qualities. There is no onboard flash ROM to hack. I don't want to bypass Intel ME with an aftermarket NIC that could be reprogrammed to do something similar or to allow OOB pass-through. Chips like the RTL8111G implement ECMA-393, Intel's ProxZzzy [1]. This standard has ME-like qualities: it allows the Ethernet card to remain connected on a network and send and receive packets while the computer is powered off in "sleep" mode. Intel ProxZzzy has an inbuilt packet sniffer that is triggered by specific bits to perform specific functions. ECMA disclosed that Intel's ProxZzzy standard is insecure by design, and ECMA's standard does not "address" the security holes. [1] Quote: "This Standard does not specifically address Security concerns arising out of the proposed proxy protocol design." They admittedly do not disclose the security risks that are currently present. [1] They will disclose that Intel ProxZzzy can be hijacked and used to generate rogue packets and attack the host machine and the network. [1] Quote: "It is possible that an adversary may assume control of the proxy and use the Proxy to launch attacks on the system, on the network, or on other Internet connected machines." [1] According to their documentation, "The 802.11 host and the Access Point (AP) are configured to use a common “Profile” – a set of connection parameters such as band, channel, security, etc. The profile is configured out of band and prior to the host going to sleep." The diagram in the above documentation exhibits out-of-band signals as bypassing all hardware, enabling direct kernel access. Sounds as bad as Intel ME.


      4. Does Intel's ProxZzzy OOB on aftermarket network cards allow interfacing with onboard Intel ME/AMT?


      I have only one suggestion. That is for Intel to offer the public a simple tool to permanently disable the "hacker tool" built into our computers, leaving only the components necessary to allow the computer to boot and run properly.


      Thank you so much for your time.


      Message was edited by: walle

        • 1. Re: Circumventing Intel ME / AMT "hacker software"

          Hi Anti-Fukushima,


          We are working on getting answers for your questions.


          One clarification would help us provide the right information.


          Most of your questions are asking about the Intel® Management Engine (Intel ME), but you also mention Intel® Active Management Technology (Intel AMT) a few times in your post. Are you more interested in how a non-Intel NIC affects the management engine or Intel AMT? The answers can be a bit different. For example, using a non-Intel NIC will make Intel AMT features inaccessible but will not impact the Intel ME.


          • 2. Re: Circumventing Intel ME / AMT "hacker software"

            Hello Ken, thank you very much. Detail on both would be appreciated. Please clarify to the readers as well the differences between Intel ME and AMT and their remote accessibility features.


            According to this link (Vulnerability & Exploit Database, by Rapid7, the developers of Metasploit), AMT is vulnerable to remote exploitation.


            Metasploit, Nessus and other software maintain a database of every vulnerability made public for Windows systems, hardware routers, Intel Management, handheld devices (iOS/Android), Linux distros, etc. For those who don't know how applications like Metasploit and Nessus can be used to attack Intel chipsets, see this:


            According to libreboot, Intel ME is exploitable as well:

            The Intel Management Engine is a severe threat to privacy and security, not to mention freedom, since it is a remote backdoor that provides Intel remote access to a computer where it is present. "The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can’t be ignored."

            Source: https://libreboot.org/faq.html#intelme


            It is important that the readers understand how both Intel ME and Intel AMT are impacted by the presence of aftermarket network cards, and whether AMT or Intel ME could be bridged to use an aftermarket network card once installed. Are you suggesting Intel ME is unaffected and exploitable over a network regardless of the presence and usage of an aftermarket network card? And since you make a distinction between Intel network cards and non-Intel network cards, do some aftermarket Intel network cards allow AMT interaction? Also, please cover the 4 questions listed above, i.e. how to disable the bulk of Intel ME and its exploitable modules, and whether ProxZzzy allows for OOB interaction with Intel ME, etc. Thank you!