Disabling Intel AMT on Windows (opens in new tab)

(mattermedia.com)

117 pointsgaia9y ago70 comments

70 comments

41 comments · 11 top-level

beagle39y ago· 9 in thread

I'd be surprised if this actually disables all aspects of ME and AMT. Those things listen when the computer is off, and cause a CPU shutdown when deactivated unless you are work hard to subdue them (recent CCC had a presentation on what's needed).

derefr9y ago

I don't know; presumably organizations like the US military need some way of "hardening" Intel's chips after they receive them. This SCS tool could be how such organizations accomplish that.

semi-extrinsic9y ago

Seeing as we know Amazon can get Intel to make custom Xeon chips specifically adapted for EC2 usage, I'm 100% certain Intel also makes custom chips for military/etc applications that have whatever functionality the customer does (doesn't) want enabled (disabled).

sambull9y ago

Yea they say cut the AMT fuse.

LinuxFreedom9y ago

Please add some substance to your post. Thank you!

zer0tonin9y ago

https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

gaiaOP9y ago

You can run netstat and see it is no longer listening. Now, how you would verify this when the computer is off is beyond me (assuming it is the case - I have not yet been able to go thru the PDF below)

lima9y ago

You misunderstood what ME is - it's not only a piece of software running in your operating system, but also an entirely separate processor that runs its own firmware.

It has its own network stack and entirely bypasses the operating system - you cannot see it listening using netstat, you wouldn't even see the actual communication using Wireshark. It works even when the computer is off (which makes sense for an out-of-band management solution).

derefr9y ago

The thing that was listening is just AMT. The ME consists of a much wider suite of behaviors.

For example: there's an embedded-profile JVM for running Java Card smart-card software, allowing enterprises to deploy crypto auth firmware written for smart-cards directly to the device. This avoids the need to flash, deploy, and manage hardware smart cards, while also preventing the OS from being able to introspect said software's operation. (This particular feature almost sounds like a good thing, doesn't it? It's a programmable TPM!)

3 more replies

algesten9y ago

You can use something like nmap to scan open ports from another machine. Nmap can both do host discovery (find IP addresses) as well as port scans.

https://nmap.org

lima9y ago· 6 in thread

This only disables the Windows driver.

The actual ME co-processor is still running.

gaiaOP9y ago

You are correct, I've updated the HN link title and post's title.

nerdy9y ago

It's still rather misleading, "Completely Disable..."

2 more replies

criddell9y ago

Why do you think Intel doesn't let users turn it off?

api9y ago

Because it's a hardware backdoor in the CPU?

1 more reply

gaiaOP9y ago

And how would you test for that?

lima9y ago

Unless you modified your BIOS with a SPI flasher after disassembling your device, you know it's still running :-)

It would disappear from the PCI bus.

Your commands un-provision AMT (Active Management Technology), the ME feature that apparently has a security issue. Unless you've explicitly enabled AMT, it's not provisioned anyway so this doesn't do anything.

1 more reply

huhtenberg9y ago· 3 in thread

This is taken verbatim from Intel's "SA-00075 Mitigation Guide" [1]

As others have said, it doesn't disable the ME. It merely removes OS-side support for it and resets configuration to non-exploitable state.

The ME itself remains up and running.

[1] https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20...

* To clarify - the original title of this post was something like "Completely Disable Intel Management Engine (finally!)".

gaiaOP9y ago

These step by step instructions were built based on the mitigation guide, which is linked in the advisory. I've updated the HN link title and post's title (see https://news.ycombinator.com/item?id=14253732)

weinzierl9y ago

> It merely removes OS-side support for it and resets configuration to non-exploitable state.

How do we know that the vulnerability is in the OS-side? Has this been established yet?

lima9y ago

It also un-provisions AMT, which supposedly prevent remote exploitation.

2 more replies

Hydraulix9899y ago· 3 in thread

The closest thing I found that could work for Linux is flashing the BIOS manually: https://hackaday.com/2016/11/28/neutralizing-intels-manageme...

In the case of my Thinkpad, I had to open it up and flash the chip using the Raspberry Pi hardware over SPI bus.

Then I found out that removing the Intel Management Engine breaks Hackintosh so I ended up having to put it back.

Another alternative is flashing Coreboot/Libreboot, but this also breaks Hackintosh.

lima9y ago

You'll be happy to hear that this no longer works with newer devices thanks to Intel Boot Guard, which prevents firmware modifications altogether.

orblivion9y ago

I have a Lenovo T440s. My BIOS has an "activate/deactivate/permanently deactivate" setting for AMT. I set it to "deactivate" for now.

Any idea what this buys me?

Their last BIOS update was March 14. I'm hoping their next one has the new firmware.

gaiaOP9y ago

Deactivation merely resets the AMT settings. You can only turn it off by following these instructions.

1 more reply

justinclift9y ago· 3 in thread

Seems Windows specific?

It'd be nice to have something that actually disables these additional Intel "management" chipsets, across all platforms.

gaiaOP9y ago

Yes, windows only for now. The Linux guide is upcoming: https://twitter.com/IntelSupport/status/859437569368567811

hd49y ago

Is that because the exploit only affects Windows? I somehow doubt that but just wanted to be sure.

gaiaOP9y ago

Yes, the exploit is only for Intel ME on Windows, AFAIK.

1 more reply

hd49y ago· 2 in thread

Has AMD done anything similar to this? I'm thinking of what hardware to buy in future, probably going to skip Intel-based going forwards.

SXX9y ago

All AMD CPUs after FX have PSP which is efficiently the same thing as Intel ME and it's also can't be removed / disabled at all since it's participate in CPU boot sequence.

hd49y ago

Oh great. Do we have any viable choice left in avoiding these 'helpful' blackbox modules? Viable meaning something that could run a medium-load server?

3 more replies

wfunction9y ago· 2 in thread

Dumb question: is any of this relevant for someone who only uses Wi-Fi and not ethernet?

Qantourisc9y ago

Assume it's relative, until you can proof your BIOS is unable to communicate with the Wi-Fi adapter. If you are thinking "but it can't connect to a network", your OS will do that for you, at which time it can start communicating.

wfunction9y ago

Isn't the entire point of AMT to allow out-of-band system management? If it relies on the OS to connect to Wi-Fi that would seem to kind of defeat the purpose. Is there any evidence AMT works on Wi-Fi for anybody? I tried pinging my laptop from another machine on the ports listed here and I didn't get any response over Wi-Fi, so I'm not sure how to interpret that.

1 more reply

hackuser9y ago· 1 in thread

Some riskier but possibly more effective solutions for disabling or at least limiting ME (AMT is one application that runs on ME):

https://github.com/corna/me_cleaner

https://hardenedlinux.github.io/firmware/2016/11/17/neutrali...

To be 100% clear, I haven't tried either.

gaiaOP9y ago

See https://news.ycombinator.com/item?id=14253704

Raphmedia9y ago· 1 in thread

Out of the loop: Why would someone want to disable Intel AMT? I gather that there was an exploit?

gaiaOP9y ago

start here http://www.fsf.org/blogs/licensing/intel-me-and-why-we-shoul...

throw20169y ago

This is the kind of brazen backdoor which makes all other security moot. How can anyone depend on security if the cpu is backdoored and anyone can remote your machine irrespective of OS and even whether it is running?

Given the sheer brazenness and scope I wonder why the security folks have been so muted, what can be more important this this?

What ever the benefits of this backdoor for enterprises or any single group imposing it on all users makes it look like a fig leaf. The fact that it is done in consort with AMD and ARM can only lead to the conclusion it is some kind of a mandated NSA backdoor.

There is a huge unresolved dichotomy now of 'democracies' with governments completely and singularly obsessed with their citizens' speech. Having hundreds of thousands of government employees working on monitoring citizens and doing things like backdooring CPUs is the furthest you can get from free societies. Infact it's the opposite.

ajdlinux9y ago

This is copied from the Windows-only SA00075 Mitigation Guide from Intel.

Intel advised me that a Linux version of the Mitigation Guide is coming - https://twitter.com/IntelSupport/status/859437569368567811

j / k navigate · click thread line to collapse

70 comments

41 comments · 11 top-level

beagle39y ago· 9 in thread

derefr9y ago

I don't know; presumably organizations like the US military need some way of "hardening" Intel's chips after they receive them. This SCS tool could be how such organizations accomplish that.

semi-extrinsic9y ago

sambull9y ago

Yea they say cut the AMT fuse.

LinuxFreedom9y ago

Please add some substance to your post. Thank you!

zer0tonin9y ago

https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

gaiaOP9y ago

lima9y ago

You misunderstood what ME is - it's not only a piece of software running in your operating system, but also an entirely separate processor that runs its own firmware.

derefr9y ago

The thing that was listening is just AMT. The ME consists of a much wider suite of behaviors.

3 more replies

algesten9y ago

You can use something like nmap to scan open ports from another machine. Nmap can both do host discovery (find IP addresses) as well as port scans.

https://nmap.org

lima9y ago· 6 in thread

This only disables the Windows driver.

The actual ME co-processor is still running.

gaiaOP9y ago

You are correct, I've updated the HN link title and post's title.

nerdy9y ago

It's still rather misleading, "Completely Disable..."

2 more replies

criddell9y ago

Why do you think Intel doesn't let users turn it off?

api9y ago

Because it's a hardware backdoor in the CPU?

1 more reply

gaiaOP9y ago

And how would you test for that?

lima9y ago

Unless you modified your BIOS with a SPI flasher after disassembling your device, you know it's still running :-)

It would disappear from the PCI bus.

1 more reply

huhtenberg9y ago· 3 in thread

This is taken verbatim from Intel's "SA-00075 Mitigation Guide" [1]

As others have said, it doesn't disable the ME. It merely removes OS-side support for it and resets configuration to non-exploitable state.

The ME itself remains up and running.

[1] https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20...

* To clarify - the original title of this post was something like "Completely Disable Intel Management Engine (finally!)".

gaiaOP9y ago

weinzierl9y ago

> It merely removes OS-side support for it and resets configuration to non-exploitable state.

How do we know that the vulnerability is in the OS-side? Has this been established yet?

lima9y ago

It also un-provisions AMT, which supposedly prevent remote exploitation.

2 more replies

Hydraulix9899y ago· 3 in thread

The closest thing I found that could work for Linux is flashing the BIOS manually: https://hackaday.com/2016/11/28/neutralizing-intels-manageme...

In the case of my Thinkpad, I had to open it up and flash the chip using the Raspberry Pi hardware over SPI bus.

Then I found out that removing the Intel Management Engine breaks Hackintosh so I ended up having to put it back.

Another alternative is flashing Coreboot/Libreboot, but this also breaks Hackintosh.

lima9y ago

You'll be happy to hear that this no longer works with newer devices thanks to Intel Boot Guard, which prevents firmware modifications altogether.

orblivion9y ago

I have a Lenovo T440s. My BIOS has an "activate/deactivate/permanently deactivate" setting for AMT. I set it to "deactivate" for now.

Any idea what this buys me?

Their last BIOS update was March 14. I'm hoping their next one has the new firmware.

gaiaOP9y ago

Deactivation merely resets the AMT settings. You can only turn it off by following these instructions.

1 more reply

justinclift9y ago· 3 in thread

Seems Windows specific?

It'd be nice to have something that actually disables these additional Intel "management" chipsets, across all platforms.

gaiaOP9y ago

Yes, windows only for now. The Linux guide is upcoming: https://twitter.com/IntelSupport/status/859437569368567811

hd49y ago

Is that because the exploit only affects Windows? I somehow doubt that but just wanted to be sure.

gaiaOP9y ago

Yes, the exploit is only for Intel ME on Windows, AFAIK.

1 more reply

hd49y ago· 2 in thread

Has AMD done anything similar to this? I'm thinking of what hardware to buy in future, probably going to skip Intel-based going forwards.

SXX9y ago

All AMD CPUs after FX have PSP which is efficiently the same thing as Intel ME and it's also can't be removed / disabled at all since it's participate in CPU boot sequence.

hd49y ago

Oh great. Do we have any viable choice left in avoiding these 'helpful' blackbox modules? Viable meaning something that could run a medium-load server?

3 more replies

wfunction9y ago· 2 in thread

Dumb question: is any of this relevant for someone who only uses Wi-Fi and not ethernet?

Qantourisc9y ago

wfunction9y ago

1 more reply

hackuser9y ago· 1 in thread

Some riskier but possibly more effective solutions for disabling or at least limiting ME (AMT is one application that runs on ME):

https://github.com/corna/me_cleaner

https://hardenedlinux.github.io/firmware/2016/11/17/neutrali...

To be 100% clear, I haven't tried either.

gaiaOP9y ago

See https://news.ycombinator.com/item?id=14253704

Raphmedia9y ago· 1 in thread

Out of the loop: Why would someone want to disable Intel AMT? I gather that there was an exploit?

gaiaOP9y ago

start here http://www.fsf.org/blogs/licensing/intel-me-and-why-we-shoul...

throw20169y ago

Given the sheer brazenness and scope I wonder why the security folks have been so muted, what can be more important this this?

ajdlinux9y ago

This is copied from the Windows-only SA00075 Mitigation Guide from Intel.

Intel advised me that a Linux version of the Mitigation Guide is coming - https://twitter.com/IntelSupport/status/859437569368567811

j / k navigate · click thread line to collapse