
Disabling Intel AMT on Windows - gaia
https://mattermedia.com/blog/disabling-the-intel-management-engine/
======
huhtenberg
This is taken verbatim from Intel's "SA-00075 Mitigation Guide" [1]

As others have said, it doesn't disable the ME. It merely removes OS-side
support for it and resets configuration to non-exploitable state.

The ME itself remains up and running.

[1] [https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20Mitigation%20Guide-Rev%201.1.pdf](https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20Mitigation%20Guide-Rev%201.1.pdf)

* To clarify - the original title of this post was something like "Completely Disable Intel Management Engine (finally!)".

~~~
weinzierl
> It merely removes OS-side support for it and resets configuration to non-
> exploitable state.

How do we know that the vulnerability is in the OS-side? Has this been
established yet?

~~~
lima
It also un-provisions AMT, which supposedly prevents remote exploitation.

~~~
weinzierl
Ah, I understand. The Mitigation guide says: "Intel highly recommends that the
first in all mitigation paths is to unprovision the Intel manageability SKU to
address the network privilege escalation vulnerability".

Unprovisioning AMT seems to be the essential part and I am curious if the
other steps serve any real purpose.

The Mitigation Guide goes on to say: "Systems that are vulnerable [...] should
be unprovisioned using the tools used to initially configure them [...] As an
example, the Intel AMT Configuration Utility [...]"

So ACUConfig is just an example and specifically not the Intel recommended
way. OP doesn't say that.

~~~
gaia
ACUConfig _is_ the Intel recommended way, per the mitigation guide (at least
for now, until a patch is released).

~~~
weinzierl
Quote from the Mitigation Guide:

"Systems that are vulnerable [...] should be unprovisioned using the tools
used to initially configure them [...]"

------
throw2016
This is the kind of brazen backdoor which makes all other security moot. How
can anyone depend on security if the cpu is backdoored and anyone can remote
your machine irrespective of OS and even whether it is running?

Given the sheer brazenness and scope I wonder why the security folks have been
so muted, what can be more important than this?

Whatever the benefits of this backdoor for enterprises or any single group,
imposing it on all users makes it look like a fig leaf. The fact that it is
done in concert with AMD and ARM can only lead to the conclusion it is some
kind of a mandated NSA backdoor.

There is a huge unresolved dichotomy now of 'democracies' with governments
completely and singularly obsessed with their citizens' speech. Having
hundreds of thousands of government employees working on monitoring citizens
and doing things like backdooring CPUs is the furthest you can get from free
societies. In fact it's the opposite.

------
lima
This only disables the Windows driver.

The actual ME co-processor is still running.

~~~
gaia
You are correct, I've updated the HN link title and post's title.

~~~
nerdy
It's still rather misleading, " _Completely_ Disable..."

~~~
eriknstr
I thought so too at first but I guess whereas the title now says "Completely
Disable Intel AMT on Windows", it probably used to say something along the
lines of "Completely Disable Intel ME on Windows".

Edit: The title has been changed again and now reads "Disabling Intel AMT on
Windows". That's better and less confusing.

------
beagle3
I'd be surprised if this actually disables all aspects of ME and AMT. Those
things listen when the computer is off, and cause a CPU shutdown when
deactivated unless you work hard to subdue them (recent CCC had a
presentation on what's needed).

~~~
gaia
You can run netstat and see it is no longer listening. Now, how you would
verify this when the computer is off is beyond me (assuming it is the case - I
have not yet been able to go through the PDF below)

~~~
derefr
The thing that was _listening_ is just AMT. The ME consists of a much wider
suite of behaviors.

For example: there's an embedded-profile JVM for running Java Card smart-card
software, allowing enterprises to deploy crypto auth firmware written for
smart-cards directly to the device. This avoids the need to flash, deploy, and
manage hardware smart cards, while also preventing the OS from being able to
introspect said software's operation. (This particular feature almost sounds
like a _good_ thing, doesn't it? It's a programmable TPM!)

~~~
lima
In fact, AMT isn't listening in the operating system either but directly on
the ME.

What OP removed is probably some sort of OS-level agent that collects
information about the system (installed software, patches, ...).

------
Hydraulix989
The closest thing I found that could work for Linux is flashing the BIOS
manually: [https://hackaday.com/2016/11/28/neutralizing-intels-management-engine/](https://hackaday.com/2016/11/28/neutralizing-intels-management-engine/)

In the case of my Thinkpad, I had to open it up and flash the chip using the
Raspberry Pi hardware over SPI bus.

Then I found out that removing the Intel Management Engine breaks Hackintosh
so I ended up having to put it back.

Another alternative is flashing Coreboot/Libreboot, but this also breaks
Hackintosh.

~~~
orblivion
I have a Lenovo T440s. My BIOS has an "activate/deactivate/permanently
deactivate" setting for AMT. I set it to "deactivate" for now.

Any idea what this buys me?

Their last BIOS update was March 14. I'm hoping their next one has the new
firmware.

~~~
gaia
Deactivation merely resets the AMT settings. You can only turn it off by
following these instructions.

~~~
orblivion
So that means it's still exploitable over the network? (I thought it would cut
it down to local-only). Lenovo is lying to me when it says "disable AMT"?

Then again, maybe it's not actually enabled, since I didn't use the software
to do so.

~~~
gaia
That is a good question. Lenovo's advisory
([https://pcsupport.lenovo.com/us/en/product_security/ps500104](https://pcsupport.lenovo.com/us/en/product_security/ps500104))
does not explicitly state which AMT status makes it vulnerable, but given that
Intel ME runs no matter what, I'd go for the disable guide.

~~~
orblivion
I did not know about the advisory. Thank you!

------
ajdlinux
This is copied from the Windows-only SA00075 Mitigation Guide from Intel.

Intel advised me that a Linux version of the Mitigation Guide is coming -
[https://twitter.com/IntelSupport/status/859437569368567811](https://twitter.com/IntelSupport/status/859437569368567811)

------
hackuser
Some riskier but possibly more effective solutions for disabling or at least
limiting ME (AMT is one application that runs on ME):

[https://github.com/corna/me_cleaner](https://github.com/corna/me_cleaner)

[https://hardenedlinux.github.io/firmware/2016/11/17/neutrali...](https://hardenedlinux.github.io/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html)

To be 100% clear, I haven't tried either.

~~~
gaia
See
[https://news.ycombinator.com/item?id=14253704](https://news.ycombinator.com/item?id=14253704)

------
hd4
Has AMD done anything similar to this? I'm thinking of what hardware to buy in
future, probably going to skip Intel-based going forwards.

~~~
SXX
All AMD CPUs after FX have PSP, which is effectively the same thing as Intel ME,
and it also can't be removed/disabled at all since it participates in the CPU
boot sequence.

~~~
hd4
Oh great. Do we have any viable choice left in avoiding these 'helpful'
blackbox modules? Viable meaning something that could run a medium-load
server?

~~~
SXX
There is a chance that POWER8 and future POWER9 based hardware might work, but
it's very expensive. There was already an attempt to create backdoor-free
hardware, but for now it has failed:

[https://www.raptorengineering.com/TALOS/](https://www.raptorengineering.com/TALOS/)

~~~
hd4
Dark times when even good old AMD is doing anti-consumer crap. I don't even
get how this is helping their cause against Intel. They could have simply not
done the stupid things Intel is doing and carved a niche. But this is just
showing they want to be another Intel, not a better Intel.

~~~
striking
AMD has recently stated they'd like to do something about this during an AMA
on reddit:
[https://www.reddit.com/r/Amd/comments/5x4hxu/we_are_amd_crea...](https://www.reddit.com/r/Amd/comments/5x4hxu/we_are_amd_creators_of_athlon_radeon_and_other/dekwva9/?context=3)

This probably won't happen for a while, though...

~~~
SXX
The fact that anyone official commented on the matter is a big deal, but it's
still worth nothing and changes nothing. AMD for instance has proprietary
firmware on the GPU too, and their highly technical Linux staff (John Bridgman
and others) confirmed many times they simply can't open it even if they wanted
to, due to all the DRM-related certification, agreements with IP partners, etc.

And it's much worse in the case of PSP because first of all it's ARM IP and
they wouldn't be able to change anything without an agreement with them. Also,
after a little Google-fu I found an interesting document:

[http://fileshare.arseniyshestakov.com/mirror/AMD_PSP_Briefin...](http://fileshare.arseniyshestakov.com/mirror/AMD_PSP_Briefing_to_Indian_Army.pptx)

That's a mirror, but you can easily find the source. So AMD actually pitches it
not just to governments, but also to defence institutions, and this is just
much, much worse than the story with DRM.

------
wfunction
Dumb question: is any of this relevant for someone who only uses Wi-Fi and not
ethernet?

~~~
Qantourisc
Assume it's relevant, until you can prove your BIOS is unable to communicate
with the Wi-Fi adapter. If you are thinking "but it can't connect to a
network", your OS will do that for you, at which time it can start
communicating.

~~~
wfunction
Isn't the entire point of AMT to allow out-of-band system management? If it
relies on the OS to connect to Wi-Fi that would seem to kind of defeat the
purpose. Is there any evidence AMT works on Wi-Fi for anybody? I tried pinging
my laptop from another machine on the ports listed here and I didn't get any
response over Wi-Fi, so I'm not sure how to interpret that.
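
The two checks mentioned in this thread (gaia's netstat on the host, and wfunction's probe of the AMT ports from another machine) are not equivalent: AMT's listeners are served by the ME's own network stack, so they never show up in the host OS's socket table, and only the probe from a second machine tells you whether the attack surface is still reachable. As an added example, not from the linked blog post or from any commenter, here is a small Python TCP-connect probe of the well-known Intel AMT/ASF ports. The port list is Intel's standard AMT set; the target address in `main` is a placeholder you replace with the managed host's IP, and the probe is meant to be run from a different machine on the same network (ideally while the target is powered off or in the BIOS, which is exactly the case netstat cannot cover).

```python
"""Probe a host from a second machine for the TCP ports Intel AMT serves
out of the Management Engine's own network stack.

Added example, not code from the linked post. The port list is Intel's
standard AMT/ASF set; the default target below is a placeholder address
(assumption) that you replace with the host under test.
"""
import socket
import sys
from typing import Dict, Iterable, Optional

# Well-known Intel AMT / ASF listeners. These are answered by the ME
# firmware, not by Windows, so they do not appear in netstat on the host.
AMT_PORTS: Dict[int, str] = {
    16992: "AMT HTTP (WS-Management / web UI)",
    16993: "AMT HTTPS (WS-Management / web UI over TLS)",
    16994: "AMT redirection (SOL / IDE-R)",
    16995: "AMT redirection over TLS",
    623:   "ASF/RMCP remote management",
    664:   "ASF/RMCP secure",
}


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port succeeds within timeout.

    A refused or timed-out connection (both raise OSError) counts as closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_amt(host: str, ports: Optional[Iterable[int]] = None,
              timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every AMT port (or a caller-supplied list) and return {port: is_open}."""
    port_list = list(AMT_PORTS) if ports is None else list(ports)
    return {p: probe_port(host, p, timeout) for p in port_list}


def amt_exposed(results: Dict[int, bool]) -> bool:
    """Any reachable listener means the ME is still answering on the network,
    i.e. the SA-00075 network attack surface has not gone away."""
    return any(results.values())


def main(argv) -> int:
    # 192.0.2.10 is an RFC 5737 documentation address used as a placeholder.
    host = argv[1] if len(argv) > 1 else "192.0.2.10"
    results = probe_amt(host)
    for port in sorted(results):
        state = "OPEN" if results[port] else "closed"
        print(f"{host}:{port:<6} {state:<7} {AMT_PORTS.get(port, '')}")
    if amt_exposed(results):
        print("AMT is still reachable from the network; unprovisioning did not take effect.")
        return 1
    print("No AMT listener reachable on the standard ports.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 probe_amt.py <target-ip>` from a machine other than the one being checked. A closed result on all six ports after unprovisioning is the evidence the thread is asking for; an open 16992/16993 means the ME is still serving AMT regardless of what the Windows driver or netstat says.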

~~~
dboreham
Generally these things don't work over WiFi because the special back-channel
between the NIC and the management CPU isn't there for WiFi NICs. But as
others have said, it is in theory possible if someone were to build the
required communication path into their NICs.

------
justinclift
Seems Windows specific?

It'd be nice to have something that actually disables these additional Intel
"management" chipsets, across all platforms.

~~~
hd4
Is that because the exploit only affects Windows? I somehow doubt that but
just wanted to be sure.

~~~
gaia
Yes, the exploit is only for Intel ME on Windows, AFAIK.

~~~
throwaway2048
This is not accurate

------
Raphmedia
Out of the loop: Why would someone want to disable Intel AMT? I gather that
there was an exploit?

~~~
gaia
start here [http://www.fsf.org/blogs/licensing/intel-me-and-why-we-should-get-rid-of-me](http://www.fsf.org/blogs/licensing/intel-me-and-why-we-should-get-rid-of-me)

