Intel Active Management Technology
Intel Active Management Technology (iAMT) is a proprietary lights-out management system developed by Intel for the administration and remote maintenance of computer systems based on Intel vPro. iAMT has its own hardware component that is independent of the rest of the computer system, the Intel Management Engine (Intel ME), which is built permanently into all current Intel chipsets as a dedicated microcontroller such as the Intel Quark.
This autonomous microcontroller is powered by the permanent 5 V standby supply of the power supply unit and therefore runs whenever the computer system is connected to mains power, even if it has not been switched on. The microcontroller has its own internal interfaces and an externally accessible Ethernet interface. Independently of the actual computer system, all system components can thus be accessed, even if the computer system is in a non-functional state or is switched off. The software side of iAMT consists of firmware modules stored permanently in the system, among them a web server that allows access to iAMT via a web browser.
iAMT is used in practically all desktops, servers and tablets based on Intel vPro. These include the Intel Core i3, i5 and i7 series and the Intel Xeon processor families.
Because of the extensive control that iAMT grants over a computer equipped with it, adequate protection against unauthorized access is required. Not all functions of iAMT are fully disclosed; some of them can only be determined by reverse engineering.
Functions
The basic functions of iAMT include resetting the computer, switching the power supply on or off, and redirecting the keyboard, mouse and screen output over the network in the form of a built-in KVM switch. It is also possible to make changes in the BIOS of the computer system or to reprogram the BIOS, and to redirect the serial interfaces, including boot messages, over the network. Newer iAMT firmware, from version 6 onwards, additionally offers access to the graphical desktop of the computer system via Virtual Network Computing (VNC) and the monitoring of network traffic for certain patterns.
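Because the management web server described above answers on its own ports, with HTTP Digest authentication and optionally TLS, an administrator can inventory which machines have iAMT enabled, and whether they answer on the plaintext port, by looking at the response headers. The following audit helper is an added example written for this page, not Intel code or a tool the article mentions. It assumes that the AMT web server reports itself in a `Server:` header as "Intel(R) Active Management Technology <version>" and issues a Digest challenge whose realm begins with "Digest:", and that the plaintext and TLS ports are 16992 and 16993; the HTTP responses embedded below are constructed samples, not captures from real hardware.

```python
"""Classify an HTTP response from a management port as an Intel AMT web
server (or not), extract the advertised AMT version and derive audit
findings.  Added example for inventory/audit purposes; not Intel code.

Assumptions (verify against your own hardware):
  * Server header reads "Intel(R) Active Management Technology <version>"
  * the Digest challenge uses a realm starting with "Digest:"
  * port 16992 is the plaintext port, 16993 the TLS port
The sample responses at the bottom are constructed, not captured.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

AMT_PLAINTEXT_PORT = 16992   # assumed plaintext HTTP port of the AMT web server
AMT_TLS_PORT = 16993         # assumed TLS port of the AMT web server

SERVER_RE = re.compile(
    r"Intel\(R\)\s+Active Management Technology\s+(\d+(?:\.\d+)*)", re.I)
DIGEST_RE = re.compile(r'Digest\s+realm="(?P<realm>[^"]*)"', re.I)


@dataclass
class AmtFingerprint:
    is_amt: bool
    version: Optional[str]
    major: Optional[int]
    digest_realm: Optional[str]
    plaintext_port: bool   # True if the response came from the non-TLS port


def parse_http_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP response into a lowercase header dict (first value wins)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {"_status": lines[0] if lines else ""}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key not in headers:
            headers[key] = value.strip()
    return headers


def fingerprint(raw: bytes, port: int) -> AmtFingerprint:
    """Decide whether a response looks like the AMT web server and pull the version."""
    h = parse_http_headers(raw)
    m = SERVER_RE.search(h.get("server", ""))
    d = DIGEST_RE.search(h.get("www-authenticate", ""))
    version = m.group(1) if m else None
    # Either the Server banner or an AMT-style "Digest:<hex>" realm counts as a hit.
    realm_hit = bool(d and d["realm"].startswith("Digest:"))
    return AmtFingerprint(
        is_amt=bool(m) or realm_hit,
        version=version,
        major=int(version.split(".")[0]) if version else None,
        digest_realm=d["realm"] if d else None,
        plaintext_port=(port == AMT_PLAINTEXT_PORT),
    )


def findings(fp: AmtFingerprint) -> List[str]:
    """Translate a fingerprint into audit findings for the asset owner."""
    out: List[str] = []
    if not fp.is_amt:
        return out
    out.append("AMT management web server reachable")
    if fp.plaintext_port:
        out.append("management interface answers on the plaintext (non-TLS) port")
    if fp.version:
        out.append(f"advertised AMT firmware version {fp.version}")
    # The article notes that KVM/VNC remote console access exists from AMT 6 onwards.
    if fp.major is not None and fp.major >= 6:
        out.append("KVM/VNC remote console capability (AMT 6 and later)")
    return out


# Constructed sample responses (not captured from real hardware).
AMT_SAMPLE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF0123456789ABCDEF", '
    b'nonce="00a1b2c3d4e5f60718293a4b5c6d7e8f", stale="false", qop="auth"\r\n'
    b"Content-Type: text/html\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
    b"Content-Length: 0\r\n\r\n"
)
NON_AMT_SAMPLE = (
    b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for port, raw in ((AMT_PLAINTEXT_PORT, AMT_SAMPLE), (443, NON_AMT_SAMPLE)):
        fp = fingerprint(raw, port)
        print(port, fp.is_amt, fp.version, findings(fp))
```

In practice the raw bytes come from a plain `GET /` against each inventory host on the two management ports; the parser is kept separate from the network code so that recorded responses can be re-evaluated offline and the classification rules can be unit-tested.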
Vulnerabilities
As early as 2015, the Federal Office for Information Security (BSI) warned of the risks of the AMT remote-maintenance technology and rated the corresponding risk for users as high.
In November 2017 it became known that a number of vulnerabilities in the Intel Management Engine and in the Trusted Execution Engine authentication tool allow computers to be completely taken over. The vulnerabilities affect all management engines shipped since 2010.
Since 2013 there had been technical concerns, clues and speculations about possible back doors in the management engine.
Comparison of the AMT versions
Feature | AMT 1.0 (desktop) | AMT 2.0 / 2.1 (desktop) | AMT 2.5 / 2.6 (mobile) | AMT 3.0 (desktop) | AMT 4.0 (mobile) | AMT 5.0 (desktop) | 6.0 (desktop & mobile) | 7.0 & 8.0 (desktop & mobile) | 9.0 (desktop & mobile) | 10.0 (desktop & mobile) | 11.0 (desktop & mobile) |
---|---|---|---|---|---|---|---|---|---|---|---|
Hardware inventory | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Persistent ID | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Remote power on / off | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Serial over LAN (SOL) / IDE redirect | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Event management | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Third-party data storage | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Built-in web server | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Flash protection | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Firmware update | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
TCP / IP , SOAP XML / EOI | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No | No |
HTTP Digest / TLS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Static and dynamic IP | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
System Defense | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Agent Presence | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Power Policies | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Mutual Authentication | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Kerberos (protocol) | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
TLS-PSK | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Privacy Icon | No | 2.1 and higher | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
ME Wake-on-LAN | No | 2.1 and higher | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Remote configuration | No | 2.2 and higher | 2.6 and higher | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Wireless configuration | No | No | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes |
Endpoint Access Control (EAC) 802.1 | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Power packages | No | No | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes |
Environment detection | No | No | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes |
Event Log Reader Realm | No | No | 2.6 and higher | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
System Defense Heuristics | No | No | No | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
WS management interface | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
VLAN settings for Intel AMT network interfaces | No | No | No | Yes | No | Yes | No | Yes | Yes | Yes | Yes |
Fast Call For Help (Client Initiated Remote Access CIRA) | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Access Monitor | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
MS Network Access Protection (NAP) support | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Virtualization Support for Agent Presence | No | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes |
PC alarm clock | No | No | No | No | No | 5.1 and higher | Yes | Yes | Yes | Yes | Yes |
KVM switch remote control | No | No | No | No | No | No | Yes | Yes | Yes | Yes | Yes |
Wireless Profile Synchronization | No | No | No | No | No | No | Yes | Yes | Yes | Yes | Yes |
Support for IPv6 | No | No | No | No | No | No | Yes | Yes | Yes | Yes | Yes |
Host-based provisioning | No | No | No | No | No | No | 6.1 and higher | Yes | Yes | Yes | Yes |
Host-based over the Internet provisioning | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Zero-touch over the Internet provisioning | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Graceful shutdown | No | No | No | No | No | No | No | No | Yes | Yes | Yes |
Screen blanking | No | No | No | No | No | No | No | No | No | Yes | Yes |
Graceful power operations | No | No | No | No | No | No | No | No | No | Yes | Yes |
Secure erasure of storage nodes | No | No | No | No | No | No | No | No | No | No | Yes |
References
- Positive Technologies Blog: Disabling Intel ME 11 via undocumented mode. Retrieved October 31, 2017.
- Archived copy. Archived from the original on November 1, 2014. Retrieved October 31, 2017.
- Intel Centrino 2 with vPro Technology and Intel Core2 Processor with vPro Technology (PDF). Intel, 2008. Archived from the original on December 6, 2008. Retrieved October 31, 2017.
- Intel Active Management Technology (AMT): A vulnerability enables the system to be taken over. BSI, August 27, 2015. Retrieved February 16, 2018.
- Serious error makes almost all computers with the latest Intel CPUs vulnerable. derstandard.at, November 21, 2017.
- Speculation about secret back doors in Intel chipsets. c't, September 27, 2013. Retrieved February 16, 2018.