Hackers of India

Intel AMT: Using & Abusing the Ghost in the Machine

By Parth Shukla on 19 Oct 2017 @ Hacklu



Abstract

Come see how Intel AMT can be used to completely own a modern machine permanently and without detection.

In the first half of the talk, we’ll see how an attacker can abuse the legitimate functionalities of Intel AMT to gain long term persistent access with little to no chance of detection. The demoed attack can be executed to take ownership of AMT in less than 60 seconds - either through supply chain or temporary physical access. We will then show how AMT can be used for persistent access to the machine via readily available and easy-to-use C&C tools. Finally, we will cover possible mitigations and preventions against such attacks.

In the second half of the talk, we will walk through the process of doing non-destructive forensics on an Intel AMT to which we don’t know the admin password (i.e. potentially attacker controlled!). We will also describe how to reclaim ownership of the AMT once forensics is complete. Finally, we will be releasing the Linux tooling we developed in order to facilitate AMT forensics.

What is Intel AMT?

Intel AMT is an out-of-band, always-on management technology, embedded into Intel chipsets supporting vPro technology, intended to allow remote management of equipment without the need for a functioning OS. Intel AMT is commonly available on all Intel-based business laptops & desktops as well as many high end consumer laptops & desktops.

AI Generated Summary (may contain errors)


The speaker discussed compromise of Intel Active Management Technology (AMT) and the forensics that follow it. Once a compromise has been identified and forensics is complete, the remaining options are limited. The next steps depend on the laptop vendor: some vendors provide a BIOS option to disable AMT, while others, such as Lenovo, take a different approach.

The speaker emphasized that detection and prevention of AMT attacks are difficult, but mitigation is achievable through verified boot, network detection, and OS-level mitigation. Forensics can also be reliable.

In the Q&A session, the speaker answered questions about ME cleaner (me_cleaner), which disables AMT, and mentioned that it might be a viable option for personal use cases but is complicated for enterprise scenarios.

Another question was about how AMT establishes its own IP address. The speaker clarified that it hijacks the OS's IP settings and does not have a separate IP address the way HP iLO systems do.

A discussion followed about provisioning servers. One attendee suggested using a USB stick to mediate between a computer and the LAN, but the speaker explained why they did not follow that approach, citing limitations with AMT and native LAN adapters.

Finally, an attendee asked if the speaker was aware of any fuzzing work on AMT, and the speaker replied that while they weren’t aware of any specific fuzzing efforts, others have dumped images and explored the technology.