Intel Active Management Technology

Hardware-based management has been available on Intel/AMD-based computers in the past, but it has largely been limited to auto-configuration using DHCP or BOOTP for dynamic IP address allocation and diskless workstations, as well as wake-on-LAN (WOL) for remotely powering on systems.

[1][4][5] AMT is designed into a service processor located on the motherboard and uses TLS-secured communication and strong encryption to provide additional security.

[1] Other features require the PC to be powered up (such as console redirection via serial over LAN (SOL), agent presence checking, and network traffic filtering).

[6] Almost all AMT features are available even if the PC is in a powered-off state but with its power cord attached, if the operating system has crashed, if the software agent is missing, or if hardware (such as a hard drive or memory) has failed.

[1][6] The console-redirection feature (SOL), agent presence checking, and network traffic filters are available after the PC is powered up.

[1][6] Intel AMT supports these management tasks:

From major version 6, Intel AMT embeds a proprietary VNC server for out-of-band access using a dedicated VNC-compatible viewer, and has full KVM (keyboard, video, mouse) capability throughout the power cycle, including uninterrupted control of the desktop while an operating system loads.

Clients such as VNC Viewer Plus from RealVNC also provide additional functionality that might make it easier to perform (and watch) certain Intel AMT operations, such as powering the computer off and on, configuring the BIOS, and mounting a remote image (IDER).

[1] It also allows a system administrator to delay deployments and put PCs into use for a period of time before making AMT features available to the IT console.

A full unprovisioning erases the configuration profile as well as the security credentials and the operational and networking settings required to communicate with the Intel Management Engine.

As part of the Intel Management Engine, the AMT OOB communication channel is based on the TCP/IP firmware stack designed into system hardware.

[1][8][20][29] For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down.

AMT version 4.0 and higher can establish a secure communication tunnel between a wired PC and an IT console outside the corporate firewall.

[1][31] The scheme is intended to help the user or PC itself request maintenance or service when at satellite offices or similar places where there is no on-site proxy server or management appliance.

[1] The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional[32] part in all current (as of 2015) Intel chipsets.

[35] Previous versions were based on an ARC core, with the Management Engine running the ThreadX RTOS from Express Logic and storing its state in a proprietary file system named EFFS within the FPT, which also holds the MFS.

Support exists in various Intel Ethernet controllers, exported and made configurable via Management Component Transport Protocol (MCTP).

Security for communications between Intel AMT and the provisioning service and/or management console can be established in different ways depending on the network environment.

As with other hardware-based features of AMT, the security technologies are active even if the PC is powered off, the OS is crashed, software agents are missing, or hardware (such as a hard drive or memory) has failed.

According to the update, "The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use these technologies".

For example, Intel AMT supports IEEE 802.1X, Preboot Execution Environment (PXE), Cisco Self-Defending Network, and Microsoft NAP.

The plug-in and trust agent can store the security profile(s) in AMT's protected, nonvolatile memory, which is not on the hard disk drive.

In particular, it criticized AMT for transmitting unencrypted passwords in the SMB provisioning mode when the IDE redirection and Serial over LAN features are used.

For about 60 euros, Ververis purchased from Go Daddy a certificate that is accepted by the ME firmware and allows remote "zero touch" provisioning of (possibly unsuspecting) machines, which broadcast their HELLO packets to would-be configuration servers.

[12][13] The vulnerability was described as giving remote attackers full control of affected machines, including the ability to read and modify everything.

This allowed anyone to log into the admin account on affected devices simply by editing the HTTP request they sent so that the Digest authentication response field contained the empty string.
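Published analyses of this flaw attributed it to the firmware comparing the expected Digest response against the client-supplied one using a length taken from the client's string, so an empty string compares equal. The following C program is an added illustration of that bug class and its fix; it is not Intel's firmware code, and the expected response value, the sample headers and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed sample: the 32-hex-character Digest response the server expects
 * for the current nonce and credentials. A real server derives this with MD5
 * per RFC 2617; how it is derived is irrelevant to the comparison bug below. */
static const char EXPECTED_RESPONSE[] = "5d41402abc4b2a76b9719d911017c592";

/* Copy the value of response="..." from a Digest Authorization header into
 * out (capacity outsz). Returns false if the field is missing or too long. */
bool extract_response(const char *header, char *out, size_t outsz)
{
    const char *p = strstr(header, "response=\"");
    if (!p) return false;
    p += strlen("response=\"");
    const char *q = strchr(p, '"');
    if (!q || (size_t)(q - p) >= outsz) return false;
    memcpy(out, p, (size_t)(q - p));
    out[q - p] = '\0';
    return true;
}

/* Vulnerable pattern: the comparison length comes from the attacker-controlled
 * field. An empty response gives strncmp(..., 0) == 0, i.e. "authenticated";
 * any correct prefix of the expected value is accepted for the same reason. */
bool digest_check_vulnerable(const char *expected, const char *supplied)
{
    return strncmp(expected, supplied, strlen(supplied)) == 0;
}

/* Hardened: require the full expected length, then compare every byte in
 * constant time so neither a mismatch position nor the length leaks. */
bool digest_check_fixed(const char *expected, const char *supplied)
{
    size_t n = strlen(expected);
    if (strlen(supplied) != n) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(expected[i] ^ supplied[i]);
    return diff == 0;
}

/* Convenience wrapper: parse the header, then authenticate with the chosen
 * comparison. Returns false on a malformed header. */
bool authenticate(const char *header, bool use_fixed)
{
    char resp[64];
    if (!extract_response(header, resp, sizeof resp)) return false;
    return use_fixed ? digest_check_fixed(EXPECTED_RESPONSE, resp)
                     : digest_check_vulnerable(EXPECTED_RESPONSE, resp);
}

int main(void)
{
    /* Constructed sample requests: a legitimate one and an edited one whose
     * response field has been emptied, as described in the text. */
    const char *legit = "Authorization: Digest username=\"admin\", realm=\"Digest:0000\","
                        " nonce=\"x\", uri=\"/index.htm\", response=\"5d41402abc4b2a76b9719d911017c592\"";
    const char *empty = "Authorization: Digest username=\"admin\", realm=\"Digest:0000\","
                        " nonce=\"x\", uri=\"/index.htm\", response=\"\"";

    printf("vulnerable, legit request : %s\n", authenticate(legit, false) ? "accepted" : "rejected");
    printf("vulnerable, empty response: %s\n", authenticate(empty, false) ? "accepted" : "rejected");
    printf("fixed,      legit request : %s\n", authenticate(legit, true)  ? "accepted" : "rejected");
    printf("fixed,      empty response: %s\n", authenticate(empty, true)  ? "accepted" : "rejected");
    return 0;
}
```

The fix has two parts that are both necessary: checking that the supplied value has the expected length before comparing, and never letting attacker-controlled data choose how many bytes are compared.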

In June 2017, the PLATINUM cybercrime group became notable for using the serial over LAN (SOL) capability of AMT as a channel to exfiltrate stolen documents.

[62][63][64][65][66][67][68][69] In November 2017 serious flaws were detected in the Management Engine (ME) firmware by security firm Positive Technologies, which reported a working exploit that requires physical access to a USB port.

[81][82] In 2015, a small number of competing vendors began to offer Intel-based PCs designed or modified specifically to address potential AMT vulnerabilities and related concerns.

A part of the Intel AMT web management interface, accessible even when the computer is sleeping