Is Intel Active Management Technology (Intel® AMT) really a snooping technology?

I happened to come across this article talking about the potential risk of Intel® AMT technology. The article goes on to say, "But what if it were hacked? Or what if they hacked it?"

And got access to the data stored in the non-volatile memory? Hmmm... I don't think so.

IT administrators managing large networks of computers have been screaming for a solution that lets them monitor systems and repair them remotely (in a secure way, obviously), thus simplifying the overall support overhead. The information stored in the non-volatile memory is very limited and is there only for this purpose, and the technology solves a real IT problem.
Some users are claiming here that "It'll get out, it'll be compromised. Count on it. And, the best part, your computer doesn't even have to be turned on!"

On the other hand, Intel AMT is designed to do exactly the opposite: to improve security and compliance in the enterprise computing environment. And Intel engineers have put their best minds together to architect a secure solution. Read more here.

"Attacks via the internet are on the increase, and some have suggested the proceeds from cyber crime exceeded revenues from the sale of illegal drugs in 2005. Managing a "farm" of hundreds or thousands of "zombie" PCs to use as tools for spreading spam and malware can be a profitable business venture. As long as modifications can be made to Operating System components, individual PCs attached to networks are exposed."

I am bringing this topic up in this blog to discuss it head-on. I am curious to see what the users of this community (who are actively developing applications using Intel AMT technology) and the Intel AMT technical experts really think. Well, is this really a problem?


Comment:

As in most things, I think it depends. For starters, yes, AMT has certificate-based security that is hard to break, but anyone who has set up good security knows it's a pain in the butt, and many skip it.

The web-based configuration interface is secure, but not to the same level. Lazy admins could leave holes.

That said, you can't get to the OS through AMT unless you have already compromised the OS, in which case, who cares that you hacked the management engine.

Mostly, if you work hard to hack the system, you could be annoying and reboot systems. That was fun in college (when we used to flood-ping Macs to reboot them), but not a target-rich environment.
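The comment above makes the practical point: the certificate-based provisioning is strong, but the web-based configuration interface is where a lazy setup leaves holes. The first thing a security engineer would want is an inventory of which hosts expose AMT's web interface at all, and whether they expose it without TLS. The following is an added example, not code from the original post or from Intel; it assumes the standard AMT listener ports (16992 HTTP, 16993 HTTPS, 16994/16995 redirection) and the "Intel(R) Active Management Technology" banner that AMT's embedded web server sends in its Server header. The sample HTTP response it parses is constructed for illustration.

```python
"""Inventory check: does a host expose Intel AMT, and is it plaintext or TLS-only?

Added example (not from the original post). Port numbers and the Server banner
are assumptions based on AMT's standard defaults; SAMPLE_RESPONSE is constructed.
"""
import socket
import sys

# Standard Intel AMT listener ports (assumed; the thread does not list them).
AMT_HTTP = 16992        # web UI / WS-Management, plaintext
AMT_HTTPS = 16993       # web UI / WS-Management, TLS
AMT_REDIR = 16994       # SOL / IDE-R redirection, plaintext
AMT_REDIR_TLS = 16995   # SOL / IDE-R redirection, TLS
PLAINTEXT_PORTS = (AMT_HTTP, AMT_REDIR)
TLS_PORTS = (AMT_HTTPS, AMT_REDIR_TLS)

# Constructed sample of the 401 an AMT web server answers with on 16992.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 5.0.2\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF", nonce="abc", qop="auth"\r\n'
    b"Content-Length: 0\r\n\r\n"
)


def parse_server_header(raw_response):
    """Return the value of the Server: header in a raw HTTP response, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None


def is_amt_banner(server_header):
    """AMT's embedded web server identifies itself in the Server header."""
    return bool(server_header) and "Active Management Technology" in server_header


def classify(open_ports, server_header):
    """Turn a port scan plus banner into the finding an auditor cares about."""
    open_ports = set(open_ports)
    plaintext = sorted(open_ports & set(PLAINTEXT_PORTS))
    tls = sorted(open_ports & set(TLS_PORTS))
    if plaintext:
        tag = " (banner confirms AMT)" if is_amt_banner(server_header) \
            else " (no AMT banner seen; verify manually)"
        return "PLAINTEXT: AMT ports %s accept connections without TLS%s" % (plaintext, tag)
    if tls:
        return "TLS-ONLY: AMT reachable only on TLS ports %s" % tls
    return "NONE: no AMT listener detected"


def scan_ports(host, ports=PLAINTEXT_PORTS + TLS_PORTS, timeout=2.0):
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass                                  # closed, filtered, or unreachable
    return open_ports


def fetch_banner(host, port=AMT_HTTP, timeout=2.0):
    """GET / on the plaintext port and return the Server header (or None)."""
    request = b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode()
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            while b"\r\n\r\n" not in data:        # read until end of headers
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_server_header(data)


def audit(host):
    """Scan one host; returns (open_ports, server_header, verdict)."""
    open_ports = scan_ports(host)
    banner = fetch_banner(host) if AMT_HTTP in open_ports else None
    return open_ports, banner, classify(open_ports, banner)


if __name__ == "__main__":
    for target in sys.argv[1:]:
        ports, banner, verdict = audit(target)
        print("%-20s ports=%s banner=%r\n  %s" % (target, ports, banner, verdict))
```

Run it as `python amt_audit.py host1 host2 ...` against your own fleet. A host that reports PLAINTEXT is the case the comment warns about: the management interface is reachable without TLS, so credentials and session contents cross the wire unprotected and the fix is to reprovision in TLS mode and turn the plaintext listeners off.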

Comment:

We can trust this technology if and only if three things happen:

1) Intel offers a mode where the owner of the machine holds the ultimate key/certificate and there are no backdoors beyond his control. (This need not be the default mode. But it must exist and be documented.)

2) The network protocol is documented completely. (No hidden features, undocumented options, and so on.) Users must be able to completely understand what they are allowing to be done remotely.

3) Intel specifically warrants and guarantees that there are no surprises, that is, there is nothing intentionally put in that is not in the documentation. Intel must also warrant that the code and silicon design have been audited for backdoors and that all updates and new versions will be similarly audited.

ajay-mungara (Intel):

Thanks for pointing out what is expected from the user to guarantee that the Intel AMT technology is not a snooping technology. I will work with the product engineers and respond to your points in a follow-up blog entry.

ajay-mungara (Intel):

Thanks for your comment, David. I am posting the response to your comment, but feel free to respond back if you find that this response does not adequately address your concerns.

Intel AMT, being a manageability technology, puts a lot of ownership and control in the hands of the IT administrators. The whole reason for the IT department to manage the computer is to enforce standards and compliance with any corporate standards. The actual keys are stored and managed centrally by the IT administrator. AMT also has a capability for the owner of the machine to establish ownership by setting the password in the BIOS, so they can determine who has access to the machine by controlling the password.

There already exists a lot of documentation. We also should admit that we can do a better job at documentation. All major interfaces and APIs are fully documented, but there are a few local interfaces that we are still working on documenting fully; they will be made available on this community website very soon.

Auditing and security is something Intel is very strong at. We have had numerous deep security, privacy and code reviews internally and externally to uncover any exposures or risks that our implementation may have. We have done a lot of work in this area.

Comment:

I am curious why every time I log in to the PC, I get a box that pops up notifying me of the AMT. I find this particularly annoying for end users, and there is no way to disable the notice. Thanks!

ajay-mungara (Intel):

Hi Lori,
I am sure there must be a way to disable the notice. I posted your question to our discussion forum, which is monitored by Intel technical experts. Please refer to this URL for a response.

Ajay Mungara

ajay-mungara (Intel):

Hi Lori

One of our engineers "Ylian" responded to your question on the forum:

"That's an excellent question, I can't tell you just how annoyed I am myself by that pop-up message. Personally, I run "msconfig" and remove all Intel AMT auto-run applications and services except for the LMS service, which is useful for accessing Intel AMT (the Intel AMT HECI driver). At this point, I do it so fast each time I set up a new computer, I don't even notice I am doing it anymore.

I imagine that the popup addresses some sort of privacy issue. On my own computers this is certainly not an issue. It would be nice if this app included help to explain what Intel AMT is to users and why this warning would be useful.
Ylian (Intel AMT Blog)"

This really looks like an annoying problem. Thanks for your feedback. I will take this back to the product team.

Ajay Mungara

ajay-mungara (Intel):

Hi Lori,
You can find the instructions to disable the AMT privacy popup in the following blog post.

Thank you for bringing this to my attention. Appreciate it.

ajay-mungara (Intel):

@text to speech: Can you be more specific about the new technology you are talking about? I have heard about a couple of things that are in the pipeline, but I am not sure which one you are referring to. It is actually a good thing that we are seeing more and more products with the remote PC management capabilities.

kylezo:

Ok, I hate to open this can of worms, but I am a non-business-oriented end user and I want to completely remove AMT functionality from my computer, including all associated software, processes, services, etc. I uninstalled everything, but then every time I start the machine up I get a "Found New Hardware" installation wizard. So I tried to disable the devices in question (PCI Simple Communication Controller PCI\VEN_8086&DEV_2A44 - Intel Management Engine Interface and PCI Serial Port PCI\VEN_8086&DEV_2A47 - Active Management Technology - SOL [Serial Over LAN]) and the prompt still came up each startup. So I went looking for the drivers for only these 2 devices, and HP Business Support linked me to a 'SoftPaq' that included all the software and services (I should have guessed, even though I explicitly asked them if this included the software and services and they said no). Of course, it also included the drivers.

So, I am back to square one (ok well, not really, the REALLY hard part was removing all that ActivClient crapware from my machine). Any advice on how to get this off my computer completely? Installing the device drivers would be fine if it didn't come with all the software and services.

As it stands, with HP support, my case has been 'escalated' to a Supervisor and I should expect a call within the next 24-48 hours.

So, any ideas with this?