
Intel AMT: Using & Abusing the Ghost in the Machine

BSides Lisbon 2017 · 55:01 · 193 views · Published 2017-11
Speaker: Parth Shukla
Category: Technical
Difficulty: Advanced
Style: Talk
About this talk
Intel AMT is an out-of-band management technology embedded in business laptops and desktops that allows remote control even when the OS is offline. This talk demonstrates how attackers can abuse AMT's legitimate features to gain persistent, undetectable access in under 60 seconds via supply chain or physical access, and then covers forensic techniques for recovering compromised AMT systems and reclaiming ownership without knowledge of admin credentials.
Original YouTube description
Come see how Intel AMT can be used to completely own a modern machine permanently and without detection. In the first half of the talk, we'll see how an attacker can abuse the legitimate functionalities of Intel AMT to gain long term persistent access with little to no chance of detection. The demoed attack can be executed to take ownership of AMT in less than 60 seconds, either through supply chain or temporary physical access. We will then show how AMT can be used for persistent access to the machine via readily available and easy-to-use C&C tools. Finally, we will cover possible mitigations and preventions against such attacks. In the second half of the talk, we will walk through the process of doing non-destructive forensics on an Intel AMT to which we don't know the admin password (i.e. potentially attacker controlled!). We will also describe how to reclaim ownership of the AMT once forensics is complete. Finally, we will be releasing the Linux tooling we developed in order to facilitate AMT forensics.

What is Intel AMT? Intel AMT is an out-of-band, always-on management technology, embedded into Intel chipsets supporting vPro technology, intended to allow remote management of equipment without the need for a functioning OS. Intel AMT is commonly available on all Intel-based business laptops & desktops as well as many high end consumer laptops & desktops.

ABOUT THE SPEAKER: Parth Shukla is a Security Engineer at Google in Switzerland. He works on efforts related to firmware/hardware security as part of the Enterprise Infrastructure Protection team. He worked for Google in Sydney, Australia for 3 years before moving to Zurich, Switzerland. Prior to Google, Parth was an Information Security Analyst at the Australian Computer Emergency Response Team (AusCERT). While at AusCERT, Parth analysed the non-public data of the Carna Botnet that he obtained exclusively from the anonymous researcher of Internet Census 2012.
Parth released a white paper on this analysis (bit.ly/carna-paper) and presented on it at various conferences, including: DeepSec 2013 in Vienna, Austria; Blackhat Sao Paulo 2013 in Sao Paulo, Brazil; APNIC 36 in Xi’an, China and AusCERT 2013 in Gold Coast, Australia.
Transcript [en]

Thank you everyone. So my name is Parth. I work on a bunch of platform security related issues; my main focus, the things I have worked on lately, is firmware integrity verification and firmware management, so things like patching, signing, management, BIOS passwords, etc. Today we'll talk about Intel AMT, how to use it and abuse it. As a warning, I'm a Linux user, so the presentation has a natural leaning towards it.

So here's what I wanted to do when I started working on this presentation: I wanted to explore the best possible attack using legitimate AMT functionality, and I want to highlight that: legitimate AMT functionality. Once I'd explored the attack, I wanted to then present my story of that attempt, all the challenges and roadblocks encountered during a practical attempt, to hopefully showcase the complexities involved for an attacker. You can decide how realistic this is for your scenarios given the various nuances you'll see. I also wanted to present all the available options for people to detect, mitigate or prevent such attacks, and finally present a story of how to do forensics if an attack does happen. So I've got a lot of ground to cover; hopefully we'll do it in an hour.

OK, in this section we'll first start with background: what is Intel AMT, what are its core features, what are the requirements for using it, how do you provision it, what does provisioning even mean. Then we'll quickly look at what AMT has been in the news for lately, and the open source tools that are available for using AMT.

So what is AMT? It's designed to be an always-available solution, even when there is no OS or even when the machine is off. The requirement is that it's available as long as network and power are connected; so even though the machine is off, as long as there's power and network it's supposed to work. AMT is implemented within the Management Engine, the ME. The ME runs on the chipset itself, which is separate from the main processor. Talking about the ME is a presentation in itself, so I won't go into that too much. And since AMT is part of the ME, which is in the chipset, it's effectively hard-coded into hardware. Hopefully you can see why I call it the ghost in the machine, although that title is probably more apt for SMM, System Management Mode, if you've heard of that, but that's a different story.

Anyway, let's take a look at the core features of AMT. AMT allows you to do pretty much everything as if you are physically present: power management, remote power on/off, restart, etc. You can boot off a network image presented as a CD-ROM or a floppy drive to the system; the ME, which is in the chipset, will present a fully emulated IDE CD-ROM drive to the system, so the OS thinks it's a physically plugged-in CD drive. Using the remote floppy we can actually even exfil data; I did that in testing, I mounted a large floppy, which is a 1 GB floppy drive, you know, the different sizes. Then the KVM, so you can observe or take control over keyboard, video and mouse as if you are physically present; again this requires the display to be connected to the integrated GPU, which is usually the case for laptops, and for desktops it depends on whether you have a separate GPU card. Serial over LAN: similar to the CD-ROM, a serial port is emulated by the ME. This has many use cases; one core usage is for managing the BIOS, since most modern BIOSes allow redirecting the screen to serial, so you can reboot with the BIOS redirected to serial, and then from your remote end you can now see the BIOS and manage it.

One of the most interesting features is Client Initiated Remote Access, or CIRA. One use case: users off-site can initiate remote help at boot time; it will work with a broken OS or even with no OS. So the idea is for AMT to connect to an admin server when you're off premise and create a tunnel for support personnel to come back through. This way you can bypass the NAT; it doesn't matter where you are in the world, you connect out to an admin server and you have a tunnel. Now, a CIRA tunnel can also be set to auto-dial at specified times for checking in centrally. This could be to check in for new settings, or it could be to make sure the laptop has not been marked as stolen; so you dial out, check with your admin server, is everything okay? Everything is okay, okay, people can continue to use the laptop. So hopefully you've got a good idea of the core AMT capabilities.

Next, the requirements for having it on your laptop or desktop. There are three steps for being able to use AMT remotely: first is the manufacturer's decision, second is a power setting, basically an on and off setting in the BIOS menu, and the last is AMT setup itself. So, because of the manufacturer's decision, AMT is not present in most consumer devices; from my understanding, the ME module and the AMT module cost extra for manufacturers in licensing fees to include them in consumer devices. But most business desktops or laptops usually come with AMT as an add-on, and it's usually enabled in the BIOS by default. Some of the more beefy-spec consumer devices also come with AMT as an add-on feature. Just because it's enabled in the BIOS doesn't mean it's usable; it has to be provisioned for it to be usable. What does provisioned mean here? It means to activate any of the AMT interfaces for usage. To do that you need to do a bunch of bare minimum settings that must be set, and the process of setting those settings is called provisioning. What those settings are depends on how you provision it, the method, which we'll talk about next.

So let's take a look at the provisioning options, the methods you can use to provision AMT. Generally speaking there are four broad ways you can provision AMT for usage, and there are two provisioning modes once the provisioning is done. The provisioning mode, ACM or CCM, is meant to reflect the level of trust required to complete the setup process: ACM is Admin Control Mode, CCM is Client Control Mode. Note that all of these kind of intermingle and can be used in combination with each other, so try not to think of them as distinct options, as I'll mention in a second. So the local agent on the OS, for example, the first one, requires Intel AMT software to be installed and running as root or admin on the box. You can do this via your own custom tool as well; in that case you obviously need admin privileges and you talk to the Intel ME interface to be able to provision AMT. This method will put you in Client Control Mode, which will give you limited AMT functionality. You can carry out additional steps to transition into Admin Control Mode, but that's a bit more involved, but doable. The second option, the remote option, requires pre-setup at the factory or via a USB to be enabled. In that case what happens is AMT will send hello packets on the LAN for up to six hours after first boot; the very first time a machine is turned on, for up to six hours it'll send hello packets, then it'll turn off. That time period is configurable, just up to 24 hours usually, so it's not a big security flaw. The responding server that responds to the hello packets must present a certificate that's pre-trusted by AMT, and the trusted certificate is configurable as well, again either at the factory or with a USB key. The third option is USB; in that case you put a setup.bin file on a FAT32 USB and configure AMT with it, and this includes configuring the certificates that are trusted as well. So again, like I said, the things intermingle; you can use them with each other. And finally, provisioning can be done physically via the BIOS menu. This is ten easy-to-follow steps that can be carried out in about 30 seconds.

Note that these methods can be used to set further options even after provisioning is technically complete; the line between provisioning versus configuration is a little blurry. To be exact, provisioning can be considered completed as soon as AMT exposes any of its two interfaces; essentially it has two interfaces, local and remote, and this usually happens as soon as you change the default password. AMT has a default password, which is admin; as soon as you change it, AMT is mostly provisioned and it starts listening for API calls. Once provisioning is complete you can access the full set of options and features via the AMT APIs, but you can still use one of these options to set some other settings; it's a bit weird the way it works. Anyway, that's enough on provisioning.

AMT in the news: maybe some of you have already heard of this, a couple of quick mentions. First we have the Intel SA-75 escalation of privilege vulnerability. In short, this is from May I think, this year, I'm sure it was, or maybe it was earlier. In short, HTTP digest auth for AMT could be bypassed with a null or empty response; you just say I don't have a password for you and it goes okay, you're in. To exploit that, obviously AMT needs to be provisioned and an attacker needs to be on the same network to be able to exploit it, so there are kind of two mitigating factors there. A patch is available, so if you haven't patched you may want to do that, but if you don't have a computer, if you don't have a lab, or at work you don't have anything that's actually provisioned AMT, then it may not be so bad for you. The second thing is Platinum: there is malware developed by the Platinum group that was seen hiding communication from the OS by using the serial over LAN that I mentioned earlier. They were using serial over LAN in order to bypass local monitoring on the OS; a lot of times you have OS-level monitoring for network packets, and they were using serial over LAN via AMT so that it couldn't be seen, and nicely exfiltrate data. Now, is there more to come here in this space? I think there is; there is an ME talk scheduled in London probably in a month or so, and it sounds promising.

Finally in this background section, here are quick notes on the tools that are available. Everything is actually in one convenient central place; I used both of these, as well as the older MeshCentral, for my attack in the next slides. It's all open source, and it's actually mostly developed by Intel employees. Yeah, that's it.

OK, so let's go back to looking for the best practical attack using Intel AMT, now that we know a little bit about AMT itself. When I started this exercise, this is what I wanted to achieve. Obviously when I started I didn't know if this was really possible; it seemed likely from the documentation, that's why I started exploring the idea. So

my goal was to (a) control AMT, (b) maintain persistent access, and (c) remain stealthy in the process. Before we proceed to try to achieve those goals, just one quick slide on what we can do afterwards. Assume we've achieved that; what can we do next? Just so you can see an end-to-end goal here. I didn't actually carry any of these out, since there's nothing specific to AMT here; this is not specific to AMT, it's just a general exercise. So if you're a standard attacker, once you have AMT control you can use it to restart the machine, boot your own disk, then, if the disk is encrypted, you can replace the unencrypted boot parts to hijack the disk encryption password, come back a few days later, use the encryption password to replace binaries on disk, and get the machine to connect back to your C&C. You basically have root now. Anyone with repeated physical access to your machine today can do this; the difference with AMT is you can do it with potentially just one-off physical access. The reason I put down "easy to harden" in the difficulty is because the success here depends on a few factors, such as if you have Secure Boot and/or Trusted Boot being used, and even if some or all of those are being used, how the BIOS is protected also contributes. We'll touch on it again when we talk about mitigations later on. As a sophisticated attacker, you can use AMT to restart the machine to your own boot disk again, but this time you can insert a System Management Mode backdoor into the flash chip itself; since we have root on the box, we can talk to the flash chip. This is not as universal as the previous, standard attack, because most machines severely lock down writing to the BIOS region, so that usually complicates your life. Now, did I miss a scenario here? What would you do if you had AMT control on this machine? You can tell me right at the end, at question time.

All right, so let's explore our first aim of getting AMT control. What are our options for provisioning AMT on a target machine? Option (a): we can subvert the supply chain. The complexity is high, or you can say this is medium, it depends on how you define it. The likely attacker is a highly resourced attacker casting a wide net or targeting someone. Provisioning method: anything; you have physical access to the machine, you can do remote setup, you can do USB, you can do the BIOS menu, whatever you like. You can say medium here if you think maybe you'll attack someone who's posted their laptop and the laptop has been left unattended on the street for an hour or so and you'll grab it or something, and it depends on whether you define that as subverting the supply chain. The second option is you have root or admin on the machine already; in this case the provisioning method will be the local agent on the OS. The complexity is high, for a well-secured OS at least, or medium if you think getting root on a box is easy. Another reason for high is because provisioning via the local agent will get you Client Control Mode and not Admin Control Mode. The likely attacker here again is a sophisticated attacker looking for long-term persistence, because if you already have root on the box you kind of wonder why you'd want AMT. Both of these are hard to carry out and unlikely, for different reasons. For the last one, physical access seems the easiest to me, so complexity is low. The likely attacker is someone who's targeting you, or opportunistic; it could be an evil maid type attack or shipment interception. The provisioning method here is either USB or the BIOS menu, so you're assuming you don't have root on the box, you can't log into the machine.

Let's tweak our goals, because I think physical access seems the most likely and easiest to proceed with. So the easiest attack vector requires physical access; desktops are excluded, assuming that desktop facilities are well secured. Laptops also travel and get left unattended; you know, I assume you go out and drink and you leave your laptop in the hotel, so it seems realistic. I've written Lenovo X1 Carbon 2016 here as the target machine, but I've also tested some other machines.

OK, let's talk about some assumptions so we know what our basis is. Firstly, obviously the machine we target has to have AMT. Next, Intel AMT should not have been provisioned already; some BIOSes allow unprovisioning from the BIOS menu but others do not, so if the BIOS doesn't have a password then the attacker can go into the BIOS, unprovision the AMT and then reprovision it with their own password. Thirdly, the MEBx password, which is also known as the ME password, should still be the Intel default, which is admin. This is usually the case; if you buy in large enough quantity you can ask the manufacturer to change this to something else, but unless you're gonna use AMT, why would you do it, right? Finally, either AMT should already be enabled or a BIOS password is not set, so we can enable AMT ourselves. An observation here is HP will not let you enter the AMT setup BIOS menu without the BIOS password, but Lenovo will; hence a BIOS password is not a requirement for our attack, and the Lenovo is what I used.

OK, so here's an ideal attack scenario: look for an opportunity or create a distraction, then, since we'd like to spend as little time as needed to provision and set up AMT, we will use the USB to auto-provision AMT, and then set up AMT to auto-start a CIRA session to call out to my command and control server, and we should be good. That's it, that's what the documentation says should work. Let's see what really happened. So this is the ideal: do this, walk away. Unfortunately there were a few hiccups, so here's what I found trying to do this. The USB provisioning file can be really easily created using the open source software I already mentioned. The USB provisioning worked even when it seemed it shouldn't work; these cases are like: it worked even when there was a password set, it worked even when I had disabled always-on USB, it worked even when I had removed USB from the boot priority order. It just always worked. But the downside was I could only set a very limited number of settings via USB, and the one setting I could not set, that I really wanted to set, was CIRA. But what I could set through USB was a remote provisioning server; what that does is AMT will call out to a remote provisioning server and ask for more settings, which could include CIRA, but I can't set up CIRA directly. So this makes life a little more complicated than I wanted, but that's what I was stuck with.

So I had a couple of options to get CIRA to work. Option A: set the provisioning server via USB and use the provisioning server to push the CIRA settings I wanted. Firstly, the provisioning server will have to be on the same network; it won't work on an external network because responses to the hello packets won't be received by AMT without a CIRA tunnel, which is what I want to set. So we'll need to bring along a Raspberry Pi or something similar running the provisioning server. Secondly, there is no easy to use Linux software for the provisioning server and I don't want to write one; the open source tool that I mentioned earlier is being actively developed and they are gonna add this functionality at some point, so I didn't want to double up the effort. Option B: manual setup through LAN. There's an increased attack time in this case: once the AMT is configured via USB, I would connect the laptop's LAN to my own network and use AMT API calls to set up CIRA, because once AMT is provisioned I have full API access. This adds about thirty seconds to the attack if the API calls are pre-scripted, or about three minutes if you do this via the nice GUI. There's a video from the MeshCentral developer on YouTube titled "MeshCentral2 Intel AMT CIRA"; it's a perfect title, and it shows you exactly how you can do it using the GUI. I ended up going with option B, which is easier for now; I didn't want to rewrite what they're gonna write anyway. In both cases though, you need either a built-in LAN or a native LAN adapter.

So let's update our assumptions slide: for our attack the machine needs to have either built-in LAN or a native LAN adapter, which AMT will use to listen by default. A USB LAN adapter will not work since AMT doesn't listen to it by default. For the X1 Carbon that I was using, it doesn't have built-in LAN but it has a custom LAN adapter, so you can buy this little adapter, it plugs in and is seen as native by the OS and by the system, and then AMT listens to it anyway, so that worked out. From my quick research, I think generally speaking business laptops either have LAN or have an adapter like the X1 to allow for LAN, because they usually like docking stations, so this still seemed like an acceptable assumption to me.

OK, so attack steps: set up USB, set up command and control server, write AMT CIRA script, bring LAN adapter and cable. Execution is: reboot, plug in USB, plug in the LAN cable and adapter, trigger script to set up CIRA, and then walk away. Results: here we are connected into the laptop via CIRA. We can see the CIRA setup: it is configured to dial out to my server every 10 seconds and maintain a persistent tunnel forever as soon as the connection is established. It'll keep trying every 10 seconds depending on whether the internet is up or not, and as soon as it's established it will stay connected so that I can tunnel back in; that's how I'm looking at the screen. MeshCentral2 here, as you can see, takes care of the rest; I don't really have to do anything advanced. I even configured CIRA dial-out over Wi-Fi in case the LAN is down. In this screenshot I'm connected to AMT via a CIRA tunnel which was established over Wi-Fi; you can see the wireless link is up, wired link is down. I also tested KVM over the CIRA tunnel; this was tested over LAN only though. Doing this over Wi-Fi without an OS agent or a helping Wi-Fi driver is a bit complicated: the way it's meant to work is AMT would hand back control of the Wi-Fi radios to the OS whenever the Wi-Fi driver is loaded. In the normal use case, the Wi-Fi driver is meant to pass the messages between AMT and the OS, or an OS agent is meant to take over. I didn't try this as we didn't assume having that level of access from the beginning, because we need kind of root access to be able to load our drivers. But as an attacker you can load the correct driver or agent once you have control; once you have AMT control, then you can load the correct drivers, so you can load your own custom OS which has the correct driver. Some functionality I did not test: remote mounting and booting the disk through MeshCentral is not implemented yet; again it's in active development, so I'll wait a bit and it'll show up. I did test that independently, as I mentioned earlier: I mounted a floppy drive and exfilled some data, just for the fun of it.

So Wi-Fi is a bit of a limit; AMT seems to be most useful when the machine is connected to LAN. Some people do use laptop docks for LAN, but it's not significantly reliable. As mentioned before, Wi-Fi control is handed to the OS when the Wi-Fi driver loads, but the bloated driver which comes with Windows may be the correct one by default. Also, to use Wi-Fi, the profiles for Wi-Fi must be loaded into AMT; AMT supports up to 16 Wi-Fi profiles. The attacker needs to know which local APs are likely to be available and know the credentials, passwords or certs, to use to connect to them. So if you're surrounded by well-known APs then you should care about this a bit more. The boot injection attack I mentioned earlier for a standard attacker is still possible over Wi-Fi: when you boot your custom OS you have two choices, either don't load any Wi-Fi driver, so the radio's control isn't handed over to the OS, or load the correct driver and then connect out through that. Either way is fine; as long as a driver doesn't try to take control of the radio, AMT will keep working. For a full list of limitations with Wi-Fi there is a doc titled "Key differences between wired and wireless Intel AMT support", so you can check that out if you want to know more.

Hopefully you've got a fair idea of what's involved in using AMT for an attack. Despite the Wi-Fi limitations, it definitely seems like something to be worried about since it has such powerful legitimate features. This concludes the attacker-focused side of the presentation. Next: what can us defenders do? It's kind of what I do generally, defense. Let's look at the options we have for detection, mitigation and prevention.

First up, how do we detect when an attacker is abusing the ghost in the machine? Two options. Network based: look for well-known network ports. Remote configuration provisioning requests always call out to TCP 971, which is hard-coded into the ME, so you can look for that on your network, for example. Source ports for AMT-initiated packets, for example CIRA, are always between 16992 and 16995. These are the ports that are reserved for AMT and hard-coded in the ME; they cannot be changed by anyone. The reason for this is because the way AMT listens to API calls, or listens to anything sent to it, is by hijacking the network adapter directly: every packet that goes through the network adapter gets looked at by AMT, and if it matches this port it gets grabbed before the OS sees it. So you can't just listen to all ports, because then the OS won't get any packets, so these ports are hard-coded for a good reason.

CIRA connections can be mutual TLS, but they're always at least TLS. For CIRA, the way it works is the server public key is inserted into AMT at setup time, like I mentioned earlier, either via USB or factory. AMT will then generate a certificate, the private key of which can never be exported, and the server will use that certificate on the command and control side to establish trust. Whenever CIRA is running, all inbound network ports are closed, so you can't probe AMT; but if the attacker is not using CIRA, you can do an AMT port scan and it will respond on 16992. The problem here is: can you really distinguish between AMT traffic and OS traffic if it's all mutual TLS? Most modern OSes hopefully shouldn't reuse AMT ports because they're already reserved, so you should never see OS traffic coming from them. So this detection, like, low-tier, is possible in my opinion. The second option you can do is have an OS agent running on your OS; the OS agent can talk to the ME interface and then query the state of the AMT and say, hey, is this enabled, is this provisioned? And if it's provisioned then you can have a signal. If the attacker already controls the OS when your agent is running, then they could fake the response, so the tool needs to be deployed prior to OS compromise; if it's deployed at reimage time, for example, then you're good. For Windows this is not too hard because there's existing tooling that Intel has made available; for Linux, a bit of effort because you need to write some custom tooling. As an aside, I did a network capture of the CIRA sessions using a physical network tap that was sitting between the Lenovo laptop and the LAN, just to see how it worked, and I confirmed the mutual TLS connection; I had no idea what was going on. There's also the possibility of detection by the user: a custom OS boot can be seen by a user; the Windows tray app IMSS will show a pop-up whenever AMT is provisioned or any AMT-related action is performed. This app is sometimes installed by default by manufacturers, but obviously enterprises that roll their own custom build probably drop it, so it depends. Obviously it's unknown if users will even notice or understand what the little pop-ups mean, so again it may work in your favor, may not. And finally, as you can see with the screenshot, KVM: if you do a KVM, it will always display an animated sprite on screen to warn the user. This cannot be disabled, but on the other hand, if you're an advanced attacker you will probably try and do this when the user is asleep, so hopefully they won't notice, but the possibility remains for you.

Mitigations: what can you do to mitigate such types of attacks? The ideal is you have a verified boot chain, you bind the hard drive encryption keys against the correct TPM PCR values, and you have remote attestation. How does the verified boot chain help? You can't replace a bootloader with a malicious bootloader because the machine would no longer boot and unlock the hard drive, so the user will notice that someone's booted a custom OS and replaced bits on their disk. The reason it's achievable for Windows is because Secure Boot is supported and BitLocker is available, which uses the TPM. Making sure it's set up correctly is a different problem though, especially for enterprises. For example, BIOS passwords don't exist on most laptops, so Secure Boot can be disabled by the attacker using AMT, right, you can boot it into the BIOS and disable Secure Boot; but TPM-bound hard drive encryption won't be bypassed and the user will be notified by being asked for the recovery key, for example, and how the user reacts really depends on your enterprise. Existing mitigations that already exist: not many people use LAN regularly on their laptop; enterprises that only allow internet access through a proxy will be saved, as CIRA won't work via a proxy, so if all your internet must go through a proxy then CIRA won't work. With using KVM, attackers can try to avoid using KVM when they think people might be using the machine, at night, but like I mentioned there's always a possibility of discovery.

All right, finally, how do you prevent all such attacks altogether? Buy machines without AMT. Unfortunately it's not as easy as it sounds, because buying for an enterprise is complicated, because mostly highly-spec machines come with AMT by default, so you either downgrade your machine or you put up with AMT. Second option: you can control the AMT, so you get in there yourself first, provision the AMT, and once it's provisioned and a BIOS password is set then you're good. This is also a lot of work because you need to kind of sign up for enterprise rollout or management, so depending on how big your enterprise is this could become a nightmare. And the last option is disable AMT and set a password so the attacker cannot re-enable it. Now, lots of vendors and tooling means there's no easy way to do this for a whole fleet, so if you have a fleet of thousands of machines with different vendors, different OSes, you're in a bad spot, and that's kind of where we are. It hasn't been standard practice to request the ability to control all of these settings from the OS, so the tooling that exists is sparse and sort of works sometimes, sort of doesn't work, and there's no standard. As an aside, there's a fourth option specifically for Lenovo, because the BIOS has a setting called "permanently disable AMT". I didn't try it because I have no idea what will happen, but yeah. Now, setting the BIOS password again is a related problem to setting the AMT disabled or not on a whole fleet: you don't want the same password on your whole fleet, because your effectiveness is kind of reduced; if it leaks then the attacker knows it. So what you really want is unique passwords per machine, so password management; it feels like the 90s but that's where the BIOSes are. In short, the two real options you have are to either take control yourself or disable AMT and set a BIOS password. Finally, obviously you need to make sure that the BIOS actually respects the disable choice, the disable setting. There was a bug with Lenovo, they have the security advisory out from last year, where AMT was set to disabled but the USB provisioning still worked. So, manufacturers fixing bugs, hopefully.

All right, so hopefully you understand the options you have available as a defender. What about if you're an incident responder? What if someone takes over AMT on your machine and you somehow detect it; what forensics options do you have? De-chipping is an option, but it's not very scalable; remember the ME is within the chipset, so you could de-chip, but if you have to do this on a large scale it's gonna get very expensive very quickly. The AMT API without knowing the admin password is useless, and since the attacker has gotten there before you, you don't have the admin password. Of course we can try the auth bypass vulnerability I mentioned, assuming you haven't patched it already, but you should have patched, right? So what are your real options? The way I explored this is through reality, where a plugin I'd written for an internal network scan at Google detected a provisioned AMT during one of the regular scans, and it was passed on as unknown, and when I talked to the owner he said I don't know what this

is so we had found an AMT that was provisioned and we didn't know how to get into it so that's how this whole slide deck happened so some due diligence first a poly gov mine check network logs for everyone who ever talked to any of the AMT ports on that machine answer was all internal no an IPS and people nothing to I need to worry about I collected a BIOS dump using ger Sagar is Google's Incident Response tool it's open source so it allows you to so it has functionality that we coded last year to collect BIOS dumps from Linux machines so I collected a BIOS dump and verified that by matching it against the

official BIOS that I obtained from the vendor and taking them both apart using euphy extract that's actually the project that I spent most of my time on last year this is the same T stuff has been Merseyside work for me anyway the results of that comparison was all good I didn't see any anything that would look bad the BIOS is matched nothing nothing to worry about right things look good enough to close but you know you have this nagging feeling of well how does how did this get provisioned if nothing suspicious has ever happened so I reached out to the AMT team and asked how I could do forensics I had a quick meeting and

found out that no one had asked about this before I was pointed to a Windows tool which can be used to generate a status report of AMT I asked about Linux since the lab machinery detected was running Linux and I didn't want our windows specifically for justice but they don't have a Linux team anymore so there's nothing for Linux and the admin tool that I did test just said AMD was provisioned and I said I know so this is what I wanted a Linux tool and full AMT ordered longer so AMT has built-in functionality that logs everything you do with it amazing nice if the lock can be cleared by an admin but when you clear the log it leaves the

log entry saying someone cleared it so as long as I can get to this log hopefully I can see if someone did something but without any password I have zero access what I actually got was the Windows tool and as I said it just told me the AMT was provisioned and how it was provisioned interesting but not enough in my opinion so I spent some time observing the Windows tool and how it worked working at it I found out that it was calling get local system account where the ME interface the ME interface is exposed by a driver that interfaces with the Intel Emme what I learned was there is a built-in AMT user called Dola

Dola OS admin which has limited access and this get local system account retrieved the password for that user the password is randomly generated at each boot max once every 24 hours and the account that account cannot be disabled and the password cannot be controlled that user doesn't have anywhere near the same level of access as the admin user it's meant to be used for the OS for local provisioning so this is how when you have an OS agent and you try and do a local provisioning it uses this user to set up move to client control mode so I said about replicating this to Linux thankfully the me interface driver is already in Linux mainline so dev slash slash dev slash ME

ME I is where you can talk to the ME interface need ioctl to talk to it I wrote some quick Python hack to retrieve the credentials doing ioctl using Python was not one of my best moments I was very desperate for a solution at that time so this this whole process from start to end took two weeks and I was getting more and more desperate tomorrow I was trying to figure out why what was happening with this machine I managed to get the password 4.4 the OSS admin account but it didn't work I read a bit more and one of the limitations of the admin account is also that it only works locally so using the credentials to call

the AMT API over network doesn't work it seems like a good security measure but the OS if you remember earlier can't talk to the AMT directly because the network packets are stolen directly off the hardware adapter by AMT so when you try and talk via the OS through the loopback address the OS never touches hardware and so therefore AMT never sees those packets so you someone have to get to hardware from locally so this is this is where it gets fun so what next I [Music] found out that what I needed was the local manageability service here so what it does is it exposes all the AMT never puts to localhost and it's done via the

ami interface through some other api's so obviously there is the software is available for Windows nothing for Linux well actually not nothing for Linux there it was open sourced a few years ago but not maintained but I was able to use it with a few minor adjustments and proceed so we're truing AMT audit log building the local manageability service on linux required a minor fixes patch for getting it to build is part of the repository that's being open sourced here the bugs were pretty minor but I didn't have anywhere to report them since it's not really maintained it is it's just a zip file on a website not a good rapper I did eventually succeed in dumping the full

audit log using the creds through LMS so the way it worked was I ran my Python hack which got me the password for the Dola Dola OS admin account then I started the LMS service and then I talked to that LMS service and supplied the the username and password and now I was able to make the API calls and then now I can make the API call to retrieve the AMT audit log thankfully the empty order log was readable by that user I didn't have to be admin so the audit log records that I did get a 64 encoded the decoding the string revealed it was it seemed mostly garbage mostly because I could see words like

admin so there was there was some kind of a struct here that I didn't understand it was there's some ASCII readable words and some struts no public documentation on what that boasts basically for string was so Google failed me I continued digging I think I had a few more meetings and then eventually I got desperate and I started reading the AMT SDK so AMT SDK is a massive zip I think is 200 Meg's it's meant to contain simple code for all API calls I was hoping to find hints on pausing the audit log records so I unzipped it and I went he grabbed our audit log bad idea hundreds and hundreds of matches I think I spent at least two

three days just digging through the the MT SDK four layers of indirection later I did eventually found the strop but it was called something very generic it had nothing to do with a handheld lock but the reference for that struct is in the repository I'm open sourcing so you don't have to spend the same amount of time so and getting those structured occurred was actually also very painful because the field lens within the structs were being used to indicate whether the next field existed so the Python script that I wrote to decode from basic stiffer four into the structure and into something readable is which is being open sources it's quite painful as you'll see

so findings this is the spin show of the actual audit log from the machine that took two weeks away from me according to inventory Google received this machine on the 27th of September 2016 but according to the audit log and the provision record the AMT was set up on the 23rd of January 2015 so factory mistake shipment interception but nothing suspicious in the audit log the old log match the network logs that we detect that we already tried so the external network logs matched the audit the audit log from within the MDM he logged every login attempt that he had seen and the ip's everything matched so everything's good right safe to close the investigation this is this is as far

as you go guys I still had the nagging feeling of well still lied doesn't explain the full story right like we have a year gap or had how did we get a machine ship to us that was provisioned one year before we received it so

So, since we never want to leave any stone unturned, I emailed the machine vendor asking for its history before we received it at Google. 26 emails and two more weeks later, we find out the machine was actually received in 2013, but it was received as part of a Linux test lab where they were testing the hardware to make sure that we could use it; therefore it was not part of standard inventory. And the way they used it in the test lab was by setting up AMT and doing remote installs, and on the 27th of September 2016 is when it was no longer needed in the lab, and it was moved to the normal inventory pool and then it was lent out to someone else, and during that process the AMT was not disabled. That's what my network scan picked up. So at the end it turned out to be four weeks wasted for nothing. It's a lesson for next time: actually, inventories are hard, so next time when I have this case the first thing I do is track down where the machine's been first, because it probably was part of the Linux test lab. Anyway, that concludes my forensic story.

Since writing this presentation, there are new things that I've learned. From Intel, MicroLMS is an alternative to LMS; the source and Windows and Linux binaries are available, so these are actually quite small. MeshCommander has a "save all state" option, which is useful from a forensics perspective: you can make all API calls to AMT and save it, then you can look through it yourself later on and try and figure out if that gives you some more info. And Intel is also now looking at exposing the audit log directly via the ME interface without needing a username and password to access it.

OK, one slide, a quick slide, on recovery. What are your options after compromise and forensics is done? So you did have a real compromise, you have finished forensics, now what do you do, how do you recover the machine? It depends. Without knowing the admin password you cannot unprovision programmatically; the $$OsAdmin account does not have enough rights to unprovision. So it really depends on the vendor: whether they have a BIOS menu option to unconfigure AMT or not. If they don't, then I guess you have to reach out to them and ask for something. Unfortunately, I was hoping that you could do something here, but unfortunately there isn't.

OK, so finally, in short, we can say that attacking using AMT is possible; detection and prevention are difficult, although mitigation is achievable; and lastly, forensics is reliable. What I found with forensics, even though it was frustrating, is that I had a high level of trust in what I got back. As a takeaway I would highly recommend going through my suggestions from the detection, mitigation and prevention slides to see which of them you can apply to your own personal or company situation. So things to look at: detection, at the network or OS level; mitigation, so start working on verified boot, it will help with other attack vectors too, not just AMT; and lastly prevention, so either provision AMT yourself, or disable AMT and set a BIOS password, or don't buy AMT machines. Thank you for listening. If you have any thoughts on what I can do next, happy to hear.
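An added example, not from the talk or the tooling it released, of the /dev/mei ioctl path the talk describes: it connects to the AMT Host Interface client through the Linux MEI driver using the connect ioctl, client GUID and "get code versions" command from the kernel's samples/mei/mei-amt-version.c, and asks the firmware for the BIOS version it reports, a read-only inventory check. The GetLocalSystemAccount call the talk used travels in the same envelope; its command code and payload layout would come from the AMT SDK and are not assumed here.

```python
import fcntl
import os
import struct
import uuid

MEI_DEVICE = "/dev/mei0"
# _IOWR('H', 0x01, struct mei_connect_client_data /* 16 bytes */) from <linux/mei.h>.
IOCTL_MEI_CONNECT_CLIENT = 0xC0104801
# AMTHI client GUID and "get code versions" command pair (kernel samples/mei/mei-amt-version.c).
AMTHI_GUID = uuid.UUID("12f80028-b4b7-4b2d-aca8-46e0ff65814c")
CODE_VERSIONS_REQUEST = 0x0400001A
CODE_VERSIONS_RESPONSE = 0x0480001A
AMT_STATUS_SUCCESS = 0
HEADER = struct.Struct("<BBHII")  # version major, version minor, reserved, command, payload length

def build_request(command: int, payload: bytes = b"") -> bytes:
    """Wrap a payload in the AMTHI header (interface version 1.1)."""
    return HEADER.pack(1, 1, 0, command, len(payload)) + payload

def parse_response(buf: bytes, expected_command: int) -> bytes:
    """Check the AMTHI response envelope and return the bytes after the status word."""
    if len(buf) < HEADER.size + 4:
        raise ValueError("short AMTHI response")
    _major, _minor, _reserved, command, _length = HEADER.unpack_from(buf, 0)
    if command != expected_command:
        raise ValueError(f"unexpected AMTHI command 0x{command:08X}")
    (status,) = struct.unpack_from("<I", buf, HEADER.size)
    if status != AMT_STATUS_SUCCESS:
        raise RuntimeError(f"AMTHI returned status 0x{status:08X}")
    return buf[HEADER.size + 4:]

def bios_version(payload: bytes) -> str:
    """The code-versions payload starts with a 65-byte NUL-padded BIOS version string."""
    return payload[:65].split(b"\0", 1)[0].decode("ascii", "replace")

def amthi_call(command: int, payload: bytes = b"", device: str = MEI_DEVICE) -> bytes:
    """One request/response round trip to the AMTHI client over the MEI device (needs root)."""
    fd = os.open(device, os.O_RDWR)
    try:
        # The kernel wants the GUID in uuid_le byte order and answers with client properties.
        props = fcntl.ioctl(fd, IOCTL_MEI_CONNECT_CLIENT, AMTHI_GUID.bytes_le)
        max_msg_len, _proto = struct.unpack_from("<IB", props)
        os.write(fd, build_request(command, payload))
        # The response command code is the request code with bit 23 set.
        return parse_response(os.read(fd, max_msg_len), command | 0x00800000)
    finally:
        os.close(fd)

if __name__ == "__main__":
    print(bios_version(amthi_call(CODE_VERSIONS_REQUEST)))
```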

So thank you, Parth. Anyone has any questions? I have to do this quick so I can set up the next session.

Thanks for your talk. This may be a naive question: if you hijack the AMT, can you modify the code of the ME that is outside AMT, and in particular can you modify the code that SGX will rely on, like the trusted counter and the like, do you know?

So the ME code is signed, and the AMT doesn't give you any control; no legitimate API calls exist to let you talk to the ME. There's no way to subvert it to talk to the ME or break SGX if you control the AMT. No.

Thank you. One more question; you can always ask me later. Last question.

So you mentioned that you can, for example, provision your own server as a mitigation factor. So how does AMT store, like, variable settings, or everything? Is it possible, for example, for me to dump the SPI and replace, like, password hashes, or, I don't know, replace the server so it would point to my own, if I have physical access? Is it possible for me to replace those things or not?

So that's actually a multi-layered question. Variables are stored as part of the ME settings, and that's an encrypted image; you can reverse-engineer it, but there's no easy way to do it if you dump the SPI flash. So as a setting itself, you can change that easily; you don't have to go to the SPI flash level, right? I mean, through the BIOS menu you can just change it. As in the server itself, the web server itself, as in the code of it, replacing it: again, it's not really legitimately possible, unless you find a vulnerability that allows you to bypass the encryption checks that the ME does. So hopefully that answers your question.

OK, thank you, Parth. Thank you everyone, thank you. [Applause]