Intel AMT: Using & Abusing the Ghost in the Machine - Parth Shukla - PowerPoint PPT Presentation



SLIDE 1

Intel AMT: Using & Abusing the Ghost in the Machine

Parth Shukla - timevortex@google.com Enterprise Infrastructure Protection

1

SLIDE 2

Project Goals

1 Explore the best* practical attack using Intel AMT

2 Present a holistic perspective covering:
❏ My Story of Attack
❏ Options for Detection, Mitigation and Prevention
❏ My Story of Forensics

*stealthiest attack with least amount of effort

2

SLIDE 3

Intel AMT Background

3

SLIDE 4

What is Intel AMT?

➔ Intel AMT = Intel Active Management Technology
➔ Out-of-Band (OOB) remote management
➔ Always-available solution
➔ Module within the Intel Management Engine (ME)

Ideal Use Case: Remote installation or IT support

4

SLIDE 5

AMT Core Features

➔ Power Management
➔ Boot your own image
➔ KVM
➔ Serial-over-LAN (SOL)
➔ Client Initiated Remote Access (CIRA)

5

SLIDE 6

High-Level Requirements for using Intel AMT

AMT supporting Hardware profile (Manufacturer decision)

AMT Module within ME: Disabled / Enabled (BIOS setting)

OOB Admin Access: Unprovisioned / Provisioned (AMT setup: local or OS or remote)

6

SLIDE 7

AMT Provisioning Options

Provisioning Method: Provisioning Mode
Local Agent on OS: CCM*
Remote: ACM
USB: ACM
Physically via BIOS MEBx menu: ACM

CCM = Client Control Mode => Limits AMT functionality
ACM = Admin Control Mode => No limitations
*Can be upgraded to ACM with additional steps

7

SLIDE 8

AMT in the News

➔ INTEL-SA-00075 - escalation of privilege vulnerability

◆ Patch available for all affected versions

➔ PLATINUM group using Serial-Over-LAN (SOL) as a back-channel

8

SLIDE 9

Open Source Tools

➔ MeshCommander
◆ Useful for creating setup USB
◆ Allows using AMT capabilities such as KVM, SOL
➔ MeshCentral2
◆ Allows managing a fleet of AMT machines
◆ Contains MeshCommander
◆ Contains admin server needed for CIRA
◆ Under active development

http://www.meshcommander.com/

9

SLIDE 10

Abusing the Ghost

An attacker's dream?

10

SLIDE 11

Attacker Goals

❏ To control AMT on sample laptop by provisioning it
❏ To maintain constant & persistent access
❏ To be stealthy

11

SLIDE 12

After those Goals are achieved?

Standard attacker (Difficulty: Easy to Hard)
➔ Equivalent to having repeated physical access
➔ Boot custom OS
➔ Hijack passwords through bootloader/kernel replacement

Sophisticated attacker (Difficulty: Hard)
➔ Insert SMM backdoor into flash chip
➔ Live undetected
➔ Access is uninterrupted on OS reinstall

Note: The attacks are not specific to AMT

12

SLIDE 13

Provisioning attack vectors

Option A: Subvert supply chain (Access: Unfettered; Complexity: High)

Option B: Have root/admin on machine already (Access: Unfettered; Complexity: High/Medium)

Option C: Local Physical (Access: Time-constrained; Complexity: Low)

13

SLIDE 14

Attacker Goals (Updated)

❏ To control AMT on sample laptop* by provisioning it
❏ Via physical access
❏ In under 60 seconds
❏ To maintain constant & persistent access
❏ To be stealthy

*Target Device: Lenovo X1 Carbon 2016 with AMT 11

14

SLIDE 15

Attacker assumptions for target laptop

1) Machine has Intel AMT support and,
2) Intel AMT has not been provisioned already and,
3) MEBx password is default (usually the case) and,
4) Either:
   a) AMT is enabled (usually the case); or
   b) BIOS password is not set (usually the case).

15

SLIDE 16

Ideal steps for an attack

Physical Access
  • Look for opportunity or create distraction

Provision AMT
  • Reboot with provisioning USB plugged in
  • If USB fails then enter BIOS to enable AMT and retry

Profit
  • AMT connects back to us via auto-dialed CIRA tunnel

16

SLIDE 17

17

SLIDE 18

USB provisioning findings

Value scale: Bad ◆ Good

MeshCommander used to create ‘setup.bin’
USB provisioning works painlessly
Cannot set CIRA settings via USB
Remote provisioning server can be set
Provisioning server in turn can set up CIRA

Good: Easy-to-use GUI tool
Bad: Cannot setup CIRA

18

SLIDE 19

Getting CIRA to work

Option A: Set provisioning server via USB (Cost: Custom Infrastructure)

Option B: Manual Setup through LAN (Cost: Increase Attack time)

19

SLIDE 20

Attacker assumptions for target laptop (Updated)

1) Machine has Intel AMT support and,
2) Intel AMT has not been provisioned already and,
3) MEBx password is default (usually the case) and,
4) Either:
   a) AMT is enabled (usually the case); or
   b) BIOS password is not set (usually the case).
5) Machine has native LAN (directly or via special adapter)

20

SLIDE 21

Attack Steps

Preparation
➔ Setup USB
◆ Using MeshCommander
➔ Setup C&C Server
◆ Using MeshCentral2
➔ Write AMT CIRA script
➔ Bring LAN Adapter + Cable

Execution
1) Reboot & Plug in USB
2) Plug in LAN Cable + Adapter
3) Trigger script to setup CIRA
Next: Check C&C Server

21

SLIDE 22

CIRA Setup! Connected to AMT via CIRA tunnel initiated by the laptop

22

SLIDE 23

CIRA is setup to tunnel out over WiFi

23

SLIDE 24

Full KVM via CIRA tunnel

Cannot do this over WiFi without OS agent or driver help

24

SLIDE 25

WiFi as a limit

Attacker Impact Limited

  • WiFi profiles must be added into AMT
  • Attacker needs to know local APs in advance
  • Needs to know credential(s) for AP(s)
  • Boot injection attack becomes more involved (must not load WiFi driver in custom OS)

Note: Over time, Intel may bridge feature-gap between WiFi and LAN to bring parity

25

SLIDE 26

How to Detect, Mitigate and Prevent?

26

SLIDE 27

Detection

Network based
➔ Look for Intel AMT’s well known network ports
➔ Traffic can be in the clear
➔ But CIRA can use Mutual TLS
Detection Likelihood: Possible

OS Agent based
➔ Query the ME Interface (MEI) for AMT status
➔ Tool exists for Windows
➔ Custom tool deployment required for Linux
Detection Likelihood: Most likely (if tool deployed prior to OS compromise)

27
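The network-based check on this slide, as an added example that is not part of the talk or of the google/amt-forensics repository: it runs over a few constructed flow-log lines and flags traffic to AMT's listener ports, plus outbound connections that look like a CIRA dial-out. The slide only says "well known network ports"; the port values below are an assumption taken from Intel's AMT documentation (16992/16993 for WS-Management over HTTP/HTTPS, 16994/16995 for redirection, 623/664 for RMCP), and 4433 is assumed as MeshCentral's default CIRA listener port. Because CIRA can run over mutual TLS, the CIRA check has nothing but port and direction to go on and is marked as a heuristic.

```python
"""Flag Intel AMT management traffic in flow records (added example)."""
import ipaddress

# Assumption: the slide only says "well known network ports"; these are the
# listener ports Intel documents for AMT plus the RMCP/ASF ports.
AMT_PORTS = {
    16992: "AMT HTTP (WS-Management)",
    16993: "AMT HTTPS (WS-Management over TLS)",
    16994: "AMT redirection (SOL / IDE-R / KVM)",
    16995: "AMT redirection over TLS",
    623: "RMCP / ASF",
    664: "RMCP secure",
}
# Assumption: MeshCentral's default CIRA listener port; other MPS setups differ.
CIRA_MPS_PORT = 4433


def parse_flow(line):
    """Parse one whitespace-separated flow record (constructed format):
    <timestamp> <src_ip> <dst_ip> <proto> <dst_port> <bytes>"""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto.lower(),
            "dport": int(dport), "bytes": int(nbytes)}


def classify(flow, internal_nets):
    """Return an alert dict for an AMT-relevant flow, else None."""
    def internal(ip):
        return any(ip in net for net in internal_nets)

    if flow["dport"] in AMT_PORTS:
        # Management traffic towards the firmware: the destination is the AMT host.
        return {"kind": "amt-inbound", "host": str(flow["dst"]),
                "peer": str(flow["src"]), "ts": flow["ts"],
                "detail": AMT_PORTS[flow["dport"]]}
    if (flow["proto"] == "tcp" and flow["dport"] == CIRA_MPS_PORT
            and internal(flow["src"]) and not internal(flow["dst"])):
        # CIRA is dialed out by the firmware to an external MPS; the payload is
        # (mutual) TLS, so only port and direction are available as evidence.
        return {"kind": "possible-cira", "host": str(flow["src"]),
                "peer": str(flow["dst"]), "ts": flow["ts"],
                "detail": "outbound TCP to default MPS port (heuristic)"}
    return None


def scan(lines, internal_nets=("10.0.0.0/8", "192.168.0.0/16")):
    """Run classify() over flow lines, skipping blanks and comments."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        alert = classify(parse_flow(line), nets)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample flows (not real capture data); 198.51.100.7 is a
# documentation address standing in for an external MPS.
SAMPLE_FLOWS = """\
2017-09-12T10:01:02Z 10.1.2.3   10.1.2.50     tcp 16992 4120
2017-09-12T10:01:05Z 10.1.2.3   10.1.2.50     tcp 443   9001
2017-09-12T10:02:30Z 10.1.2.50  198.51.100.7  tcp 4433  612330
2017-09-12T10:03:00Z 10.1.2.99  10.1.2.50     tcp 16994 88112
""".splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_FLOWS):
        print(f"{a['ts']} {a['kind']:14} host={a['host']} peer={a['peer']} ({a['detail']})")
```

On the sample data the host 10.1.2.50 is flagged three times: WS-Management from 10.1.2.3, a redirection (KVM/SOL) session from 10.1.2.99, and an outbound connection to the MPS port. The ordinary HTTPS flow on 443 is ignored, which is also the limitation the slide points out: a CIRA tunnel on a non-default port over mutual TLS looks just like that flow.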

SLIDE 28

User Detection

Always a possibility of detection by user

➔ Custom OS boot can be seen
➔ Windows tray app ‘IMSS’ will show pop up (app sometimes default installed)
➔ KVM will display animated sprite on screen

28

SLIDE 29

Mitigation

Ideal
➔ Verified boot chain
➔ Bind HDD encryption against “correct” TPM PCR values
➔ Remote attestation
Status: Windows: Achievable; Others: Good luck!

Existing
➔ LAN usage on laptop is rare
➔ Enterprises with proxy-only access
◆ CIRA will not work
➔ KVM usage will display sprite
Status: Done

29

SLIDE 30

Prevention Options

Remove: Buy machines without AMT (Difficulty: Medium)

Control: Fully Provision AMT yourself (Difficulty: High/Medium)

Disable: Disable AMT (in factory or BIOS) and Set BIOS password (Difficulty: High/Medium)

Note: Difficulty described is for an enterprise with large fleet of machines

30

SLIDE 31

If you are an incident responder...

31

SLIDE 32

What if?

  • Someone takes over AMT on your machine
  • You somehow detect it

AMT forensics?

32

SLIDE 33

When your fears come true

Provisioned AMT detected on a Linux lab desktop
➔ Admin password unknown
➔ Owner: “I have absolutely no idea who installed AMT or why.”

Time to investigate!

33

SLIDE 34

First up: Due Diligence

➔ Check network logs
➔ Verify BIOS integrity

34

SLIDE 35

Ask Intel for help

Q: How to do forensics when we don’t know AMT admin password?
A: Pointed to an existing AMT status report tool. Windows only. Nothing for Linux.

35

SLIDE 36

Ideal vs Reality

Want
➔ Linux tool
➔ Full AMT Audit Log

Got
➔ Windows tool
➔ AMT provisioning record

36

SLIDE 37

Learning from Windows Tool - $$osAdmin

Peered into Windows Tool
➔ Calling GetLocalSystemAccount using the ME Interface (MEI)
➔ Using AMT built-in user $$osAdmin to retrieve information

Replicated idea to Linux* using IOCTL
➔ Found that $$osAdmin cannot be used over network

*Code is being open sourced! Repository link at the end.

37

SLIDE 38

Need this*

Source: Page 45, Chapter 2, Platform Embedded Security Technology Revealed by Xiaoyu Ruan
*Linux LMS = https://software.intel.com/en-us/articles/download-the-latest-intel-amt-open-source-drivers

38

SLIDE 39

Retrieving AMT Audit Log

Building LMS on Linux required minor fixes*

Full AMT Audit Log dumped using $$osAdmin creds and LMS*
➔ WSMAN API calls used to retrieve the log entries
➔ Each log entry was base64 encoded
➔ Decoded string seemed mostly garbage

*Repository contains LMS patch + code to dump log along with a README file

39

SLIDE 40

Decoding the logs...

Intel AMT SDK reference code to the rescue

Findings:
➔ AMT setup on 2015-01-23
➔ But machine received on 2016-09-27
➔ Factory fault or interception?

IPs from AMT audit log match network logs
Close the investigation?

*Repository contains the decoding code

40
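Slides 39 and 40 describe pulling the audit log over WS-Management and finding that the base64-decoded entries look like garbage until the SDK's record format is applied. The retrieval step needs LMS and the $$osAdmin credentials described in the talk, so this added example (not the talk's code and not the google/amt-forensics repository's) starts one step later and decodes the record payloads. The record layout and the AppID/EventID names are assumptions based on my reading of the Intel AMT SDK's audit log documentation and should be checked against the SDK for the firmware version at hand; the sample records are constructed here so the block runs offline.

```python
"""Decode Intel AMT audit log records (added example, not the talk's code)."""
import base64
import struct
from datetime import datetime, timezone

# Assumed record layout (Intel AMT SDK audit log record, network byte order):
#   AuditAppID u16 | EventID u16 | InitType u8 | initiator data (by InitType)
#   | MCLocationType u8 | NetAddressLength u8 | NetAddress
#   | TimeStamp u32 (seconds since 1970-01-01 UTC) | ExDataLength u8 | ExData
INIT_HTTP_DIGEST, INIT_KERBEROS, INIT_LOCAL, INIT_KVM_DEFAULT = 0, 1, 2, 3

# Partial name tables, assumed from the SDK's audit event list; verify per firmware.
APP_NAMES = {16: "Security Admin", 18: "Redirection Manager", 29: "KVM"}
EVENT_NAMES = {
    (16, 0): "Provisioning Started",
    (16, 1): "Provisioning Completed",
    (16, 18): "Upgrade Client to Admin Control Mode",
    (16, 19): "Unprovisioning Started",
    (18, 8): "KVM Session Started",
    (18, 9): "KVM Session Ended",
}


def decode_record(b64_record):
    """Decode one base64 record as returned by AMT_AuditLog ReadRecords."""
    data = base64.b64decode(b64_record)
    app_id, event_id, init_type = struct.unpack_from(">HHB", data, 0)
    ptr = 5
    if init_type == INIT_HTTP_DIGEST:
        n = data[ptr]                       # username length, then username
        initiator = data[ptr + 1:ptr + 1 + n].decode("ascii", "replace")
        ptr += 1 + n
    elif init_type == INIT_LOCAL:
        initiator = "Local"                 # e.g. host-side access over MEI
    elif init_type == INIT_KVM_DEFAULT:
        initiator = "KVM default port"
    else:
        # Kerberos initiators carry a domain and SID; not handled in this example.
        raise NotImplementedError(f"InitType {init_type} not handled")
    loc_type, addr_len = data[ptr], data[ptr + 1]   # MCLocationType: 0 IPv4, 1 IPv6, 2 none
    ptr += 2
    net_addr = data[ptr:ptr + addr_len].decode("ascii", "replace")
    ptr += addr_len
    (ts,) = struct.unpack_from(">I", data, ptr)
    ptr += 4
    ex_len = data[ptr]
    ex_data = data[ptr + 1:ptr + 1 + ex_len]
    return {
        "app": APP_NAMES.get(app_id, f"AppID {app_id}"),
        "event": EVENT_NAMES.get((app_id, event_id), f"EventID {event_id}"),
        "initiator": initiator,
        "net_address": net_addr if loc_type in (0, 1) else "",
        "time": datetime.fromtimestamp(ts, tz=timezone.utc),
        "ex_data": ex_data.hex(),
    }


def make_record(app_id, event_id, user, ipv4, ts, ex=b""):
    """Build a record in the layout above; used only to construct sample input."""
    u, a = user.encode(), ipv4.encode()
    raw = (struct.pack(">HHB", app_id, event_id, INIT_HTTP_DIGEST)
           + bytes([len(u)]) + u
           + bytes([0, len(a)]) + a          # MCLocationType 0 = IPv4
           + struct.pack(">I", ts)
           + bytes([len(ex)]) + ex)
    return base64.b64encode(raw).decode("ascii")


# Constructed sample log (not real data): a provisioning followed by a KVM session.
SAMPLE_LOG = [
    make_record(16, 0, "admin", "10.0.0.5", 1422000000),
    make_record(16, 1, "admin", "10.0.0.5", 1422000030),
    make_record(18, 8, "admin", "10.0.0.5", 1422003600),
]


def timeline(b64_records):
    """One human-readable line per decoded record."""
    return [f"{r['time']:%Y-%m-%d %H:%M:%S}Z {r['app']}: {r['event']} "
            f"by {r['initiator']} from {r['net_address']}"
            for r in map(decode_record, b64_records)]


if __name__ == "__main__":
    print("\n".join(timeline(SAMPLE_LOG)))
```

The timestamp and the initiator's network address are the two fields that made the investigation on this slide possible: the former dates the provisioning, the latter is what was matched against the network logs. Records whose AppID/EventID pair is not in the table are still decoded and shown by number, so an incomplete name table never hides an entry.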

SLIDE 41

Where has this machine been?

Ask vendor for machine history
26 emails and 2 weeks later…

41

SLIDE 42

Recently learnt information

➔ MicroLMS as an alternative to LMS

◆ Comes with Linux mesh agent from meshcommander.com
◆ Source & Windows stand-alone binary available

➔ MeshCommander has “Save All State” option

◆ Makes every AMT WSMAN API call and saves it as a JSON

Intel: “Based on customer feedback, Intel is evaluating improvements in support for Linux AMT Tools, and enhancements to AMT Auditing to facilitate access to the AMT Audit Log and expose additional audit information.”

42

SLIDE 43

Recovery?

43

SLIDE 44

Defer to Vendor

➔ API call AMT_SetupAndConfigurationService.Unprovision exists
➔ But $$osAdmin not authorised to call it if in Admin Control Mode (ACM)

Look for BIOS option to “Unconfigure AMT”
➔ Some vendors don’t have this for security
➔ Some vendors do have this for convenience
➔ Some vendors combine it as part of the “Disable AMT” flow

44

SLIDE 45

What you can do

Prevent, Mitigate, and Detect!

45

SLIDE 46

Questions?

timevortex@google.com

Slides: https://goo.gl/n3ujKJ
Code: https://github.com/google/amt-forensics

46

SLIDE 47

Image Credits

License for below: https://creativecommons.org/publicdomain/zero/1.0/deed.en
Slide 3: StockSnap, https://pixabay.com/en/cup-coffee-mug-notes-diary-pen-2572893/
Slide 10: geralt, https://pixabay.com/en/woman-stylish-at-internet-network-163426/
Slide 11 & 14: TeroVesalainen, https://pixabay.com/en/target-goal-success-dart-board-1955257/
Slide 15 & 20: mstlion, https://pixabay.com/en/stamp-accepted-symbol-accept-1966698/
Slide 26: OpenClipart-Vectors, https://pixabay.com/en/sherlock-holmes-detective-147255/
Slide 31: geralt, https://pixabay.com/en/matrix-binary-security-code-2503236/
Slide 33: DirtyOpi, https://pixabay.com/en/funny-pictures-funny-676672/

47

SLIDE 48

Image Credits

License for below: https://creativecommons.org/publicdomain/zero/1.0/deed.en
Slide 34: 472301, https://pixabay.com/en/checklist-clipboard-questionnaire-1622517/
Slide 35: OpenClipart-Vectors, https://pixabay.com/en/help-button-red-emergency-support-153094/
Slide 41: JerzyGorecki, https://pixabay.com/en/bridge-wooden-bridge-transition-2769777/
Slide 43: dramitkarkare, https://pixabay.com/en/restart-cushions-funny-ctrl-alt-del-2787877/
Slide 45: OpenClipart-Vectors, https://pixabay.com/en/note-notepad-pad-paper-remember-2025016/
Slide 46: jarmoluk, https://pixabay.com/en/microphone-it-lecture-entry-sound-2775447/

48