intel amt using abusing the ghost in the machine
play

Intel AMT: Using & Abusing the Ghost in the Machine Parth - PowerPoint PPT Presentation

Aug 04, 2023 •315 likes •808 views

Intel AMT: Using & Abusing the Ghost in the Machine Parth Shukla - timevortex@google.com Enterprise Infrastructure Protection 1 Project Goals 1 Explore the best* practical attack using Intel AMT 2 Present a holistic perspective

  1. Intel AMT: Using & Abusing the Ghost in the Machine Parth Shukla - timevortex@google.com Enterprise Infrastructure Protection 1

  2. Project Goals 1 Explore the best* practical attack using Intel AMT 2 Present a holistic perspective covering: My Story of Attack ❏ Options for Detection, Mitigation and Prevention ❏ My Story of Forensics ❏ *stealthiest attack with least amount of effort 2

  3. Intel AMT Background 3

  4. What is Intel AMT? Intel AMT = Intel Active Management Technology ➔ Out-of-Band (OOB) remote management ➔ Always-available solution ➔ Module within the Intel Management Engine (ME) ➔ Ideal Use Case: Remote installation or IT support 4

  5. AMT Core Features Power Management ➔ Boot your own image ➔ KVM ➔ Serial-over-LAN (SOL) ➔ Client Initiated Remote Access (CIRA) ➔ 5

  6. High-Level Requirements for using Intel AMT Manufacturer decision AMT supporting Hardware profile AMT Module within ME BIOS setting Disabled Enabled AMT setup (local or OS or remote) Provisioned Unprovisioned OOB Admin Access 6

  7. AMT Provisioning Options Provisioning Method Provisioning Mode Local Agent on OS CCM * Remote ACM USB ACM Physically via BIOS MEBx menu ACM CCM = Client Control Mode => Limits AMT functionality ACM = Admin Control Mode => No limitations *Can be upgraded to ACM with additional steps 7

  8. AMT in the News INTEL-SA-00075 - escalation of privilege vulnerability ➔ Patch available for all affected versions ◆ PLATINUM group using Serial-Over-LAN (SOL) as a back-channel ➔ 8

  9. Open Source Tools http://www.meshcommander.com/ MeshCommander ➔ Useful for creating setup USB ◆ Allows using AMT capabilities such as KVM, SOL ◆ MeshCentral2 ➔ Allows managing a fleet of AMT machines ◆ Contains MeshCommander ◆ Contains admin server needed for CIRA ◆ Under active development ◆ 9

  10. Abusing the Ghost An attacker's dream? 10

  11. Attacker Goals To control AMT on sample laptop by provisioning it ❏ To maintain constant & persistent access ❏ To be stealthy ❏ 11

  12. After those Goals are achieved? Standard attacker Sophisticated attacker Equivalent to having Insert SMM backdoor into ➔ ➔ flash chip repeated physical access Live undetected ➔ Boot custom OS ➔ Access is uninterrupted on ➔ Hijack passwords through ➔ OS reinstall bootloader/kernel replacement Difficulty: Difficulty: Hard Easy to Hard Note : The attacks are not specific to AMT 12

  13. Provisioning attack vectors Option A Option B Option C Subvert supply Have root/admin on Local Physical chain machine already Access: Access: Access: Unfettered Unfettered Time-constrained Complexity: Complexity: Complexity: High High/Medium Low 13

  14. Attacker Goals ( Updated ) To control AMT on sample laptop* by provisioning it ❏ Via physical access ❏ In under 60 seconds ❏ To maintain constant & persistent access ❏ To be stealthy ❏ *Target Device: Lenovo X1 Carbon 2016 with AMT 11 14

  15. Attacker assumptions for target laptop 1) Machine has Intel AMT support and, 2) Intel AMT has not been provisioned already and, 3) MEBx password is default (usually the case) and, 4) Either: a) AMT is enabled (usually the case); or b) BIOS password is not set (usually the case). 15

  16. Ideal steps for an attack Physical Access ● Look for opportunity or create distraction ● Reboot with provisioning USB plugged in Provision AMT ● If USB fails then enter BIOS to enable AMT and retry ● AMT connects back to us via auto-dialed CIRA tunnel Profit 16

  17. 17

  18. USB provisioning findings Value scale Good ◆ MeshCommander used to create ‘setup.bin’ Easy-to-use GUI tool ◆ USB provisioning works painlessly ◆ Cannot set CIRA settings via USB Cannot setup CIRA ◆ Remote provisioning server can be set ◆ Provisioning server in turn can set up CIRA Bad 18

  19. Getting CIRA to work Option A Option B Set provisioning Manual Setup through LAN server via USB Cost: Cost: Increase Attack time Custom Infrastructure 19

  20. Attacker assumptions for target laptop ( Updated ) 1) Machine has Intel AMT support and, 2) Intel AMT has not been provisioned already and, 3) MEBx password is default (usually the case) and, 4) Either: a) AMT is enabled (usually the case); or b) BIOS password is not set (usually the case). 5) Machine has native LAN (directly or via special adapter) 20

  21. Attack Steps Preparation Execution Setup USB 1) Reboot & Plug in USB ➔ Using MeshCommander 2) Plug in LAN Cable + Adapter ◆ Setup C&C Server ➔ 3) Trigger script to setup CIRA Using MeshCentral2 ◆ Write AMT CIRA script ➔ Bring LAN Adapter + Cable ➔ Next : Check C&C Server 21

  22. Connected to AMT via CIRA tunnel initiated by the laptop CIRA Setup! 22

  23. CIRA is setup to tunnel out over WiFi 23

  24. Full KVM via CIRA tunnel Cannot do this over WiFi without OS agent or driver help 24

  25. WiFi as a limit ● WiFi profiles must be added into AMT Attacker ● Attacker needs to know local APs in advance Impact ● Needs to know credentials(s) for AP(s) Limited ● Boot injection attack becomes more involved (must not load WiFi driver in custom OS) Note : Over time, Intel may bridge feature-gap between WiFi and LAN to bring parity 25

  26. How to Detect, Mitigate and Prevent? 26

  27. Detection Network based OS Agent based Look for Intel AMT’s well Query the ME Interface (MEI) ➔ ➔ known network ports for AMT status Traffic can be in the clear Tool exists for Windows ➔ ➔ But CIRA can use Mutual TLS Custom tool deployment ➔ ➔ required for Linux Detection Likelihood: Possible Detection Likelihood: Most likely (if tool deployed prior to OS compromise) 27

  28. User Detection Always a possibility of detection by user Custom OS boot can be seen ➔ Windows tray app ‘IMSS’ will show pop up (app sometimes default installed) ➔ KVM will display animated sprite on screen ➔ 28

  29. Mitigation Ideal Existing Verified boot chain LAN usage on laptop is rare ➔ ➔ Bind HDD encryption against Enterprises with proxy-only ➔ ➔ “correct” TPM PCR values access Remote attestation CIRA will not work ➔ ◆ KVM usage will display sprite ➔ Status: Status: Windows: Achievable Done Others: Good luck! 29

  30. Prevention Options Remove Control Disable Buy machines Fully Provision AMT Disable AMT (in without AMT yourself factory or BIOS) and Set BIOS password Difficulty: Difficulty: Difficulty: Medium High/Medium High/Medium Note: Difficulty described is for an enterprise with large fleet of machines 30

  31. If you are an incident responder... 31

  32. What if? AMT forensics? ● Someone takes over AMT on your machine ● You somehow detect it 32

  33. When your fears come true Provisioned AMT detected on a Linux lab desktop Admin password unknown ➔ Owner: “I have absolutely no idea who installed ➔ AMT or why.” Time to investigate! 33

  34. First up: Due Diligence Check network logs ➔ Verify BIOS integrity ➔ 34

  35. Ask Intel for help Q: How to do forensics when we don’t know AMT admin password? A: Pointed to an existing AMT status report tool. Windows only. Nothing for Linux 35

  36. Ideal vs Reality Want Got Linux tool Windows tool ➔ ➔ Full AMT Audit Log AMT provisioning record ➔ ➔ 36

  37. Learning from Windows Tool - $$osAdmin Peered into Windows Tool Calling GetLocalSystemAccount using the ME Interface (MEI) ➔ Using AMT built-in user $$osAdmin to retrieve information ➔ Replicated idea to Linux* using IOCTL Found that $$osAdmin cannot be used over network ➔ *Code is being open sourced! Repository link at the end. 37

  38. Need this* Source: Page 45, Chapter 2, Platform Embedded Security Technology Revealed by Xiaoyu Ruan *Linux LMS = https://software.intel.com/en-us/articles/download-the-latest-intel-amt-open-source-drivers 38

  39. Retrieving AMT Audit Log Building LMS on Linux required minor fixes* Full AMT Audit Log dumped using $$osAdmin creds and LMS* WSMAN API calls used to retrieve the log entries ➔ Each log entry was base64 encoded ➔ Decoded string seemed mostly garbage ➔ *Repository contains LMS patch + code to dump log along with a README file 39

  40. Decoding the logs... Intel AMT SDK reference code to the rescue Findings: AMT setup on 2015-01-23 ➔ But machine received on 2016-09-27 ➔ Factory fault or interception? ➔ IPs from AMT audit log match network logs Close the investigation? *Repository contains the decoding code 40

  41. Where has this machine been? Ask vendor for machine history 26 emails and 2 weeks later… 41

  42. Recently learnt information MicroLMS as an alternative to LMS ➔ ◆ Comes with Linux mesh agent from meshcommander.com Source & Windows stand-alone binary available ◆ MeshCommander has “Save All State” option ➔ Makes every AMT WSMAN API call and saves it as a JSON ◆ Intel: "Based on customer feedback, Intel is evaluating improvements in support for Linux AMT Tools, and enhancements to AMT Auditing to facilitate access to the AMT Audit Log and expose additional audit information.” 42

  43. Recovery? 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Ghost in the Machine Dawie van den Heever SSM with implants 2 SSM with implants 3 SSM

The Ghost in the Machine Dawie van den Heever SSM with implants 2 SSM with implants 3 SSM

1 The Ghost in the Machine Dawie van den Heever SSM with implants 2 SSM with implants 3 SSM with implants 4 ECG reconstruction & classification 5 Robotic limbs 6 PANDAS 7 Ghost in the Shell 8 Ghost in the Machine 9

419 views • 17 slides
1 x86 Clones: Advanced Micro Devices Intels 64-Bit History (AMD) 2001: Intel Attempts

1 x86 Clones: Advanced Micro Devices Intels 64-Bit History (AMD) 2001: Intel Attempts

Today: Machine Programming I: Basics History of Intel processors and architectures C, assembly, machine code Machine-Level Programming I: Basics Assembly Basics: Registers, operands, move Arithmetic & logical operations CSci

320 views • 8 slides
Erin Murray The general first idea was to have a playful ghost flying around a building for

Erin Murray The general first idea was to have a playful ghost flying around a building for

Erin Murray The general first idea was to have a playful ghost flying around a building for their own enjoyment. The story of the ghost then became more prominent as I developed my storyboards. The ghost was looking for a place to haunt

336 views • 10 slides
A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain

A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain

REDRAIN & MIN(SPARK) ZHENG A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain min(spark) zheng Qihoo 360CERT CUHK PhD Alibaba Security Expert Low-level security researcher Pentester with interest in

818 views • 52 slides
Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security

689 views • 66 slides
Ghost Peaks: How to Fix a Haunting Problem Jacob A. Rebholz Teledyne Tekmar VOC Product Line

Ghost Peaks: How to Fix a Haunting Problem Jacob A. Rebholz Teledyne Tekmar VOC Product Line

Ghost Peaks: How to Fix a Haunting Problem Jacob A. Rebholz Teledyne Tekmar VOC Product Line Manager Outline of Topics What is a ghost peak? How to identify ghost peaks and their source How to correct various sources of

561 views • 43 slides
Piloting HCV GHOST in Michigan www.michigan.gov/hepatitis November 29, 2017 Joe Coyle, MPH

Piloting HCV GHOST in Michigan www.michigan.gov/hepatitis November 29, 2017 Joe Coyle, MPH

Piloting HCV GHOST in Michigan www.michigan.gov/hepatitis November 29, 2017 Joe Coyle, MPH Outline MDHHS HCV Surveillance Basics of HCV GHOST Example of GHOST in Action Implications for Public Health Surveillance MDHHS HCV

455 views • 34 slides
Ghost River State of the Watershed (2018) - Ghost Watershed Alliance Society Photo credit: R.

Ghost River State of the Watershed (2018) - Ghost Watershed Alliance Society Photo credit: R.

Ghost River State of the Watershed (2018) - Ghost Watershed Alliance Society Photo credit: R. Drury State of the Watershed Report Formal process by Alberta Government Followed Handbook for State of the Watershed Reporting Used

470 views • 44 slides
Computaci i Sistemes Intel ligents Part III: Machine Learning Marta Arias Dept. CS, UPC

Computaci i Sistemes Intel ligents Part III: Machine Learning Marta Arias Dept. CS, UPC

Computaci i Sistemes Intel ligents Part III: Machine Learning Marta Arias Dept. CS, UPC Fall 2018 Website Please go to http://www.cs.upc.edu/~csi for all courses material, schedule, lab work, etc. Announcements through

541 views • 38 slides
Tap n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita

Tap n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita

Tap n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita Maruyama 1 , Satohiro Wakabayashi 1 , Tatsuya Mori 1, 2 1 Waseda University, Japan 2 RIKEN AIP, Japan Tap n Ghost An attack against smartphones

508 views • 30 slides
V8 engine of Node.js on IA: JavaScript-JITTED x86 machine code mapping profiling support and X87

V8 engine of Node.js on IA: JavaScript-JITTED x86 machine code mapping profiling support and X87

V8 engine of Node.js on IA: JavaScript-JITTED x86 machine code mapping profiling support and X87 Quark processor enabling chunyang.dai@intel.com, Intel Company Agenda JavaScript-JITTED x86 machine code mapping profiling support in VTune

159 views • 15 slides
Challenging the Intel Xeon: ARM and OpenPower Now you really have to optimize Mighty Intel

Challenging the Intel Xeon: ARM and OpenPower Now you really have to optimize Mighty Intel

Challenging the Intel Xeon: ARM and OpenPower Now you really have to optimize Mighty Intel Intel had a 99.2 percent market share in server chips (IDC, 2015 Quoted on InfoWorld) We started experimenting with SoCs two

838 views • 47 slides
Ghost effect by curvature Providence, November 2011 M&MOCS MATHEMATICS AND MECHANICS OF

Ghost effect by curvature Providence, November 2011 M&MOCS MATHEMATICS AND MECHANICS OF

Ghost effect by curvature Providence, November 2011 M&MOCS MATHEMATICS AND MECHANICS OF COMPLEX SYSTEMS Universit` a dellAquila - Italy Ghost effect by curvature p. 1/39 Joint project with : L. Arkeryd R. Marra A. Nouri

749 views • 39 slides
Pride and Prejudice in Progressive Web Apps : Abusing Native App-like Features in Web Applications

Pride and Prejudice in Progressive Web Apps : Abusing Native App-like Features in Web Applications

Pride and Prejudice in Progressive Web Apps : Abusing Native App-like Features in Web Applications Jiyeon Lee, Hayeon Kim, Junghwan Park, Insik Shin, Sooel Son School of Computing, Graduate School of Information Security 1 Limitations of Web

1.03k views • 57 slides
A Machine-Checked Theory of Floating Point Arithmetic John Harrison Intel Corporation, EY2-03

A Machine-Checked Theory of Floating Point Arithmetic John Harrison Intel Corporation, EY2-03

A Machine-Checked Theory of Floating Point Arithmetic 1 A Machine-Checked Theory of Floating Point Arithmetic John Harrison Intel Corporation, EY2-03 Introduction to IA-64 and HOL Light Floating point formats Ulps Rounding

254 views • 13 slides
5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna

5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna

5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna Edupuganti, Intel Muhammad (Asim) Jamshed, Intel 2020 Agenda Cloud Native Disaggregated Network Infrastructure Transition to 5G Near

639 views • 38 slides
July 19, 2020 You will need communion elements for todays gathering. Please join with audio to

July 19, 2020 You will need communion elements for todays gathering. Please join with audio to

July 19, 2020 You will need communion elements for todays gathering. Please join with audio to participate in greeting time. Glory be to the Father And to the Son And to the Holy Ghost As it was in the beginning, Is now and ever shall be,

548 views • 40 slides
Changing the Tools for Home Intergenerational Visitors Pathway of Trauma Barbara Jessing,

Changing the Tools for Home Intergenerational Visitors Pathway of Trauma Barbara Jessing,

Changing the Tools for Home Intergenerational Visitors Pathway of Trauma Barbara Jessing, MS, LIMHP, LMFT Fontenelle House Consultation and Training Barbara Jessing bejessing@cox.net 402-981-6727 www.fontenellehouse.com Welcome

555 views • 53 slides
Then they cried out to the L ORD in their trouble, and He brought them out of their distress.

Then they cried out to the L ORD in their trouble, and He brought them out of their distress.

Then they cried out to the L ORD in their trouble, and He brought them out of their distress. He stilled the storm to a whisper; the waves of the sea were hushed. They were glad when it grew calm, and He guided them to their desired haven.

339 views • 17 slides
Ne New Peace Be With You John 20:19-22 1) What does the story say about Jesus? Peace

Ne New Peace Be With You John 20:19-22 1) What does the story say about Jesus? Peace

Ne New Peace Be With You John 20:19-22 1) What does the story say about Jesus? Peace Be With You John 20:19-22 1) What does the story say about Jesus? Nothing can keep Jesus from His people. v.19 Peace Be With You

459 views • 42 slides
Understanding Audiences and Visitors Witte Museum July 15, 2019 San Antonio, Texas Welcome

Understanding Audiences and Visitors Witte Museum July 15, 2019 San Antonio, Texas Welcome

Understanding Audiences and Visitors Witte Museum July 15, 2019 San Antonio, Texas Welcome Introductions A few words from our hosts Why We Are Here What is an audience? Who are visitors? Who comes to your institution? Who

1.2k views • 92 slides
Use of Technology to Stalk In Person Training Webinars Online Resources Individual &

Use of Technology to Stalk In Person Training Webinars Online Resources Individual &

Stalking 2.0 The Use of Technology to Stalk September 10, 2018 at 2-3:30pm CDT Jennifer Landhuis, Stalking Prevention, Awareness, and Resource Center (SPARC) This project was supported by Grant No. 2015-TA-AX-K027 awarded by the Office on

738 views • 22 slides
th 2020 September 20 th 2020 We will begin shortly For r a better r vir irtual worship

th 2020 September 20 th 2020 We will begin shortly For r a better r vir irtual worship

Bethlehem Lutheran Church th 2020 September 20 th 2020 We will begin shortly For r a better r vir irtual worship Turn UP your volume to hear Optional: Turn ON your video camera & ENABLE video with Zoom USE your BLC

626 views • 20 slides
N. Healing two blind men and a deaf mute Matthew 9:27 34 1. Matthew 9:27 These blind

N. Healing two blind men and a deaf mute Matthew 9:27 34 1. Matthew 9:27 These blind

N. Healing two blind men and a deaf mute Matthew 9:27 34 1. Matthew 9:27 These blind men called to Jesus using the Messianic title Son of David . Matthew implied that these blind men saw more than the Pharisees and other national leaders

639 views • 27 slides

More recommend