Toshiba security advice: Intel AMT risk


Just purchased a laptop, Tecra M9-196, not yet connected it to a
network or the internet.  Just completing the basic setting-up, but
unable to finish securing the Intel Active Management Technology (AMT)
functions.  In the box, Toshiba inserted a supplementary security
advice note explaining that if the machine is to be used outside a
corporate network, the AMT functions should be disabled in the BIOS.
But the BIOS on the machine does not allow any adjustment or disabling
of the AMT functions.  Toshiba advise that "If the AMT functions are
not turned OFF there is a danger that the AMT management functions may
be abused by other parties which could lead to leak of sensitive
and/or proprietary information, data loss, HDD erasure or overwriting

Before worrying too much, I've tried to check what the AMT functions
do.  They do seem to have potential for leaks and, if I have
understood correctly, can leak while the machine 'appears' to be off
since some of the functions remain active at the firmware level (this,
specifically, to assist network administrators dealing with computers
with some start-up problems).  The AMT system is a kind of
audit/status/manipulation system running on the laptop - presumably a
mixture of firmware and routines within Vista - which provides data
and control functions on an HTTP server within the machine.  This
internal server uses these TCP ports: 9971, 16992, 16993, 16995.
( noted from: )

Some AMT facilities are described here /

These capabilities are quite powerful and represent a serious
potential threat vector.  The "NetworkAdministrationInterface" could
be used to redirect DNS queries to a poisoned server then, say,
assisting the interception of bank transactions (many people being
used to a browser saying the certificate is invalid).  The
"WirelessConfigurationInterface" could capture WiFi encryption keys,
and the "StorageInterface" facility make these available, even when
the machine is 'off'.  As the note says, 'Problem solved!'

The reference describes the AMT network usage:

"In order to communicate with the interfaces, programs need to
exchange data with one of these two URLs--

- http://hostname:16992/ServiceName if Intel® AMT is using
Small-Medium Business provisioning mode; or

- https://hostname:16993/ServiceName if the Enterprise provisioning
mode is being employed."

While blocking malicious exploitation of these facilities at a
corporate network firewall could be straightforward (if the AMT ports
are known, eg are only those listed above), it is much less easy to
prevent access to a stand-alone machine connected on a network over
which the user has no control.  But such situations are common - this
is exactly what happens at WiFi hotspots, airline lounges, hotels,
public libraries, WiMAX and 3G networks, dialup or DSL internet
service, and, increasingly for business visitors, connecting onto a
counterparty's network during meetings etc.  And firewall software on
the machine, even if permitted to override whatever Vista wants to do,
will not be able to block the AMT transactions while the machine is
'off' -- the firewall will not be running.  And, given that particular
capability, it is unclear what AMT requests are potentially
immediately intercepted by the firmware before Vista even sees them.

Since (despite Toshiba's note) I cannot disable the AMT functions, I'd
like to check whether they are 'live' on the machine.  I can put the
machine on a home network, and completely block its address using a
separate firewall/gateway.  Can anyone suggest how I can check whether
the AMT ports are active?  I have a Linux machine on the home network,
is there a network tool that will report what ports are open on the
laptop?  (Something similar to the Gibson port tester, but I don't
want to connect the machine to the internet, yet.)

Many thanks for reading this far.  It is a long note; I put the
background in, and my thoughts about the risks, because nothing seemed
to come up on web or newsgroup searches about this.  Incidentally, the
problem may not be limited to Toshiba; Lenovo seem to have disabled
the AMT control, as well:

rgds Bernie
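The check asked for at the end of the post, as an added example written for this page (it is not Bernie's code, nor anything from Toshiba or Intel): a small Python script to run from the Linux machine on the home network, using only the standard library. It takes the four port numbers and the two provisioning-mode URLs from the post as given, and it goes one step further than a plain port listing by sending an HTTP GET to the port the post quotes for Small-Medium Business mode. The script assumes, which the post does not state, that an AMT web interface names itself in its HTTP Server header; the fake listener at the bottom is a constructed stand-in so the checks can be exercised without the laptop present.

```python
"""Check from a Linux box whether a laptop answers on Intel AMT ports.

Added example for the question above; not code from the original post.
Assumptions: the candidate ports are the ones the post lists, and an AMT
web UI identifies itself in its HTTP Server header (my assumption, not
something the post states).  Standard library only.
"""
import socket
import threading

# Port list copied from the post. The two descriptions come from the
# provisioning-mode quote in the post; the other two ports carry none.
AMT_PORTS = {
    9971: "listed in the post (no description given)",
    16992: "http://hostname:16992/ServiceName (SMB provisioning mode)",
    16993: "https://hostname:16993/ServiceName (Enterprise provisioning mode)",
    16995: "listed in the post (no description given)",
}

AMT_MARKER = b"Intel(R) Active Management Technology"  # assumed banner text


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes (connect scan)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out (filtered)
        return False


def scan_amt_ports(host, ports=AMT_PORTS, timeout=2.0):
    """Map each candidate port to whether it accepted a connection."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def probe_amt_http(host, port=16992, timeout=2.0):
    """Send a plain HTTP GET and report whether the reply looks like AMT.

    Returns None if the port refused or timed out; otherwise a dict with the
    HTTP status line and a flag set when the assumed AMT marker appears
    anywhere in the response (headers or body).
    """
    request = (f"GET / HTTP/1.0\r\nHost: {host}:{port}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while True:
                try:
                    data = sock.recv(4096)
                except socket.timeout:
                    break        # keep whatever arrived before the server went quiet
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return None
    response = b"".join(chunks)
    status_line = response.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return {"status_line": status_line, "looks_like_amt": AMT_MARKER in response}


def start_fake_amt_listener(server_header=b"Intel(R) Active Management Technology 3.2.1"):
    """Constructed stand-in for an AMT web UI so the checks run offline.

    The reply text is made up for this example. Returns (port, stop); calling
    stop() shuts the listener down and waits for the serving thread to exit.
    """
    body = b"<html><body>ok</body></html>"
    reply = (b"HTTP/1.1 200 OK\r\nServer: " + server_header + b"\r\n"
             b"Content-Type: text/html\r\nContent-Length: "
             + str(len(body)).encode("ascii") + b"\r\nConnection: close\r\n\r\n" + body)
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))      # ephemeral port chosen by the kernel
    listener.listen(5)
    listener.settimeout(0.2)
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.recv(4096)      # request content is irrelevant here
                    conn.sendall(reply)
                except OSError:
                    pass                 # client closed early (bare connect scan)
        listener.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()

    def stop():
        stopping.set()
        thread.join()

    return listener.getsockname()[1], stop


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, is_open in scan_amt_ports(target).items():
        state = "open" if is_open else "closed/filtered"
        print(f"{target}:{port} {state}  {AMT_PORTS[port]}")
    print(probe_amt_http(target, 16992))
```

A connect scan cannot tell a closed port from one silently dropped by a firewall, so run it from the home network with the gateway not filtering the laptop's address, and treat "closed/filtered" as inconclusive rather than safe. Since the post's concern is that the firmware answers while Vista is off, run the scan twice: once with the laptop booted, and once shut down but still on mains power and cabled to the switch. The first step alone is what `nmap -p 9971,16992,16993,16995 <laptop-ip>` from the Linux box would report; the HTTP probe is what tells you whether whatever is listening on 16992 is actually the AMT interface.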
