Come see how Intel AMT can be used to completely own a modern machine permanently and without detection.
In the first half of the talk, we’ll see how an attacker can abuse the legitimate functionalities of Intel AMT to gain long term persistent access with little to no chance of detection. The demoed attack can be executed to take ownership of AMT in less than 60 seconds – either through supply chain or temporary physical access. We will then show how AMT can be used for persistent access to the machine via readily available and easy-to-use C&C tools. Finally, we will cover possible mitigations and preventions against such attacks.
In the second half of the talk, we will walk through the process of doing non-destructive forensics on an Intel AMT to which we don’t know the admin password (i.e. potentially attacker controlled!). We will also describe how to reclaim ownership of the AMT once forensics is complete. Finally, we will be releasing the Linux tooling we developed in order to facilitate AMT forensics.
What is Intel AMT?
Intel AMT is an out-of-band, always-on management technology, embedded into Intel chipsets supporting vPro technology, intended to allow remote management of equipment without the need for a functioning OS. Intel AMT is commonly available on all Intel-based business laptops & desktops as well as many high end consumer laptops & desktops.
ABOUT THE SPEAKER:
Parth Shukla is a Security Engineer at Google in Switzerland. He works on efforts related to firmware/hardware security as part of the Enterprise Infrastructure Protection team. He worked for Google in Sydney, Australia for 3 years before moving to Zurich, Switzerland.
Prior to Google, Parth was an Information Security Analyst at the Australian Computer Emergency Response Team (AusCERT). While at AusCERT, Parth analysed the non-public data of the Carna Botnet that he obtained exclusively from the anonymous researcher of Internet Census 2012. Parth released a white paper on this analysis (bit.ly/carna-paper) and presented on it at various conferences, including: DeepSec 2013 in Vienna, Austria; Blackhat Sao Paulo 2013 in Sao Paulo, Brazil; APNIC 36 in Xi’an, China and AusCERT 2013 in Gold Coast, Australia.