Intel AMT

Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers. Almost all AMT features are available even if the PC is powered off, the OS has crashed, the software agent is missing, or hardware (such as a hard drive or memory) has failed.

A Ring -3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset; it does not work on the later Q45 chipset because Intel implemented additional protections.[38] The exploit worked by remapping the normally protected memory region (the top 16 MB of RAM) reserved for the ME. The ME rootkit could be installed regardless of whether AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor. (The “-3” designation was chosen because the ME coprocessor works even when the system is in the S3 state, so it was considered a layer below System Management Mode rootkits.) For the vulnerable Q35 chipset, an ME-based keystroke-logger rootkit was demonstrated by Patrick Stewin.

Another security evaluation, by Vassilios Ververis, showed serious weaknesses in the GM45 chipset implementation. In particular, it criticized AMT for transmitting unencrypted passwords in the SMB (small business) provisioning mode when the IDE redirection and Serial over LAN features are used. It also found that the “zero touch” provisioning mode (ZTC) is still enabled even when AMT appears to be disabled in the BIOS. For about 60 euros, Ververis purchased from Go Daddy a certificate that is accepted by the ME firmware and allows remote “zero touch” provisioning of (possibly unsuspecting) machines, which broadcast their HELLO packets to would-be configuration servers.

Source: Wikipedia