bleubob

Was hacked via AMTactivate AMT Exploit?

HP Zbook 15 G1/G2
Microsoft Windows 7 (64-bit)

 

I've never needed the vPro features; I just like business laptops. They're solid, versatile and more reliable overall, I think.

 

To make a long story short, I noticed unusual activity on my laptop (no need to go into details) which fits right in line with a Management Engine AMT exploit. I never bothered configuring the MEBx password when I obtained my laptop via the Ctrl-P keypress on boot (I'm not even sure if a non-provisioned laptop is even supposed to acknowledge the key combo), but the AMTactivate exploit doesn't *need* the laptop to be provisioned at all to be vulnerable:

 

see :   www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwjHgc6p7qXk...

 

The Zbook 15 G1/G2 is right on target for being exploitable. I know the CVE which directly relates to this issue was supposed to be patched with sp87481.exe or sp87881.exe (can't bring up the release notes, so I don't know exactly which one it is), but there's obviously an updated variant about.

 

Since I never use vPro or the Management Engine's advanced features, I would like to disable as many of its modules as possible, ESPECIALLY! the network stack module!  I have been trying to use me_cleaner to effect this:

 

https://github.com/corna/me_cleaner/wiki

 

But unfortunately the fwupdate utility you supply will not flash a modified image of the Management Engine firmware for some reason.

 

HP NEEDS TO PROVIDE A TOOL THAT DOES WHAT ME_CLEANER DOES FOR ALL ITS MODELS, ESP. ITS BUSINESS CLASS LAPTOPS!

 

For those who still don't know, the ME is always on; if your laptop is connected to power either via battery or AC it is on and active and can be exploited, even if your laptop is powered off. You don't even need a wifi card, just close proximity to be hacked (it has its own network stack). It's completely transparent to your OS and other hardware, so you won't know you're hacked. Everything that you could do with a full AMT provisioned laptop someone can do with your hardware.

 

I haven't come here to state what most of the technically proficient here already know, but to ask the HP tech support here if there is a way to gut the Management Engine modules to disable this hardware backdoor, or for the possibility of HP themselves providing a tool that does this. I know the ME is needed for some hardware functions, but surely the network stack module isn't required.

 

Right now, after weeks of looking for a solution, my only option seems to be getting an SPI hardware flasher and manually flashing my modified ME firmware myself, risking a bricked motherboard, or downgrading to a Core i3 CPU (and I'm not even sure downgrading to an i3 fully mitigates all AMT vulnerabilities).

 

So tech, what can you help me do about this?

soccer_dan

Did you try disabling AMT in the BIOS? F10, Advanced \ Remote Management Options Menu \ Active Management Technology (AMT) - it is checked by default.

I work for HP. However, all opinions and comments are my own.