RedRob71

AMT security on Intel vPro systems

HP Compaq 8200 Elite SFF
Microsoft Windows 10 (64-bit)

Hi. I've just read a security bulletin relating to Intel AMT on vPro systems. Intel's instructions regarding mitigation for this threat are sketchy, to say the least. If I have disabled AMT in the system BIOS on my machines, will this mitigate against possible future attack, or could this make me susceptible to more? Also, if anyone from HP reads this forum, when will a firmware patch be made available? I realise my machines are not recognised as Win 10 devices, but they work fine with this operating system. If anyone can shed any light on this subject I would be happy to read. If my machines are attacked from outside, given that the chances are now greatly increased due to notifications on multiple websites, who is responsible for any losses incurred? Are my desktop PCs even susceptible? idk. Many regards.

Skylarking

This is an issue only if a CPU has the vPro feature along with a mobo chipset that also supports vPro. If your CPU doesn't have this feature, you're OK.

On such systems that support AMT, until the manufacturer fixes their BIOS, it is recommended to disable AMT within the BIOS itself and also to disable LMS and associated services within Windows (if using that OS). Read more here, especially the links and references within.

Of particular interest within the above thread is a link to Lenovo's response, with this page indicating when a BIOS fix will be made available.

Has anybody seen a similar page for HP or Dell systems? I haven't.
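
The Windows-side step mentioned in the reply above (disabling LMS), as an added example that is not part of the original posts and is not HP's or Intel's own tooling. It assumes Windows 10 with PowerShell 5.1 run from an elevated prompt; the display-name filter used to find related services is an assumption, and the port list is the set of TCP ports commonly documented for AMT.

```powershell
# Added example (not from the thread): audit, and optionally disable, the
# Intel LMS service. Without -Disable the script only reports.
param([switch]$Disable)

# "LMS" is the service name of Intel's Local Manageability Service.
$svc = Get-Service -Name 'LMS' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'LMS service is not installed on this system.'
} else {
    Write-Output "LMS: status=$($svc.Status) starttype=$($svc.StartType)"
    if ($Disable) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'LMS' -Force }
        Set-Service -Name 'LMS' -StartupType Disabled
        $svc = Get-Service -Name 'LMS'
        Write-Output "LMS now: status=$($svc.Status) starttype=$($svc.StartType)"
    }
}

# Discovery of "associated services". Assumption: they share an
# "Intel ... Management" display name; review the list before changing any.
Get-Service |
    Where-Object { $_.DisplayName -like 'Intel*Management*' } |
    Select-Object Name, DisplayName, Status, StartType |
    Format-Table -AutoSize

# OS-side listeners on the TCP ports commonly documented for AMT.
# This only sees sockets opened by Windows processes such as LMS; traffic
# handled by the management engine below the OS does not appear here.
$amtPorts = 16992, 16993, 16994, 16995, 623, 664
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $amtPorts -contains $_.LocalPort }
if ($listeners) {
    $listeners | Select-Object LocalAddress, LocalPort, OwningProcess |
        Format-Table -AutoSize
} else {
    Write-Output 'No OS-side listeners on the AMT ports.'
}
```

Disabling LMS covers only the Windows half of the recommendation; the BIOS setting and the vendor firmware update discussed in this thread are separate steps.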

RedRob71

Thank you for these links. As you say a HP specific page would solve much of the confusion.

RedRob71

Sorry - but this doesn't look good - http://www8.hp.com/us/en/intelmanageabilityissue.html

RedRob71

Windows 10 and Windows 7 users who are unsure as to whether they are affected may find the Intel detection guide useful (contained in zip file) - https://downloadcenter.intel.com/download/26755 - although this did not give me a conclusive result - poor showing.

Skylarking

To hear HP via AMT has left the gates open to my z210 workstation since 2010 just adds to the view that nobody cares about my security and privacy.

Meanwhile, Intel's AMT detection tool didn't yield useful results since I disabled AMT and its Windows services.

But it's good to see HP came to the party and documented their response as to how and in what time frame they will fix this AMT security failure. So hopefully my z210 Workstation will see the updated ME firmware released on time by 12th May 2017.

What's of bigger concern is how the OEM industry simply took a module provided by their supplier (Intel) and did not perform any due diligence testing on this firmware module to ensure the final product they were selling was secure and thus fit for purpose. So it's either a massive failure across the many OEMs, which seems just a little too difficult to fathom, or something else a little more on the 'tin foil hat' side of the equation that is at play.

In any case, for me trust was broken some time ago when socketed BIOS chips were removed from motherboards while UEFI with secure boot tried to lock me out of my own property.

Good luck to those that think "Windows 10 S" is a good idea...

[edited to add following]

Though it's good to see HP's AMT security bulletin, I'd have thought this document should be shown when clicking "Advisories" or "Bulletins and Notices" within the z210 Support page. Yet it's not.

RedRob71

Yes, I agree it is good that HP have responded to this. I have been more than happy with their service over the years - hopefully they will resolve this issue quickly. I suspect my machines are not affected - but suspecting is not knowing! Some of these machines will also be being used by the public after business desktop upgrades and sales via third parties. I suspect these users also do not know.

Tyth

Some models in the list show softpaq# sp80103. But there is no such sp80103 in the above softpaq ftp download links.

Does that mean there is no fix for those, or is this a mistake?

SDH

The "target available date" for that is 5/13/17, from the document you're looking at.  Today is 5/9.

Tyth

Thanks, my bad. I didn't look at the target date column.
