Disable Intel AMT/ME ports

Hi!
I am running LEDE 17.01.4 on my beloved TP-Link 1043nd v.1

I want to disable all AMT/ME ports because I use a vPro platform for personal use and will never be at risk of being spied on.
I am using a VPN provider (desktop app), but as far as I know AMT/ME bypasses that as some sort of low-level network interface (https://www.scivision.co/intel-amt-vpro-kvm-port-forwarding-necessary/). So I need to block the ports on my router to be safe.

The ports I found so far:
9971 By default, Intel SCS (a component of the OOB site server) listens on port 9971. Intel AMT devices send their Hello packets to this port.

16992 Intel® AMT HTTP

16993 Intel® AMT HTTPS Used for WS-Management messages to and from Intel AMT when TLS is enabled. See Transport Layer Security.

16994 Intel® AMT Redirection/TCP

16995 Intel® AMT Redirection/TLS

623 ASF Remote Management and Control Protocol (ASF-RMCP)

664 DMTF out-of-band secure web services management protocol
ASF Secure Remote Management and Control Protocol (ASF-RMCP)

5900 VNC (Virtual Network Computing) - remote control program

Can someone create a set of firewall rules that drop all traffic on these ports, for local ports as well as WAN traffic, so we can all stay safe after the publication of the various Intel ME/AMT vulnerabilities?

Thank you very much.

This WAN to LAN traffic is blocked by default.

If you want to block LAN to WAN, this rule is not specific to these ports; creating block rules is covered in the manual: https://openwrt.org/docs/guide-user/firewall/firewall_configuration

config rule
	option src 'lan'
	option dest 'wan'
	# you didn't specify TCP or UDP, so I used both below
	option proto 'tcpudp'
	# port the remote service listens on
	option dest_port '<PORT_NUMBER>'
	option target 'DROP'

There are many wild vulnerabilities in the computing world, I'm not sure it's necessary to post block rules for every one. The manual specifies how to make firewall rules.

While blocking the ports on the OpenWRT router is not a bad idea, if this concerns you, remember that the VPN traffic is "opaque" to the router. This is really a desktop-hardening question as the VPN provides an "open pipe" to its remote portal.

I'd look to see if you can disable AMT/ME, especially if it bypasses the OS and interacts with the network directly. An internet search reveals several possible references on this, such as

https://software.intel.com/en-us/forums/intel-business-client-software-development/topic/563988

which links to

https://mattermedia.com/blog/disabling-intel-amt/

https://downloadcenter.intel.com/download/26755?v=t

Perhaps also of interest is

https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/

Edit: See also


Thanks for your advice. The only way to disable the ME chip is to flash a custom firmware using me_cleaner. But there is no guarantee your device will ever boot again, so I won't do that.

For now I prefer to block all ports used by AMT as stated above. I used the script provided by lleachii, as I am no IT professional and don't fully understand the manual. I still want to block the WAN>LAN ports for peace of mind. Are the rules between the asterisks right? Are there any spaces too many or missing?
Verification by a specialist would be very helpful.

config redirect
	option src 'lan'
	option dst 'wan'
	option proto 'all'
	option src_port '9971, 16992:16995, 623, 664'
	option target 'DROP'
	option src 'wan'
	option dst 'lan'
	option proto 'all'
	option src_port '9971, 16992:16995, 623, 664'
	option target 'DROP'

Or should there be a space between the 2 rules?
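As an added example (not code from this thread or from OpenWrt), here is a small POSIX shell script that prints two complete `config rule` sections for /etc/config/firewall, one per direction, covering the ports listed at the top of the thread. It uses the keys the firewall actually understands for a block rule: `config rule` (a `config redirect` is a port forward), `dest` rather than `dst`, a space-separated port list with no commas, and `dest_port`, which is where the AMT listener or its provisioning server accepts connections. The zone names `lan`/`wan` are the OpenWrt defaults; the rule names are my own.

```shell
#!/bin/sh
# Added example: generate OpenWrt 'config rule' sections that DROP the
# Intel AMT/ME ports listed in this thread, in both directions. Append the
# output to /etc/config/firewall and run '/etc/init.d/firewall reload'.

# Ports from the thread: ASF-RMCP (623), DMTF OOB (664), VNC (5900), SCS hello
# (9971), AMT HTTP/HTTPS (16992/16993), AMT redirection TCP/TLS (16994/16995).
# UCI takes a space-separated list here, not a comma-separated one.
AMT_PORTS='623 664 5900 9971 16992 16993 16994 16995'

# Emit one firewall rule section.
#   $1 rule name (constructed)  $2 source zone  $3 destination zone  $4 ports
# Blocking is done with 'config rule', not 'config redirect' (DNAT/forwards).
# The destination zone key is 'dest' and the ports are matched on 'dest_port',
# the side the management service listens on. A port match only works with a
# tcp/udp proto; with 'all' the port option is silently useless.
emit_rule() {
    printf "config rule\n"
    printf "\toption name '%s'\n" "$1"
    printf "\toption src '%s'\n" "$2"
    printf "\toption dest '%s'\n" "$3"
    printf "\toption proto 'tcpudp'\n"
    printf "\toption dest_port '%s'\n" "$4"
    printf "\toption target 'DROP'\n"
    printf "\n"
}

# Two separate sections, each with its own 'config rule' header:
# AMT calling out to a management server (lan -> wan), and anything on the
# WAN reaching an AMT listener (wan -> lan). The second duplicates the default
# wan->lan REJECT policy, which is the "peace of mind" rule asked for above.
amt_block_rules() {
    emit_rule 'Drop-AMT-lan-to-wan' lan wan "$AMT_PORTS"
    emit_rule 'Drop-AMT-wan-to-lan' wan lan "$AMT_PORTS"
}

# Sanity check before appending: number of rule sections generated.
rule_count() {
    amt_block_rules | grep -c '^config rule'
}

# On the router: amt_block_rules >> /etc/config/firewall
amt_block_rules
```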