For this NTP check to happen, you must be using a computer with Intel MEBX and an Intel AMT-enabled network adapter, and the network adapter must be configured with network information to use. You have to do this manually initially, although of course later you can configure AMT using AMT.
This isn't something your consumer computer is doing automatically, in fact, your computer is almost certainly not capable because it lacks an AMT-capable NIC. I suspect the software capability is baked into ME itself rather than the AMT component so it's probably present in your ME, but it's not doing anything without an AMT NIC to communicate with.
This is the kind of feature that you pay an extra $1k for when you configure your $20k server.
> This is the kind of feature that you pay an extra $1k for when you configure your $20k server.
We have ~$400 Sandy Bridge workstations at work that have separate AMT enabled NICs. You don't have to spend $1k for the feature; here's a vPro enabled board for $100:
Not specifically ME but yeah Baseboard Management Controllers and IPMI modules have been a thing for a long time. Most real server motherboards have them or have the facilities in place to accept them as an add-on module. It's not even just stuff in the $20k range; this $450 mini itx 8-core Atom-based storage server board has it: http://www.asrockrack.com/general/productdetail.asp?Model=C2... and it comes with a web-based IPMI console. You can turn the power on and watch it POST with a java web screen viewer, sending it keys as if you were sitting there.
Dell's add-in card to do out-of-band management is called the DRAC and it's been optional in their servers for about 17 years: https://en.m.wikipedia.org/wiki/Dell_DRAC
The example in the first link is especially depressing, because they found an integer overflow vulnerability in a code file that started with this warning comment:
/*
Caution: This module requires additional review when
modified.
This driver will have external input − capsule image.
This external input must be validated carefully
to avoid security issue like buffer overflow, integer
overflow. */
And of course, later someone came along and added an integer overflow.
ISBN 9781430265719: "To get the current date/time information, the EPID manager requests a real-time OCSP (Online Certificate Status Protocol) response from a trusted OCSP server, which was endorsed by Intel. The response contains the current date/time. The EPID manager saves the date/time (baseline) in a file in the kernel’s secure storage and calls the kernel’s Start timer function that starts the timer. Later, when the EPID manager is verifying the validity period of a certificate, it calls the Get current timer value function and calculates the current date/time by adding the kernel’s returned value to the baseline. The EPID manager requests a new real-time OCSP response every 30 days to calibrate its timer."
Tangental, but interesting in a The-Dystopian-Future-Is-Now! sense: "The endorsement key initially placed in security fuses may be revoked by the TPM2_ChangeEPS command introduced in TPM 2.0. In this case, the TPM must generate a new endorsement key pair, store it in nonvolatile memory, and remember not to use the one in the security fuses in the future. The TPM task uses a field programmable fuse for the purpose of saving the revocation status of the endorsement key in fuses."
The fuses are blown when the chip is manufactured to encode a _pre-calculated_ 2048-bit rsa key-pair, selected from a giant collection which intel generated en-mass to have some properties that allow the two 1024-bit primes to be encoded using only 272 bits each (if I'm reading it right):
"The TPM on the security and management engine features a preinstalled endorsement key (2048-bit RSA). The endorsement key is required to be unique per hardware part. Because of its uniqueness, the endorsement key cannot simply be hard-coded in the firmware, which is the same on all parts. Instead, hundreds of millions of endorsement keys are pregenerated. During Intel’s manufacturing process, different key materials are burned to the platform’s security fuses for all parts, respectively. Note that key materials are not the key value. [...] This algorithm is implemented by the key generation facility and not the TPM
firmware."
Heck, it would be big news even if this applied only to the x230. Or even if it only applied to some x230s. It means there's a somewhat modern x64 laptop on which the ME can be disabled.
As much as people are freaked out by the capabilities of ME, I really like the concept of AMT.
I built a headless compile-slave box recently, and was looking forward to using AMT features to manage it and keep it headless, but found out too late that the board I ordered didn't have AMT support. Now, whenever its fragile boot-stack of GRUB+iSCSI+Xen+LVM decides to wedge into single-user mode on a reboot, I have to power the box off and carry it over to a monitor to see what's wrong. I'd much rather just fix it from my laptop.
These kinds of features are standard for servers and nobody bats an eye ("out of band management"). You need them unless you want to attach a remote KVM to every single server. AMT is just that - out of band management. Intel's implementation is a lot more secure than, say, SuperMicro IPMI which had its fair share of issues.
You can disable SuperMicros IPMI though by pulling out the PCI card, though :-)
Why can't you attach a serial console? This will help with any problems that still let you get to grub (BIOS Setup likely doesn't support UI over serial, unless it's a server-like machine).
Once you have a serial console, you can either just plug the cable into your laptop (likely through USB-attached serial port) or set up a small second box (that just runs an ssh daemon and has something like picocom installed) and connect it to that. Then you'll have access over the network.
The capabilities of an out-of-band management system are much, much greater than the serial console offers. BIOS and UEFI configuration are an obvious case, but you also use out-of-band management to bail yourself out of situations where the OS is unresponsive or unbootable, and to take many other management actions that would normally require physical access.
Serial consoles don't help if the box is properly wedged, or has eaten its own bootloader. With a good out of band management system, you can install an OS remotely, with disks on the session driving it appearing as local disks to the machine. Or, you can power off a box as needed, power it on, reconfigure raid cards, etc. A remote serial console is very limited in comparison.
That's pretty crazy to think there's a sub-ring-0 rootkit running on your CPU contacting NTP servers without your knowledge.
Does that work over wifi (where does it get the WPA password from)?
Where does it get an IP address? Does it leech off the host's DHCP IP by intercepting ethernet packets?
Is there any way to fingerprint the traffic? TTLs, sequence numbers, etc?
It'd be interesting to run a system behind a router for a while while logging all ME traffic...