65

I was reading this question on the Stack Exchange Workplace community, and it indicates that an IT team was able to prevent a user from turning their laptop on (power on).

> My laptop access has been shut off (IT somehow remotely shut it down, it won't power on), company cell doesn't work, can't access e-mail via webmail.

I know that an IT system administrator can prevent a user from logging in. But, is this possible?
If it is, what are technologies that can be used to do something like this?

Linked question: https://workplace.stackexchange.com/q/166838/86347

Peter Mortensen
DxTx
  • Someone (@TymoteuszPaul) commented on the original post - "You can lock corporate devices if the company cares enough. For mobile devices like phones you can do it on software level where you have remote to lock it (so they won't even start), and for laptops you would usually have to install a chip (or buy laptop with one). This is normally installed in case of theft, but works as well at locking out an employee, which seems to be the case here." – DxTx Nov 16 '20 at 07:30
  • 10
  • 1
    @BobJarvis-ReinstateMonica I was about to flag your comment for removal, as I thought it pertained to other comments that have since been deleted. But I tend not to flag unless I'm quite sure as to what is going on. Then, after an embarrassingly long delay, I finally got it. Thank you for the smile. :) – RockPaperLz- Mask it or Casket Nov 19 '20 at 04:49

2 Answers

81

Out-of-band management

Intel Management Engine and AMD DASH are separate microprocessors that remotely manage enterprise PCs. They run with Ring -3 privilege on the machine and run outside of the host OS.

It can lock stolen devices, remotely erase data, track location, wake on LAN and wake on wireless LAN, control the host OS and detect third-party live USB boots.

It is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system. [1]

As it requires a power source, in enterprise desktops keeping the switch on is enough for the motherboard to draw power, as shutting down the host OS does not shut down the AC power supply to the power supply unit of the motherboard.

There is no way to disable it from UEFI. Removing the microprocessor or modifying its firmware, which is stored in UEFI, will prevent the system from booting. Disabling secure boot or using custom UEFI keys will not disable its firmware verification.

This is how Intel verifies it; AMD's implementation could be different:

> The ME firmware is verified by a secret boot ROM embedded in the chipset that first checks that the SHA256 checksum of the public key matches the one from the factory, and then verifies the RSA signature of the firmware payload by recalculating it and comparing to the stored signature. This means that there is no obvious way to bypass the signature checking, since the checking is done by code stored in a ROM buried in silicon, even though we have the public key and signature. [1]

Once stolen devices are locked, they don't respond to the power button signal. In old motherboards with BIOS, they used to respond but immediately shut themselves down.

Consumer PCs also have the Intel Management Engine microprocessor and the Intel Management Engine Interface driver pre-installed in Windows, but the Intel Active Management Technology software is not installed by OEMs in consumer PCs.


> Can it be reversed, or will this brick the device?

If the device is locked by the remote administrator, they can unlock it using wake on LAN and a specific unlock instruction to the chip. This is how my organisation used to handle enterprise laptops with sensitive data. The chip is bound to its firmware in UEFI, hardcoded with the chipmaker's public key and is probably hardwired to the motherboard in order to brick the device if the chip is removed. Intel is secretive about its implementation.

That didn't stop researchers from partially disabling it through its firmware:

Disable Intel’s Backdoor On Modern Hardware (2020)

Researchers discovered an undocumented configuration setting that can be used to disable the Intel ME master controller that has been likened to a backdoor. (2017)


Out-of-band management

[1] Intel x86s hide another CPU that can take over your machine (you can't audit it)

defalt
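The two-step check described in the quoted passage (pinned SHA-256 of the public key, then RSA signature over the firmware payload), as an added example that is not part of the original answer and not Intel's code. It assumes textbook RSA without padding and toy keys built from Mersenne primes; all function and variable names are hypothetical.

```python
import hashlib


def make_key(p, q, e=65537):
    """Textbook RSA key (n, e, d) from two primes; toy construction."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def key_fingerprint(n, e):
    """SHA-256 over the public key: the value the boot ROM has pinned."""
    blob = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.sha256(blob).digest()


def digest_int(payload):
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def sign(payload, n, d):
    """Signer side: needs the private exponent d."""
    return pow(digest_int(payload), d, n)


def rom_verify(pinned_fp, n, e, payload, sig):
    """Boot ROM side: check the key first, then the signature."""
    if key_fingerprint(n, e) != pinned_fp:
        return "reject: public key does not match pinned hash"
    if pow(sig, e, n) != digest_int(payload):
        return "reject: signature does not match firmware payload"
    return "boot"


# Constructed sample data: Mersenne primes stand in for real key material.
VENDOR_N, VENDOR_E, VENDOR_D = make_key(2**521 - 1, 2**607 - 1)
OTHER_N, OTHER_E, OTHER_D = make_key(2**127 - 1, 2**1279 - 1)
PINNED = key_fingerprint(VENDOR_N, VENDOR_E)   # fixed at the factory
FIRMWARE = b"constructed firmware image"
SIGNATURE = sign(FIRMWARE, VENDOR_N, VENDOR_D)
MODIFIED = FIRMWARE + b" with one changed byte"

if __name__ == "__main__":
    # Genuine image with the vendor's key and signature.
    print(rom_verify(PINNED, VENDOR_N, VENDOR_E, FIRMWARE, SIGNATURE))
    # Modified image, original key and signature: step 2 fails.
    print(rom_verify(PINNED, VENDOR_N, VENDOR_E, MODIFIED, SIGNATURE))
    # Modified image re-signed with a different key: step 1 fails.
    resigned = sign(MODIFIED, OTHER_N, OTHER_D)
    print(rom_verify(PINNED, OTHER_N, OTHER_E, MODIFIED, resigned))
```

Knowing the public key and a valid signature is not enough to pass either step: a changed payload needs the private exponent to re-sign, and a substituted key pair fails the pinned-hash comparison before its signature is even examined.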
  • 7
    Can it be reversed, or will this brick the device? – marcellothearcane Nov 16 '20 at 16:28
  • @marcellothearcane: It can be jumpered on but the CPU probably won't work. I'd be guessing at exactly which piece of silicon needs to be wiped to restore it to operation. – Joshua Nov 16 '20 at 17:16
  • Is disabling a PC issued to somebody who is still a legitimate member of staff actually legal (in the USA)? Surely if there are restrictions on clandestine keyloggers etc., and particularly if there's no absolute prohibition on using it for non-company business (accessing personal bank accounts etc.) then locking the designated user out without warning is unreasonable? – Mark Morgan Lloyd Nov 16 '20 at 19:11
  • 5
    @Mark Morgan Lloyd I'm not sure about its legal side. The ownership and subject of use of enterprise PCs are bound by the employee's agreement. Intel AMT is unavailable for consumer PCs (not available in UEFI settings). – defalt Nov 16 '20 at 19:30
  • 1
    @defalt Note that the IME chip is still there, so in theory you could still activate similar functionality. (It's probably fairly difficult, or I'd expect the malware to already have been released… but then again, that kind of access would let you exfiltrate arbitrary data from RAM without anyone noticing, so would the people to discover it _really_ use it for “lolz”?) – wizzwizz4 Nov 16 '20 at 19:50
  • 2
    @MarkMorganLloyd legal - very likely, company owns and controls the hardware. Now whether it is reasonable is something entirely different, and rarely related to whether it's legal or not ;). Also a great answer! – Tymoteusz Paul Nov 16 '20 at 19:58
  • @MarkMorganLloyd: I don’t see why it would be illegal, the device remains the property of the company, it’s no different than saying you can’t come into the office. There is a huge difference between this and a key logger, as it is not used to gain access to potentially private information. The user may be denied access to something, but it’s not the owner’s responsibility to provide them with such access. For instance, if this is their only computing device, they would have limited or no access to online resources, but what would obligate the company to provide such access? – jmoreno Nov 17 '20 at 03:53
  • Doesn't Intel call it secure execution engine now? I believe M.E. is outdated. To be fair, it seems like calling TLS "SSL". Everyone does it, I'm just wondering what they call it these days. – marshal craft Nov 17 '20 at 20:28
  • Wouldn't it still be possible to take out and read the hard drive in a different machine? Or do they also store the hard drive encryption keys in that chip? – JonathanReez Nov 18 '20 at 04:56
  • 1
    @marshal craft Intel's secure enclave (Intel Software Guard Extensions) which is a TPM is different from Intel ME. Both are present in Intel motherboards. @JonathanReez Storage drive is always encrypted in enterprise PCs and cryptographic keys are stored by TPM. IME is like another user but with the highest privilege (`Ring` **-3**) on device. – defalt Nov 18 '20 at 05:29
  • @defalt, thank you for the detailed and informative answer. – DxTx Nov 19 '20 at 12:37
  • There is indeed a risk in locking a computer from powering. In a smart working environment where employees bring their work laptops home and will connect to a VPN it is nearly impossible to send a *magic LAN packet* to restore the laptop's functionality. You would have to either boot with a key loaded in a thumb drive or bring it to office facilities – usr-local-ΕΨΗΕΛΩΝ Nov 20 '20 at 14:42
13

defalt's answer is very good but additionally, keep in mind three things:

  1. Users are unreliable narrators and their definition of "it won't power on" is quite broad and may include the device starting but not being able to log on.

  2. MDM (Mobile Device Management) applies to laptops as well as mobile devices and tablets these days and most MDM systems have some way of making fully integrated "corporately owned" devices inoperative.

  3. Even without all that, even without OOB management, most sysadmins can push a script to run `rm /* -rf` or its Windows equivalent.

Rob Moir
  • 2
    Would it even need to 'rm -rf', wouldn't it be sufficient to just throw away the crypto key? – Harper - Reinstate Monica Nov 18 '20 at 22:02
  • @Rob, thank you for the answer. What does the command `rm /* -rf` do? – DxTx Nov 19 '20 at 12:39
  • 2
    @DxTx - probably got the syntax slightly wrong but it's a well known Unix trope that commands like that will wipe your whole drive system clean when run as admin. Not so sure it's true these days but you hopefully now see the point I was aiming for. – Rob Moir Nov 19 '20 at 12:41