Tuesday, 21 May 2019

Weak Intel AMT security lets hackers hijack corporate comps - research

13 January 2018

Following on the heels of the revelations of the Meltdown and Spectre vulnerabilities plaguing decades of Intel's processors, a new flaw in the Active Management Technology (AMT) has left Intel in even more hot water among the cybersecurity community.

According to F-Secure, this issue affects most corporate laptops and PCs running Intel AMT.

"The attack is nearly deceptively simple to enact, but it has incredible destructive potential," Harry Sintonen, a senior security consultant at F-Secure, says in a news release.

"In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures", he added.

Intel AMT is a solution for remote access monitoring and maintenance of corporate-grade personal computers, created to allow IT departments or managed service providers to better control their device fleets.

An attacker who has logged in with the default password can then change the password, enable remote access and set the user's opt-in to "None".

Attackers don't need access to credentials to do this and, because the flaw is in AMT, millions of laptop users could be at risk around the world.

The setup is simple: an attacker starts by rebooting the target's machine, after which they enter the boot menu.

From the boot menu, any attacker can log into Intel Management Engine BIOS Extension (MEBx) using the default password "admin", as this default is probably unchanged on most corporate laptops. To fix this, in most cases the individual machines must be physically accessed and either have the AMT default password changed or have the suite disabled altogether.

"Organizations with Microsoft environments and domain connected devices can also take advantage of the System Center Configuration Manager to provision AMT", said F-Secure.

Although the initial attack requires physical access to the device, Sintonen explained that the speed with which it can be done makes it relatively exploitable in a so-called "evil maid" scenario.

"If you leave your laptop in your hotel room while you go out for a drink, an attacker can break into your room and configure your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel", he said.

Intel AMT is the software that sits on top of the Intel Management Engine (ME) and is supposed to allow IT administrators to gain out-of-band remote access to computers in a network.

F-Secure's Sintonen, however, wasn't the only security researcher to unearth the problem.

Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and BitLocker PINs to break into nearly any corporate laptop in a matter of 30 seconds or so, according to security firm F-Secure.

However, F-Secure believes that the "pure simplicity of exploiting this particular issue sets it apart from previous instances".

This issue has largely been under the radar of most enterprises because it has no CVE number, security update or new version available, but it affects major suppliers and a large number of laptops.

The issue allows a local intruder to backdoor nearly any corporate laptop in a matter of seconds, even if the BIOS password, TPM PIN, BitLocker and login credentials are in place. Normally, on any system for which a BIOS password has been set, users cannot continue to boot the system until they have entered the BIOS password.

Intel AMT is commonly found on computers using Intel vPro-enabled processors as well as platforms based on some Intel Xeon processors.
