Intel AMT Security Issue

Yet another nightmare for Intel users. This time it’s specific to the corporate world. Yes, you heard it right: this time an attacker only needs to find an IT employee carrying his or her office laptop, distract that person for a minute, and the attack can be carried out in under a minute. Is it really that simple? Game On !!

Intel is still trying to cope with its last publicly announced security vulnerabilities, Meltdown and Spectre, and here we are yet again with another blunder. In July 2017 Harry Sintonen, one of F-Secure’s Senior Security Consultants, discovered unsafe and misleading default behaviour within Intel’s Active Management Technology (AMT).

AMT is Intel’s proprietary solution for remote access, monitoring and maintenance of corporate-grade personal computers, allowing the corporate technical support team or managed service providers to support IT employees remotely via screen-share functionality. AMT security issues have existed in the past; this one, however, is more surprising because of its potential impact.

Issue

The issue allows a local intruder to backdoor almost any corporate laptop in a matter of seconds, even if a BIOS password, TPM PIN, BitLocker and login credentials are in place.

“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” Sintonen says.

Exploit

  1. A local attacker gains physical access to a corporate machine (desktop / laptop)
  2. Reboot or power on the machine and then press Ctrl + P
  3. This displays the Intel Management Engine BIOS Extension (MEBx) login screen
  4. The default password for MEBx is “admin”, which may be common on most corporate machines. Other passwords usually set by IT administrators include “admin@123”, “password” and “<company name>@123”
  5. Once the attacker logs in successfully, s/he can change the default password, enable remote access, and set AMT’s user opt-in to “NONE”
  6. The machine is now compromised!!

Once the attacker gains access to the same network segment as the victim (with a few additional steps to enable wireless access), the system will be accessible remotely. A video grab from F-Secure’s security consultant is here:

Recommendations

  • F-Secure, along with CERT, has notified Intel and all relevant device manufacturers about the security issue and urged them to address it urgently.
  • It’s now the onus of corporate employees to safeguard their respective corporate laptops while they are in public places such as airports, bus terminals, hotels, cafes and more.
  • IT administrators must set a strong password for AMT, or disable AMT completely if that functionality is not required, before handing systems over to employees
  • IT administrators must reset the AMT passwords to strong, unique passwords on all current systems with immediate effect
  • Most importantly: if the AMT password has been set to an unknown value on a user’s laptop, consider the device suspect and initiate incident response. First rule of cyber security? Never take unnecessary risks.
  • Organizations with Microsoft environments and domain-connected devices can also take advantage of System Center Configuration Manager to provision AMT.
  • Last but not least, follow Intel’s own recommendations for using AMT in a secure manner, which follow similar logic
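A small helper, added here as an illustration and not part of the original post or of Intel’s tooling, that an administrator could use to vet candidate MEBx/AMT passwords before provisioning. It encodes the MEBx strong-password rule as I recall it from Intel’s documentation (8 to 32 characters with upper-case, lower-case, digit and symbol; the characters `"` `,` `:` are not accepted), which is an assumption to verify against your MEBx version, and it rejects the weak values listed above as well as any password containing the organisation’s own name.

```python
import re

# Weak AMT/MEBx passwords named in the post; the "<company name>@123"
# pattern is caught separately by the company-name check below.
KNOWN_WEAK = {"admin", "admin@123", "password"}

# MEBx password rule (assumption: verify against your MEBx version):
# 8-32 characters, at least one upper-case, one lower-case, one digit,
# one symbol; the characters  "  ,  :  are not accepted by the console.
MIN_LEN, MAX_LEN = 8, 32
FORBIDDEN = set('",:')


def check_mebx_password(password: str, company: str = "") -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("missing upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("missing lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("missing digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("missing symbol")
    bad = FORBIDDEN & set(password)
    if bad:
        problems.append("contains characters MEBx rejects: " + "".join(sorted(bad)))
    lowered = password.lower()
    if lowered in KNOWN_WEAK:
        problems.append("matches a known default/weak AMT password")
    if company and company.lower() in lowered:
        problems.append("contains the company name")
    return problems


def is_acceptable(password: str, company: str = "") -> bool:
    """True when the candidate passes every check above."""
    return not check_mebx_password(password, company)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for pw in ["admin", "admin@123", "Acme@123", "Tr0ub4dor&3xample"]:
        print(pw, "->", check_mebx_password(pw, company="Acme") or "OK")
```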
