Intel AMT Security Issue Lets Attackers Bypass Login Credentials in Corporate Laptops

Alfred Osborne
January 13, 2018

The changes can be made in under a minute, according to F-Secure.

Harry Sintonen, the F-Secure security consultant who investigated the issue, said that the security gap was "almost deceptively simple to exploit" and noted that it could have "incredible destructive potential". The amount of time required to execute the attack is so short that even a notebook or desktop computer left unattended for a few minutes could be compromised in what security researchers refer to as an "evil maid" attack, or in this case, an evil barista, co-worker, fellow airline or train passenger, or anyone else with a few minutes of unhindered access to the computer.

Last month, Intel issued a 4-page PDF, Security Best Practices of Intel Active Management Technology Q&A, that addresses the MEBx default password problem, amongst other security risks.

The essence of the security issue is that setting a BIOS password, which normally prevents an unauthorized user from booting up the device or making low-level changes to it, does not prevent unauthorized access to the AMT BIOS extension.

"This allows an attacker access to configure AMT and makes remote exploitation possible", said Sintonen.

However, on AMT machines, the attacker can select Intel's Management Engine BIOS Extension (MEBx) and log in using the default password "admin".

"Organizations with Microsoft environments and domain connected devices can also take advantage of the System Center Configuration Manager to provision AMT", said F-Secure. Access to the device may also be possible from outside the local network via an attacker-operated CIRA (client-initiated remote access) server.

Intel AMT is a feature of Intel CPUs that allows system administrators of larger networks to perform remote out-of-band management of personal computers in order to monitor, maintain, update, or perform upgrades from afar, without physical access to devices.


AMT is no stranger to security weaknesses, with many other researchers finding multiple flaws within the system, but Sintonen's discovery surprised even him.

F-Secure, the security software and services company that claims to have uncovered the flaws, attributes them to a string of insecure default settings found in Intel AMT.

However, F-Secure believes that the "pure simplicity of exploiting this particular issue sets it apart from previous instances". They warned that millions of laptops may now be vulnerable to exploitation.

Details of the vulnerability - which can lead to a clean device being compromised in under a minute and can bypass the BIOS password, TPM PIN, BitLocker and login credentials - have been outlined by researchers at F-Secure. If the system's manufacturer has followed Intel's recommendation to protect the Intel MEBx menu with the system BIOS password, this physical attack would be mitigated.

Intel AMT is commonly found on computers using Intel vPro-enabled processors as well as platforms based on some Intel Xeon processors. If the password is already set to an unknown value, consider the device suspect.

Install firmware updates correcting the issue on all affected devices as soon as they become available.

Although solid operations security is the first step (don't ever leave your laptop unwatched in an insecure location!), there are some basic safeguards all IT departments should implement.
