Intel AMT Security Issue Lets Attackers Bypass Login Credentials in Corporate Laptops

Alfred Osborne
January 13, 2018

The changes can be made in under a minute, according to F-Secure.

Harry Sintonen, the F-Secure security consultant who investigated the issue, said that the security gap was "almost deceptively simple to exploit" and noted that it could have "incredible destructive potential". The amount of time required to execute the attack is so short that even a notebook or desktop computer left unattended for a few minutes could be compromised in what security researchers refer to as an "evil maid" attack, or in this case an evil barista, co-worker, fellow airline or train passenger, or anyone else with a few minutes of unhindered access to the computer.

Last month, Intel issued a 4-page PDF, Security Best Practices of Intel Active Management Technology Q&A, that addresses the MEBx default password problem, amongst other security risks.

The essence of the security issue is that setting a BIOS password, which normally prevents an unauthorized user from booting up the device or making low-level changes to it, does not prevent unauthorized access to the AMT BIOS extension.

"This allows an attacker access to configure AMT and makes remote exploitation possible", said Sintonen.

However, on AMT machines, the attacker can select Intel's Management Engine BIOS Extension (MEBx) and log in using the default password "admin".

"Organizations with Microsoft environments and domain connected devices can also take advantage of the System Center Configuration Manager to provision AMT", said F-Secure. Access to the device may also be possible from outside the local network via an attacker-operated CIRA (client-initiated remote access) server.

Intel AMT is a feature of Intel CPUs that allows system administrators of larger networks to perform remote out-of-band management of personal computers in order to monitor, maintain, update, or perform upgrades from afar, without physical access to devices.


AMT is no stranger to security weaknesses, with many other researchers finding multiple flaws within the system, but Sintonen's discovery surprised even him.

F-Secure, the security software and services company that claims to have uncovered the flaws, attributes them to a string of insecure default settings found in Intel AMT.

However, F-Secure believes that the "pure simplicity of exploiting this particular issue sets it apart from previous instances". They warned that millions of laptops may now be vulnerable to exploitation.

Details of the vulnerability - which can lead to a clean device being compromised in under a minute and can bypass the BIOS password, TPM PIN, BitLocker and login credentials - have been outlined by researchers at F-Secure. If the system's manufacturer has followed Intel's recommendation to protect the Intel MEBx menu with the system BIOS password, this physical attack is mitigated.

Intel AMT is commonly found on computers using Intel vPro-enabled processors as well as platforms based on some Intel Xeon processors.

If the MEBx password is already set to an unknown value, consider the device suspect.

Install firmware updates correcting the issue on all affected devices as soon as they become available.

Although solid operations security is the first step (don't ever leave your laptop unwatched in an insecure location!), there are some basic safeguards all IT departments should implement.
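As an added defender-side example (not code from the article, F-Secure or Intel), the following Python inventory script finds hosts on your own network that answer on the AMT web interface, so each can be checked for the MEBx password and firmware issues described above. It assumes, from Intel's documentation rather than this article, that the AMT web UI listens on TCP 16992 (HTTP) and 16993 (HTTPS) and answers an unauthenticated request with a 401 carrying a Digest challenge and a Server header naming Intel(R) Active Management Technology; the function and field names are the example's own.

```python
import http.client
import re
import ssl
from dataclasses import dataclass
from typing import Optional

# Assumed, not stated in the article: AMT web UI ports (port -> uses TLS).
AMT_PORTS = {16992: False, 16993: True}
_SERVER_RE = re.compile(r"Active Management Technology\s*([\d.]*)", re.I)
_REALM_RE = re.compile(r'realm="([^"]*)"')

@dataclass
class AmtFinding:
    host: str
    port: int
    version: str  # from the Server header, "" if absent
    realm: str    # Digest realm from the challenge, "" if absent

def classify(host: str, port: int, status: int, headers: dict) -> Optional[AmtFinding]:
    """Classify one HTTP reply. Requires both a 401 and an Intel AMT Server
    header, so an ordinary Digest-protected web server is not reported."""
    lower = {k.lower(): v for k, v in headers.items()}
    srv = _SERVER_RE.search(lower.get("server", ""))
    if status != 401 or srv is None:
        return None
    realm = _REALM_RE.search(lower.get("www-authenticate", ""))
    return AmtFinding(host, port, srv.group(1), realm.group(1) if realm else "")

def probe(host: str, port: int, timeout: float = 3.0) -> Optional[AmtFinding]:
    """One unauthenticated GET / against a host; no login is attempted."""
    if AMT_PORTS[port]:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # AMT's default certificate is self-signed
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify(host, port, resp.status, dict(resp.getheaders()))
    except (OSError, http.client.HTTPException):
        return None  # closed port, timeout, TLS failure or non-HTTP service
    finally:
        conn.close()

def sweep(hosts) -> list:
    """Probe each host on both AMT ports and return the positive findings."""
    return [f for h in hosts for p in AMT_PORTS if (f := probe(h, p)) is not None]
```

Run sweep() over your asset list; every finding is a device whose MEBx settings should be verified.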
