Vladislav Kochelaevs - Fotolia
Insecure defaults in Intel’s Active Management Technology (AMT) allow an intruder to completely bypass login credentials in most corporate laptops in 30 seconds, researchers at security firm F-Secure have warned.
Although AMT vulnerabilities are not new, the researchers say this issue is particularly severe because it affects most Intel laptops, could enable an attacker to gain remote access for later exploitation, and is particularly easy to exploit.
Technically, this is not a vulnerability, the researchers said, but a combination of a default password, insecure default configuration and unexpected behaviour that affects most, if not all, laptops that support Intel Management Engine or Intel AMT.
“The security issue is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, senior security consultant at F-Secure, who investigated the issue after discovering it in mid-2017.
“In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” he added.
Intel AMT is designed to enable remote access monitoring and maintenance of corporate-grade personal computers, and is typically used by IT departments or managed service providers to manage devices.
Heart of the issue
At the heart of the security issue is the fact that setting a BIOS password, which normally prevents an unauthorised user from booting up the device or making low-level changes to it, does not prevent unauthorised access to the AMT BIOS extension.
“This allows an attacker access to configure AMT and makes remote exploitation possible,” said Sintonen. “To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup.”
This would allow any attacker to log into Intel Management Engine BIOS Extension (MEBx) using the default password “admin”, as this default is probably unchanged on most corporate laptops. The attacker then may change the default password, enable remote access and set AMT’s user opt-in to “none”.
The attacker could now gain remote access to the system from both wireless and wired networks, as long as they are able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA (client-initiated remote access) server.
Although the initial attack requires physical access, the speed at which it can be carried out makes it easily exploitable, said Sintonen.
“If you leave your laptop in your hotel room while you go out for a drink, an attacker can break into your room and configure your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel,” he said.
“And since the computer connects to your company VPN [virtual private network], the attacker can access company resources.”
A minute’s distraction
Sintonen said even a minute of distracting a target from their laptop at an airport or coffee shop is enough to enable an attacker to gain access to the target machine.
F-Secure has notified Intel, all relevant device manufacturers and the CERT-Coordination Center in the US about the security issue.
Although Intel recommends that suppliers require the BIOS password to provision Intel AMT and has produced a Q&A about security best practices for AMT, F-Secure said this and other Intel guides on AMT security have not had the desired effect on the real-world security of corporate laptops.
F-Secure said it has encountered this issue time and time again, and it needs to be addressed urgently because it is locally exploitable in practical situations, even when laptops have otherwise been completely hardened.
This issue has largely been under the radar of most enterprises because it has no CVE number, security update or new version available, but it affects major suppliers and a large number of laptops.
F-Secure said it is highlighting the issue to raise awareness so that organisations can mitigate the problem and improve security in the real world. It recommends that enterprises:
- Adjust the system provisioning process to include setting a strong AMT password, or disabling AMT completely, where possible.
- When ordering new devices, consider whether to order them without AMT, AMT disabled by default, or to provision AMT before enrolment.
- Go through all currently deployed devices and configure the AMT password or disable the functionality altogether.
- Consider as suspect any computer that has an AMT password already set to an unknown value and initiate appropriate incident response procedures.
- Install firmware updates correcting the issue on all affected devices as soon as they become available.
- Advise all end-users never to leave devices unmonitored in insecure locations.
Intel has responded by saying its “appreciates” the security research community calling attention to the fact that some system manufacturers have not configured their systems to protect Intel MEBx.
“We issued guidance on best configuration practices in 2015 and updated it in November 2017, and we strongly urge OEMs to configure their systems to maximise security,” the company said in a statement.
“Intel has no higher priority than our customers’ security, and we will continue to regularly update our guidance to system manufacturers to make sure they have the best information on how to secure their data,” it added.
Read more about Intel AMT security
- Software developed by the hacking group Platinum takes advantage of Intel AMT to bypass the built-in Windows firewall.
- An Intel AMT exploit needs attention in businesses of all sizes that run Intel-based PCs of “a certain age”.
- Servers may have been at risk of attack for years because of an Intel AMT security risk that was recently disclosed before manufacturers could patch.
- A vulnerability in Intel AMT enables attackers to gain remote access to PCs and devices.