Security issue in Intel’s Active Management Technology (AMT) allows to gain full remote access to corporate devices

Pierluigi Paganini January 12, 2018

Security researchers from F-Secure have discovered a new issue in Intel’s Advanced Management Technology (AMT) implementation that can be exploited by remote attackers to access most of the corporate laptops.

Intel is the middle of a tempest, after the discovery of the Meltdown and Spectre attacks, security researchers have discovered a new vulnerability in Intel’s Advanced Management Technology (AMT) implementation that can be exploited by remote attackers to access most of the corporate laptops in a few seconds, millions of devices are potentially exposed to attacks.

The vulnerability in the Intel hardware was discovered by the experts at the security firm F-Secure, the issue affects the Intel Active Management Technology (AMT) that is a hardware and firmware technology for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them.

It is implemented at chip-level and doesn’t depend on software or an operating system.

“In July 2017 Harry Sintonen, one of F-Secure’s Senior Security Consultants, discovered unsafe and misleading default behaviour within Intel’s Active Management Technology (AMT).” reads the analysis published by F-Secure.

“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” Sintonen says.

The attack could be exploited to gain full remote access to a corporate network without specific skills.

The vulnerability could be exploited by attackers with physical access to the affected machine to bypass the authentication (i.e. login credentials, BIOS and BitLocker passwords, and TPM pin codes) and enable remote administration for post-exploitation.

This means that even protecting the BIOS with a password it is possible to access the AMT BIOS extension, the Intel Management Engine BIOS Extension (MEBx), the default ‘admin’ password will give the attacker access to AMT.

Active Management Technology

The attack scenario sees attackers have physical access to a machine to boot up the device by pressing CTRL-P during the process, and log in to MEBx with ‘admin’.

“The setup is simple: an attacker starts by rebooting the target’s machine, after which they enter the boot menu. In a normal situation, an intruder would be stopped here; as they won’t know the BIOS password, they can’t really do anything harmful to the computer.” continues the analysis published by F-Secure.

“In this case, however, the attacker has a workaround: AMT. By selecting Intel’s Management Engine BIOS Extension (MEBx), they can log in using the default password “admin,” as this hasn’t most likely been changed by the user. By changing the default password, enabling remote access and setting AMT’s user opt-in to “None”, a quick-fingered cyber criminal has effectively compromised the machine.”

Once enabled the remote access the attacker can gain access to the system remotely it is able to share the same network segment with the victim.

Yes, I imagine you telling me that the exploitation needs physical proximity, but F-Secure researchers pointed out that it is not so complicated for skilled attackers powering the Evil Maid attack.

“Attackers have identified and located a target they wish to exploit. They approach the target in a public place – an airport, a café or a hotel lobby – and engage in an ‘evil maid’ scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time – the whole operation can take well under a minute to complete,” Sintonen says.

The experts also provided recommendations to mitigate the attacks.

In order to prevent Evil Maid attacks, the experts suggest enabling AMT only for those devices that require it, and anyway use string passwords for each device.

“The system provisioning process needs to be updated to include setting a strong password for AMT, or disabling it completely if possible. IT should also go through all currently deployed machines, and organize the same procedure for them. Intel’s own recommendations for using AMT in a secure manner follow similar logic.” concludes F-Secure. 

Below the video (Italian Language) I published to explain the issue

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Active Management Technology, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment