Security issue in Intel’s Active Management Technology (AMT) allows attackers to gain full remote access to corporate devices

Security researchers from F-Secure have discovered a new issue in Intel’s Active Management Technology (AMT) implementation that can be exploited by attackers to gain full remote access to most corporate laptops.

Intel is in the middle of a tempest: shortly after the discovery of the Meltdown and Spectre attacks, security researchers have discovered a new vulnerability in Intel’s Active Management Technology (AMT) implementation that can be exploited by attackers to gain remote access to most corporate laptops in a few seconds. Millions of devices are potentially exposed to attacks.

The vulnerability in the Intel hardware was discovered by experts at the security firm F-Secure. The issue affects Intel Active Management Technology (AMT), a hardware and firmware technology for remote out-of-band management of personal computers, used to monitor, maintain, update, upgrade, and repair them.

It is implemented at the chip level and does not depend on software or on the operating system.

“In July 2017 Harry Sintonen, one of F-Secure’s Senior Security Consultants, discovered unsafe and misleading default behaviour within Intel’s Active Management Technology (AMT).” reads the analysis published by F-Secure.

“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” Sintonen says.

The attack could be used to gain full remote access to a corporate network without requiring specific skills.

The vulnerability could be exploited by attackers with physical access to the affected machine to bypass the authentication (i.e. login credentials, BIOS and BitLocker passwords, and TPM pin codes) and enable remote administration for post-exploitation.

This means that even when the BIOS is protected with a password, it is still possible to access the AMT BIOS extension, the Intel Management Engine BIOS Extension (MEBx); the default ‘admin’ password will then give the attacker access to AMT.

In the attack scenario, an attacker with physical access to the machine reboots it, presses CTRL-P during the boot process to enter MEBx, and logs in with the default password ‘admin’.

“The setup is simple: an attacker starts by rebooting the target’s machine, after which they enter the boot menu. In a normal situation, an intruder would be stopped here; as they won’t know the BIOS password, they can’t really do anything harmful to the computer.” continues the analysis published by F-Secure.

“In this case, however, the attacker has a workaround: AMT. By selecting Intel’s Management Engine BIOS Extension (MEBx), they can log in using the default password “admin,” as this most likely hasn’t been changed by the user. By changing the default password, enabling remote access and setting AMT’s user opt-in to “None”, a quick-fingered cyber criminal has effectively compromised the machine.”

Once remote access has been enabled, the attacker can reach the system remotely as long as they are on the same network segment as the victim.

Yes, I can imagine you objecting that the exploitation requires physical proximity, but F-Secure researchers pointed out that this is not so complicated for skilled attackers carrying out an Evil Maid attack.

“Attackers have identified and located a target they wish to exploit. They approach the target in a public place – an airport, a café or a hotel lobby – and engage in an ‘evil maid’ scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time – the whole operation can take well under a minute to complete,” Sintonen says.

The experts also provided recommendations to mitigate the attacks.

In order to prevent Evil Maid attacks, the experts suggest enabling AMT only on those devices that require it and, in any case, setting a strong AMT password on each device.

“The system provisioning process needs to be updated to include setting a strong password for AMT, or disabling it completely if possible. IT should also go through all currently deployed machines, and organize the same procedure for them. Intel’s own recommendations for using AMT in a secure manner follow similar logic.” concludes F-Secure.
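As an added example (not code from the article or from F-Secure), the following Python helper supports the inventory step F-Secure recommends: it probes each host's AMT web interface on port 16992 and lists the machines where AMT answers, so IT can go through them and set a strong MEBx/AMT password or disable AMT. The Server header format and the sample replies are assumptions constructed for this example, not values from the article.

```python
"""Fleet audit helper: find hosts whose Intel AMT web interface is listening.

Added example, not part of the original article or F-Secure's research.
Assumption: an enabled, provisioned AMT answers HTTP on port 16992 (16993 is
the TLS variant, not probed here) with a 401 and a header of the form
"Server: Intel(R) Active Management Technology <version>".
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

AMT_HTTP_PORT = 16992
SERVER_RE = re.compile(r"Intel\(R\) Active Management Technology\s*([\d.]+)?", re.I)


@dataclass
class AmtFinding:
    host: str
    port: int
    enabled: bool
    version: Optional[str] = None


def classify_response(host: str, port: int, raw: bytes) -> AmtFinding:
    """Decide from a raw HTTP reply whether the port belongs to an AMT listener."""
    text = raw.decode("latin-1", errors="replace")
    match = SERVER_RE.search(text)
    if not match:
        return AmtFinding(host, port, enabled=False)
    return AmtFinding(host, port, enabled=True, version=match.group(1))


def probe_host(host: str, port: int = AMT_HTTP_PORT, timeout: float = 2.0) -> AmtFinding:
    """Connect to one host, send a minimal GET, classify the reply (no credentials sent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            raw = sock.recv(4096)
    except OSError:  # closed port, filtered, or no route: treat as "AMT not reachable"
        return AmtFinding(host, port, enabled=False)
    return classify_response(host, port, raw)


# Constructed sample replies for offline use; version and realm are placeholders.
SAMPLE_AMT_REPLY = (b"HTTP/1.1 401 Unauthorized\r\n"
                    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
                    b'WWW-Authenticate: Digest realm="Digest:PLACEHOLDER"\r\n\r\n')
SAMPLE_OTHER_REPLY = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"


def audit(hosts: Iterable[str], probe: Callable[[str], AmtFinding] = probe_host) -> List[AmtFinding]:
    """Return the hosts whose AMT interface is reachable and therefore needs provisioning review."""
    return [finding for finding in map(probe, hosts) if finding.enabled]
```

Hosts returned by `audit()` are the ones to revisit in the provisioning process; a host that does not answer may still have AMT enabled but unprovisioned, so this is a first pass, not proof of absence.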

Below is the video (in Italian) I published to explain the issue.


Pierluigi Paganini

(Security Affairs – Active Management Technology, hacking)

