Security shortcomings in Intel’s Active Management Technology (AMT) create a means for miscreants to bypass login credentials on corporate laptops.
Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to break into almost any corporate laptop in a matter of 30 seconds or so, according to security firm F-Secure. The issue, which can only be exploited given physical access to targeted laptop, is unrelated to the recent Spectre and Meltdown vulnerabilities.
The problem potentially affects millions of laptops globally.
AMT offers remote-access monitoring and maintenance of corporate-grade personal computers, allowing remote management of assets. Weaknesses in the tech have been discovered before (exampleshere andhere) but the latest flaw is nonetheless noteworthy because of the ease of exploitation. “The weakness can be exploited in mere seconds without a single line of code,” F-Secure reports.
Setting a BIOS password, which normally prevents an unauthorised user from booting up the device or making low-level changes to it, does not prevent access to the AMT BIOS extension. This allows an attacker access to configure AMT and make remote exploitation possible.
To run an exploit, all an attacker needs to do is power up the target machine and press CTRL+P during boot. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password “admin”, as thi is most likely unchanged on most corporate laptops. The attacker would then be free to change the default password, enable remote access and set AMT’s user opt-in to “None”.
At this point a hacker would be able to gain remote access to the system as long as they’re able to insert themselves onto the same network segment as the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.
How to remote hijack computers using Intel’s insecure chips: Just use an empty login string
The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, the senior security consultant at F-Secure who came across the flaw. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”
Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called “evil maid” scenario. “You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.”
Hacks in an airport or coffee shop might also be possible in cases where a prospective mark either leaves their system unattended or is distracted for a minute or two, perhaps by the accomplice of a hacker.
Sintonen and his colleagues at F-Secure have come across the issue repeatedly since early summer last year. A similar vulnerability, related to USB provisioning, was previously uncovered by CERT-Bund. The issue highlighted by F-Secure is distinct from that and otherrecent problems, the company confirmed, and relates to the insecure configuration and deployment of Intel AMT.
A large part of the problem is that enterprises are not following Intel’s guidance in practice, said F-Secure, adding that it was going public in order to draw attention to the issue.
“We discovered the issue this summer, and since discovering it, we have found it in thousands of laptops,” F-Secure told El Reg . “Despite there being information available for manufacturers on how to prevent this, manufacturers are still not following best practices, leaving vast numbers of vulnerable laptops out there. Organisations and users are left to protect against this themselves, but most don’t realise this is a problem. That is why it’s important to raise public awareness.”
F-Secure’s research indicates that some system manufacturers were not requiring a BIOS password to access MEBx. As a result, an unauthorised person with physical access to a computer in which access to MEBx is not restricted, and in which AMT is in factory default, could potentially alter its AMT settings.
El Reg understands that Intel began telling systems manufacturers to provide a system BIOS option to disable USB provisioning and to set the value to disable by default as far back as 2015. This guidance ( PDF ) was updated and reiterated last November.
F-Secure reports that despite all this guidance, insecure Intel AMT setups remain widespread.
While Intel has written extensive guides on AMT, they have not had the desired impact on the real world security of corporate laptops.
The issue affects most, if not all, laptops that support Intel Management Engine/Intel AMT. Chipzilla advises vendors to require the BIOS password when rolling out AMT. However, many device manufacturers do not follow this advice.
F-Secure recommends enterprises adjust the system provisioning process to include setting a strong AMT password, and disabling AMT if this option is available. ®