CybersecurityIntel AMT security issue: Attackers may bypass login credentials in corporate laptops
Helsinki, Finland-based F-Secure reported a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than thirty seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally.
Intel's processors build in a easily exploited vulnerability // Source: yahoo.com
Helsinki, Finland-based F-Secure reported a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than thirty seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally.
The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”
Intel AMT is a solution for remote access monitoring and maintenance of corporate-grade personal computers, created to allow IT departments or managed service providers to better control their device fleets. The technology, which is commonly found in corporate laptops, has been called out for security weaknesses in the past, but the pure simplicity of exploiting this particular issue sets it apart from previous instances. The weakness can be exploited in mere seconds without a single line of code.
F-Secure says that the essence of the security issue is that setting a BIOS password, which normally prevents an unauthorized user from booting up the device or making low-level changes to it, does not prevent unauthorized access to the AMT BIOS extension. This allows an attacker access to configure AMT and make remote exploitation possible.
To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops. The attacker then may change the default password, enable remote access and set AMT’s user opt-in to “None.” The attacker can now gain remote access to the system from both wireless and wired networks, as long as they’re able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.
