Intel AMT security issue: Attackers may bypass login credentials in corporate laptops

Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called “evil maid” scenario. “You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.” Sintonen points out that even a minute of distracting a target from their laptop at an airport or coffee shop is enough to do the damage.

F-Secure says that Sintonen stumbled upon the issue in July 2017, and notes that another researcher, Parth Shukla, also mentioned it in a more recent talk (see Parth Shukla, Google, “Intel AMT: Using & Abusing the Ghost in the Machine,” October 2017). For this reason, it is especially important that organizations know about the unsafe default so they can fix it before it begins to be exploited. A similar vulnerability had previously been pointed out by CERT-Bund, but with regard to USB provisioning, Sintonen said.

The issue affects most, if not all, laptops that support Intel Management Engine / Intel AMT. It is unrelated to the recently disclosed Spectre and Meltdown vulnerabilities.

Intel recommends that vendors require the BIOS password to provision Intel AMT. However, many device manufacturers do not follow this advice. For Intel’s December 2017 advisory regarding this topic, see “Security Best Practices of Intel Active Management Technology Q&A.”

Recommendations
To end users

· Never leave your laptop unwatched in an insecure location such as a public place.

· Contact your IT service desk to handle the device.

· If you’re an individual running your own device, change the AMT password to a strong one, even if you don’t plan on using AMT. If there’s an option to disable AMT, use it. If the password is already set to an unknown value, consider the device suspect.

To organizations

· Adjust the system provisioning process to include setting a strong AMT password, and disabling AMT if this option is available.

· Go through all currently deployed devices and configure the AMT password. If the password is already set to an unknown value, consider the device suspect and initiate the incident response procedure.
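The fleet-wide check recommended above needs a way to tell which deployed devices already have an active AMT interface that IT did not provision. The following is an added example, not code from F-Secure or Intel: it triages probe results against the IT inventory of hosts whose AMT password was set by the provisioning process. The AMT web interface ports (16992 and 16993) and the "Server:" banner text are assumed from Intel's documentation; the probe results and host names are constructed.

```python
# Added example: flag laptops that answer on the Intel AMT web interface but are
# not in the list of devices IT provisioned (these are the "suspect" devices the
# recommendation says to hand to incident response).
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

AMT_PORTS = {16992, 16993}  # assumed: AMT web UI over HTTP / HTTPS
AMT_SERVER_MARK = "Intel(R) Active Management Technology"  # assumed banner text


@dataclass
class Probe:
    host: str
    port: int
    response: Optional[str]  # raw HTTP response text, or None if the port was closed


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def amt_active(probe: Probe) -> bool:
    """True when the host answered on an AMT port with the AMT server banner."""
    if probe.port not in AMT_PORTS or probe.response is None:
        return False
    return AMT_SERVER_MARK in parse_headers(probe.response).get("server", "")


def triage(probes: Iterable[Probe], managed_hosts: Set[str]) -> Dict[str, str]:
    """Map each probed host to 'managed', 'suspect' or 'inactive'."""
    verdict: Dict[str, str] = {}
    for p in probes:
        if amt_active(p):
            # AMT is on: fine if IT set the password, suspect otherwise
            verdict[p.host] = "managed" if p.host in managed_hosts else "suspect"
        else:
            # No AMT answer on this port: disabled or unprovisioned (do not
            # overwrite a verdict already recorded for another port of this host)
            verdict.setdefault(p.host, "inactive")
    return verdict


# Constructed sample input: one managed host, one host with AMT off, one host
# with AMT active that is absent from the IT inventory.
BANNER = ("HTTP/1.1 401 Unauthorized\r\n"
          "Server: Intel(R) Active Management Technology 11.8.50\r\n"
          'WWW-Authenticate: Digest realm="Digest:EXAMPLE", nonce="EXAMPLE"\r\n\r\n')
SAMPLE_PROBES = [Probe("lt-0001", 16992, BANNER), Probe("lt-0002", 16992, None),
                 Probe("lt-0003", 16992, BANNER), Probe("lt-0003", 16993, None)]
MANAGED_HOSTS = {"lt-0001"}
```

Running `triage(SAMPLE_PROBES, MANAGED_HOSTS)` marks lt-0003 as suspect; the real probe results would come from your own asset-inventory tooling.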