Researcher Exploits Intel Remote Management Security In 30 Seconds But It’s Not What You Think
The big news in security (or lack thereof) recently has been the Meltdown and Spectre issues that have plagued Intel, AMD, and Apple. Those aren’t the only security issues that computer users are facing. Security research firm F-Secure has found a new security flaw that it says affects Intel Active Management Technology, or AMT. AMT is Intel's proprietary technology for remote access, monitoring, and management of personal computers in a corporate setting.
The tech was meant to allow IT departments in these large organizations or managed service providers to control fleets of computers. F-Secure Senior Security Consultant Harry Sintonen found a flaw in AMT in July of 2017 (it has only now been disclosed) that surprised him. He said, "The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures."
F-Secure wrote that the security issue "seems like something lifted straight from IT security officers’ worst nightmares." The issue would allow a local intruder to gain access to almost any corporate laptop in seconds, even if the laptop being attacked had a BIOS password, TPM PIN, BitLocker, and login credentials in place.
F-Secure wrote, "The setup is simple: an attacker starts by rebooting the target’s machine, after which they enter the boot menu. In a normal situation, an intruder would be stopped here; as they won’t know the BIOS password, they can’t really do anything harmful to the computer."
In this case, AMT itself gives the attacker a way into the machine. "By selecting Intel’s Management Engine BIOS Extension (MEBx), they can log in using the default password 'admin,' as this hasn’t most likely been changed by the user. By changing the default password, enabling remote access and setting AMT’s user opt-in to 'None', a quick-fingered cyber criminal has effectively compromised the machine. Now the attacker can gain access to the system remotely, as long as they’re able to insert themselves onto the same network segment with the victim (enabling wireless access requires a few extra steps)."
The attack would require physical proximity to the laptop to execute. Sintonen outlines a feasible way the attack could take place. "Attackers have identified and located a target they wish to exploit. They approach the target in a public place – an airport, a café or a hotel lobby – and engage in an ‘evil maid’ scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time – the whole operation can take well under a minute to complete," Sintonen says.
To reduce the risk of this attack, F-Secure says that a strong password needs to be set for AMT, or AMT should be disabled completely if possible.
Intel's response to the issue was to remind users to follow its guidelines for changing MEBx passwords and to point fingers at system manufacturers for being lax and not mitigating the potential attack. An Intel spokesperson responded to Ars Technica, writing:
"We appreciate the security research community calling attention to the fact that some system manufacturers have not configured their systems to protect Intel Management Engine BIOS Extension (MEBx). We issued guidance on best configuration practices in 2015 and updated it in November 2017, and we strongly urge OEMs to configure their systems to maximize security. Intel has no higher priority than our customers’ security, and we will continue to regularly update our guidance to system manufacturers to make sure they have the best information on how to secure their data."