Friday, January 12th 2018

Intel AMT Security Issue Lets Attackers Bypass Login Credentials

F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and BitLocker passwords and TPM PINs, and to gain remote access for later exploitation. It exists within Intel's Active Management Technology (AMT) and potentially affects millions of laptops globally.

The security issue "is almost deceptively simple to exploit, but it has incredible destructive potential," said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."

Intel AMT is a solution for remote access monitoring and maintenance of corporate-grade personal computers, created to allow IT departments or managed service providers to better control their device fleets. The technology, which is commonly found in corporate laptops, has been called out for security weaknesses in the past, but the pure simplicity of exploiting this particular issue sets it apart from previous instances. The weakness can be exploited in mere seconds without a single line of code.

The essence of the security issue is that setting a BIOS password, which normally prevents an unauthorized user from booting up the device or making low-level changes to it, does not prevent unauthorized access to the AMT BIOS extension. This allows an attacker access to configure AMT and make remote exploitation possible.

To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, "admin," as this default is most likely unchanged on most corporate laptops. The attacker then may change the default password, enable remote access and set AMT's user opt-in to "None." The attacker can now gain remote access to the system from both wireless and wired networks, as long as they're able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.

Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called "evil maid" scenario. "You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources." Sintonen points out that even a minute of distracting a target from their laptop at an airport or coffee shop is enough to do the damage.

Sintonen stumbled upon the issue in July 2017, and notes that another researcher* also mentioned it in a more recent talk. For this reason, it's especially important that organizations know about the unsafe default so they can fix it before it begins to be exploited. A similar vulnerability has also been previously pointed out by CERT-Bund but with regard to USB provisioning, Sintonen said.

The issue affects most, if not all, laptops that support Intel Management Engine / Intel AMT. It is unrelated to the recently disclosed Spectre and Meltdown vulnerabilities.
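
The article notes that a reconfigured laptop becomes reachable over AMT from the same network segment. As an added example (not from F-Secure or the original article), the script below flags flows to AMT's IANA-registered ports that come from outside an assumed management subnet; the log format, addresses and `MGMT_CONSOLES` value are constructed for illustration.

```python
import ipaddress

# Intel AMT ports (IANA-registered): 16992/16993 web UI and WS-Management over
# HTTP/HTTPS, 16994/16995 redirection (SOL/IDE-R) without and with TLS.
AMT_PORTS = {16992: "AMT HTTP", 16993: "AMT HTTPS",
             16994: "AMT redirection", 16995: "AMT redirection (TLS)"}

# Assumption: only IT management consoles in this subnet may talk to AMT.
MGMT_CONSOLES = [ipaddress.ip_network("10.10.0.0/28")]

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2018-01-12T09:14:02Z 10.10.0.5 10.20.4.17 16993 ALLOW
2018-01-12T21:40:11Z 10.20.4.99 10.20.4.17 16992 ALLOW
2018-01-12T21:40:15Z 10.20.4.99 10.20.4.17 16994 ALLOW
2018-01-12T21:41:00Z 10.20.4.99 10.20.4.17 443 ALLOW
2018-01-12T22:05:37Z 192.168.77.3 10.20.4.31 16992 DENY
malformed line
"""

def is_mgmt(ip):
    """True if the source address belongs to an authorized management subnet."""
    return any(ip in net for net in MGMT_CONSOLES)

def find_unexpected_amt_flows(log_text):
    """Return flows that target an AMT port from a non-management source."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, port, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            port_no = int(port)
        except ValueError:
            continue  # unparsable address or port
        if port_no in AMT_PORTS and not is_mgmt(src_ip):
            findings.append({
                "line": lineno, "time": ts, "src": src, "dst": dst,
                "service": AMT_PORTS[port_no],
                # an allowed flow reached the endpoint; a denied one was only an attempt
                "severity": "high" if action == "ALLOW" else "info",
            })
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_amt_flows(SAMPLE_FLOWS):
        print(finding)
```

AMT traffic is handled by the Management Engine below the operating system, so a host firewall on the laptop does not see it; feed this kind of check with logs from a switch, firewall or flow collector instead.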

37 Comments on Intel AMT Security Issue Lets Attackers Bypass Login Credentials

#1
Chaitanya
This keeps getting better and better, so many security holes in products from just one manufacturer. Waiting to see if this pit has a bottom.
Posted on Reply
#2
CrAsHnBuRnXp
Can I just get full refunds on my Q6600, 2500k, 6600k and 8600k for the inconvenience of this news? (And btw, why didn't Intel just keep the x500k name for i5 CPUs? Why'd they have to confuse it and go x600k?)
Posted on Reply
#3
natr0n
I was enjoying driving down Intel lane. It was great: green trees, sunny blue sky, and straight fast roads. I thought to myself, could this get better? Suddenly a storm approached, the ground opened up and hell broke loose.

It was only then I realized the party was over. I proceeded to U-turn and drove back to AMD Ville where the grass is still green.
Posted on Reply
#4
RobJoy
natr0n said:
I was enjoying driving down Intel lane. It was great: green trees, sunny blue sky, and straight fast roads. I thought to myself, could this get better? Suddenly a storm approached, the ground opened up and hell broke loose.

It was only then I realized the party was over. I proceeded to U-turn and drove back to AMD Ville where the grass is still green.
It's red.

Stained with Intel blood.
Posted on Reply
#5
Upgrayedd
Chaitanya said:
This keeps getting better and better, so many security holes in products from just one manufacturer. Waiting to see if this pit has a bottom.
It doesn't. Nothing is ever made perfect. It's just the trend right now. Just like the sexual predators in Hollywood being accused.
AMD has plenty of issues, just no one has tried for them yet. As well as Qualcomm and many others. Intel is just the ez focus right now.
Posted on Reply
#6
R-T-B
You need local machine access to do/start this exploit. Not really THAT concerning.
Posted on Reply
#7
Flaky
Yay, more stupid comments by people who didn't even read the article.
The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, "admin," as this default is most likely unchanged on most corporate laptops. The attacker then may change the default password (...)
It's the idiots who don't even configure the hardware properly, not a hardware/software problem itself.
Posted on Reply
#8
Readlight
I don't care, I'm not going to use antivirus on a slow processor and update the PC on limited internet.
Posted on Reply
#9
hat
Enthusiast
Next up: security vulnerability found in every router ever with default login credentials...
Posted on Reply
#10
ssdpro
Flaky said:
Yay, more stupid comments by people who didn't even read the article.

It's the idiots who don't even configure the hardware properly, not a hardware/software problem itself.
This. Again, it is like everything is being dumbed down. We have had security flaws for over 30 years. In that 30 years nothing has been a substitute for common sense.
Posted on Reply
#11
newtekie1
Semi-Retired Folder
Sooo...not really a security flaw, but instead how it is designed to work, but people deploying these systems aren't reading the f'n manual on how to set them up properly or can't be bothered to change the default password...Got it!

CrAsHnBuRnXp said:
Can I just get full refunds on my Q6600, 2500k, 6600k and 8600k for the inconvenience of this news? (And btw, why didn't Intel just keep the x500k name for i5 CPUs? Why'd they have to confuse it and go x600k?)
Boot any of those systems and hold Ctrl+P and I'd be willing to bet money the AMT interface doesn't come up.
Posted on Reply
#12
dozenfury
This one seems a lot less of a security issue and more of an area where maybe some extra checks can be put in. Whenever you have to assume for an exploit that someone hasn't changed the default pw, the onus is kind of on them. Especially when it comes to IME and business laptops. That should be step 1 for the laptop configurators in any responsible IT department. Otherwise if you start going down this road you could almost say this about any PC. If a person is given local unfettered access to any PC with a default pw, it's easy enough to quickly turn off security checks and enable remote access.

Seems like this is more a case of F-Secure taking advantage of the news focus on Intel and Meltdown/Spectre to claim discovery of another Intel bug for their own accolades. If I leave my car door unlocked and the keys in the ignition, it allows a person to bypass other security car alarm/key fob checks, but it would be a stretch to call that a security vulnerability. And that's what this one feels a bit like.
Posted on Reply
#13
xorbe
The implications are real, corp laptops need to be kept physically secured. As they said, hotel rooms would be the ideal compromise location for a gov't actor.
Posted on Reply
#14
R-T-B
xorbe said:
The implications are real, corp laptops need to be kept physically secured. As they said, hotel rooms would be the ideal compromise location for a gov't actor.
So set a password.
Posted on Reply
#15
Vayra86
This reminds me of the voicemail scandal a few years ago in the Netherlands where the PM and other VIPs had their Vodafone voicemail hacked and it was first 'deemed not secure' and the next day we learned the PM forgot to change his PIN from 0000 to something else.
Posted on Reply
#16
R-T-B
Vayra86 said:
This reminds me of the voicemail scandal a few years ago in the Netherlands where the PM and other VIPs had their Vodafone voicemail hacked and it was first 'deemed not secure' and the next day we learned the PM forgot to change his PIN from 0000 to something else.
This is like bloody spaceballs at this point...
Posted on Reply
#18
evernessince
Assimilator said:
*anti-Intel circlejerk intensifies*
Anti-anti-Intel circlejerk intensifies would have been more apt. There's always gotta be those people pissing on those with legitimate concerns.
Posted on Reply
#19
R-T-B
evernessince said:
Anti-anti-Intel circlejerk intensifies would have been more apt. There's always gotta be those people pissing on those with legitimate concerns.
This one really isn't much of a concern, IMO. More like common sense.
Posted on Reply
#20
lexluthermiester
Intel just can't win lately. But then, that's what happens when you build something like this into your base architecture. They did this to themselves. Kinda feel bad for them, this is a hell of a mess to sort out. I'm waiting for someone to hack the crap out of AMD's similar piece of "secret" hardware. Both instances are bad ideas done poorly.
Posted on Reply
#21
Prima.Vera
Nope, it definitely doesn't work on my HP EliteBook crappy laptop from work...
Posted on Reply
#22
lexluthermiester
Prima.Vera said:
Nope, it definitely doesn't work on my HP EliteBook crappy laptop from work...
How did you determine this?
Posted on Reply
#23
newtekie1
Semi-Retired Folder
lexluthermiester said:
How did you determine this?
To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup.
If you boot the machine and press CTRL-P and the AMT interface doesn't come up, the computer isn't affected.
Posted on Reply
#24
lexluthermiester
newtekie1 said:
If you boot the machine and press CTRL-P and the AMT interface doesn't come up, the computer isn't affected.
That would suggest AMT is not installed/provisioned on that particular system.
Posted on Reply
#25
R-T-B
lexluthermiester said:
That would suggest AMT is not installed/provisioned on that particular system.
and thus the computer isn't affected.
Posted on Reply