
Intel AMT Security Issue Lets Attackers Bypass Login Credentials

Raevenlord

News Editor
#1
F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel's Active Management Technology (AMT) and potentially affects millions of laptops globally.

The security issue "is almost deceptively simple to exploit, but it has incredible destructive potential," said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."

Intel AMT is a solution for remote access monitoring and maintenance of corporate-grade personal computers, created to allow IT departments or managed service providers to better control their device fleets. The technology, which is commonly found in corporate laptops, has been called out for security weaknesses in the past, but the pure simplicity of exploiting this particular issue sets it apart from previous instances. The weakness can be exploited in mere seconds without a single line of code.

The essence of the security issue is that setting a BIOS password, which normally prevents an unauthorized user from booting up the device or making low-level changes to it, does not prevent unauthorized access to the AMT BIOS extension. This allows an attacker access to configure AMT and make remote exploitation possible.

To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, "admin," as this default is most likely unchanged on most corporate laptops. The attacker then may change the default password, enable remote access and set AMT's user opt-in to "None." The attacker can now gain remote access to the system from both wireless and wired networks, as long as they're able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.

Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called "evil maid" scenario. "You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources." Sintonen points out that even a minute of distracting a target from their laptop at an airport or coffee shop is enough to do the damage.

Sintonen stumbled upon the issue in July 2017, and notes that another researcher* also mentioned it in a more recent talk. For this reason, it's especially important that organizations know about the unsafe default so they can fix it before it begins to be exploited. A similar vulnerability has also been previously pointed out by CERT-Bund but with regards to USB provisioning, Sintonen said.

The issue affects most, if not all laptops that support Intel Management Engine / Intel AMT. It is unrelated to the recently disclosed Spectre and Meltdown vulnerabilities.
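The defensive counterpart to the procedure described above is knowing which machines on your own network are answering as AMT at all: a laptop that IT never provisioned but that suddenly serves the AMT web interface is exactly what a reconfigured MEBx looks like from the outside. The script below is an added example, not code from this post, from F-Secure or from Intel. It assumes (these facts are not on the page) that a provisioned AMT firmware serves its web UI on TCP 16992 (HTTP) and 16993 (HTTPS) and identifies itself with a `Server: Intel(R) Active Management Technology <version>` header; both are Intel's documented defaults but should be confirmed against your own hardware. The host addresses, the sample responses and the function names `fetch_banner`, `parse_amt_banner` and `audit_fleet` are constructed for the example.

```python
"""Fleet audit for exposed Intel AMT web interfaces (added example).

Not code from the TechPowerUp post or from F-Secure. Assumptions not
stated on the page: a provisioned AMT firmware serves its web UI on
TCP 16992 (HTTP) / 16993 (HTTPS) and answers with a
"Server: Intel(R) Active Management Technology <version>" header.
Host addresses below are constructed sample data.
"""
import re
import socket
from typing import Dict, List, Optional, Set

AMT_HTTP_PORT = 16992   # assumption: Intel's default AMT HTTP port

# Matches the Server header AMT's embedded web server sends back.
# [ \t]* (not \s*) keeps the optional version on the same header line.
AMT_SERVER_RE = re.compile(
    r"^Server:[ \t]*Intel\(R\) Active Management Technology[ \t]*([0-9][0-9.]*)?",
    re.IGNORECASE | re.MULTILINE,
)


def parse_amt_banner(raw: Optional[str]) -> Optional[str]:
    """Return the AMT firmware version if `raw` is an AMT HTTP response, else None.

    A matching Server header without a version still counts as AMT ("unknown").
    """
    if not raw:
        return None
    match = AMT_SERVER_RE.search(raw)
    if match is None:
        return None
    return match.group(1) or "unknown"


def fetch_banner(host: str, port: int = AMT_HTTP_PORT, timeout: float = 2.0) -> Optional[str]:
    """Send one plain HTTP request to host:port and return the raw reply.

    Returns None when the port is closed, filtered, or the host is unreachable;
    the caller decides with parse_amt_banner() whether the reply came from AMT.
    """
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while len(data) < 4096:          # the headers are all we need
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:                          # refused, timed out, DNS failure, no network
        return None
    return data.decode("latin-1", errors="replace")


def audit_fleet(banners: Dict[str, Optional[str]], provisioned: Set[str]) -> Dict[str, List[str]]:
    """Compare observed AMT exposure with the IT inventory of provisioned hosts.

    `banners` maps host -> raw HTTP reply (None if nothing answered).
    `provisioned` is the set of hosts IT knowingly enabled AMT on.
    Hosts that answer as AMT but were never provisioned are the ones to
    pull for inspection of their MEBx settings.
    """
    result: Dict[str, List[str]] = {"unexpected_amt": [], "known_amt": [], "no_amt": []}
    for host in sorted(banners):
        version = parse_amt_banner(banners[host])
        if version is None:
            result["no_amt"].append(host)
        elif host in provisioned:
            result["known_amt"].append(host)
        else:
            result["unexpected_amt"].append(f"{host} (AMT {version})")
    return result


# Constructed sample replies standing in for real fetch_banner() output.
SAMPLE_BANNERS: Dict[str, Optional[str]] = {
    "10.0.0.11": "HTTP/1.1 303 See Other\r\n"
                 "Server: Intel(R) Active Management Technology 11.8.50\r\n"
                 "Location: /logon.htm\r\n\r\n",
    "10.0.0.12": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n",
    "10.0.0.13": None,                                   # connection refused
    "10.0.0.14": "HTTP/1.1 303 See Other\r\n"
                 "Server: Intel(R) Active Management Technology\r\n\r\n",
}
KNOWN_PROVISIONED: Set[str] = {"10.0.0.11"}              # constructed inventory

if __name__ == "__main__":
    # For a live run replace SAMPLE_BANNERS with {h: fetch_banner(h) for h in hosts}.
    for bucket, hosts in audit_fleet(SAMPLE_BANNERS, KNOWN_PROVISIONED).items():
        print(f"{bucket}: {hosts}")
```

Run it against a list of your own subnets' addresses and reconcile the `unexpected_amt` bucket with the IT inventory; because the probe is unauthenticated it cannot read the user opt-in setting or tell who changed the MEBx password, so a hit is a reason to inspect the device, not a verdict.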
 
#3
Can I just get full refunds on my Q6600, 2500k, 6600k and 8600k for the inconvenience of this news? (and btw, why didn't Intel just keep the x500k name for i5 CPUs? Why'd they have to confuse it and go x600k?)
 
#4
I was enjoying driving down Intel lane. It was great: green trees, sunny blue sky, and straight fast roads. I thought to myself, could this get better? Suddenly a storm approached, the ground opened up and hell broke loose.

It was only then I realized the party was over. I proceeded to U-turn and drove back to AMD Ville where the grass is still green.
 
#5
I was enjoying driving down Intel lane. It was great: green trees, sunny blue sky, and straight fast roads. I thought to myself, could this get better? Suddenly a storm approached, the ground opened up and hell broke loose.

It was only then I realized the party was over. I proceeded to U-turn and drove back to AMD Ville where the grass is still green.
It's red.

Stained with Intel blood.
 
#6
This keeps getting better and better, so many security holes in products from just one manufacturer; waiting to see if this pit has a bottom.
It doesn't. Nothing is ever made perfect. It's just the trend right now. Just like the sexual predators in Hollywood being accused.
AMD has plenty of issues, just no one has tried for them yet. As well as Qualcomm and many others. Intel is just the ez focus right now.
 
#8
Yay, more stupid comments by people who didn't even read the article.

The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, "admin," as this default is most likely unchanged on most corporate laptops. The attacker then may change the default password (...)
It's the idiots who don't even configure the hardware properly, not a hardware/software problem itself.
 
#9
I don't care, I'm not going to use antivirus on a slow processor and update the PC on limited internet.
 

hat

Enthusiast
#10
Next up: security vulnerability found in every router ever with default login credentials...
 
#11
Yay, more stupid comments by people who didn't even read the article.

It's the idiots who don't even configure the hardware properly, not a hardware/software problem itself.
This. Again, it is like everything is being dumbed down. We have had security flaws for over 30 years. In that 30 years nothing has been a substitute for common sense.
 

newtekie1

Semi-Retired Folder
#12
Sooo... not really a security flaw, but instead how it is designed to work, but people deploying these systems aren't reading the f'n manual on how to set them up properly or can't be bothered to change the default password... Got it!

Can I just get full refunds on my Q6600, 2500k, 6600k and 8600k for the inconvenience of this news? (and btw, why didn't Intel just keep the x500k name for i5 CPUs? Why'd they have to confuse it and go x600k?)
Boot any of those systems and hold Ctrl+P and I'd be willing to bet money the AMT interface doesn't come up.
 
#13
This one seems a lot less of a security issue and more of an area where maybe some extra checks can be put in. Whenever you have to assume for an exploit that someone hasn't changed the default pw, the onus is kind of on them. Especially when it comes to IME and business laptops. That should be step 1 for the laptop configurators in any responsible IT department. Otherwise if you start going down this road you could almost say this about any PC. If a person is given local unfettered access to any PC with a default pw, it's easy enough to quickly turn off security checks and enable remote access.

Seems like this is more a case of F-Secure taking advantage of the news focus on Intel and Meltdown/Spectre to claim discovery of another Intel bug for their own accolades. If I leave my car door unlocked and the keys in the ignition, it allows a person to bypass other security car alarm/key fob checks, but it would be a stretch to call that a security vulnerability. And that's what this one feels a bit like.
 
#14
The implications are real, corp laptops need to be kept physically secured. As they said, hotel rooms would be the ideal compromise location for a gov't actor.
 
#16
This reminds me of the voicemail scandal a few years ago in the Netherlands, where the PM and other VIPs had their Vodafone voicemail hacked; it was first 'deemed not secure', and the next day we learned the PM had forgotten to change his PIN from 0000 to something else.
 
#17
This reminds me of the voicemail scandal a few years ago in the Netherlands, where the PM and other VIPs had their Vodafone voicemail hacked; it was first 'deemed not secure', and the next day we learned the PM had forgotten to change his PIN from 0000 to something else.
This is like bloody spaceballs at this point...
 
#18
*anti-Intel circlejerk intensifies*
 
#21
Intel just can't win lately. But then, that's what happens when you build something like this into your base architecture. They did this to themselves. Kinda feel bad for them, this is a hell of a mess to sort out. I'm waiting for someone to hack the crap out of AMD's similar piece of "secret" hardware. Both instances are bad ideas done poorly.
 
#22
Noup, it definitely doesn't work on my HP EliteBook crappy laptop from work...
 

newtekie1

Semi-Retired Folder
#24
How did you determine this?
To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup.
If you boot the machine and press CTRL-P and the AMT interface doesn't come up, the computer isn't affected.