January 12, 2018

Intel AMT Security Issue Lets Attackers Bypass Login Credentials in Corporate Laptops

Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to backdoor almost any corporate laptop in a matter of seconds.

Buckinghamshire, UK – January 12, 2018: F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM PINs, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally.

The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

Intel AMT is a solution for remote access monitoring and maintenance of corporate-grade personal computers, created to allow IT departments or managed service providers to better control their device fleets. The technology, which is commonly found in corporate laptops, has been called out for security weaknesses in the past, but the pure simplicity of exploiting this particular issue sets it apart from previous instances. The weakness can be exploited in mere seconds without a single line of code.

The essence of the security issue is that setting a BIOS password, which normally prevents an unauthorized user from booting up the device or making low-level changes to it, does not prevent unauthorized access to the AMT BIOS extension. This allows an attacker access to configure AMT and make remote exploitation possible.

To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops. The attacker then may change the default password, enable remote access and set AMT’s user opt-in to “None.” The attacker can now gain remote access to the system from both wireless and wired networks, as long as they’re able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.

Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called “evil maid” scenario. “You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.” Sintonen points out that even a minute of distracting a target from their laptop at an airport or coffee shop is enough to do the damage.

Sintonen stumbled upon the issue in July 2017, and notes that another researcher* also mentioned it in a more recent talk. For this reason, it’s especially important that organizations know about the unsafe default so they can fix it before it begins to be exploited. A similar vulnerability has also been previously pointed out by CERT-Bund, but with regard to USB provisioning, Sintonen said.

The issue affects most, if not all, laptops that support Intel Management Engine / Intel AMT. It is unrelated to the recently disclosed Spectre and Meltdown vulnerabilities.

Intel recommends that vendors require the BIOS password to provision Intel AMT. However, many device manufacturers do not follow this advice. For Intel’s December 2017 advisory regarding this topic, see “Security Best Practices of Intel Active Management Technology Q&A.”

Recommendations

To end users

  • Never leave your laptop unwatched in an insecure location such as a public place.
  • Contact your IT service desk to handle the device.
  • If you’re an individual running your own device, change the AMT password to a strong one, even if you don’t plan on using AMT. If there’s an option to disable AMT, use it. If the password is already set to an unknown value, consider the device suspect.

To organizations

  • Adjust the system provisioning process to include setting a strong AMT password, and disabling AMT if this option is available.
  • Go through all currently deployed devices and configure the AMT password. If the password is already set to an unknown value, consider the device suspect and initiate the incident response procedure.
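The last recommendation presumes that IT knows which deployed devices already expose AMT on the network. As an added example (not F-Secure's code or Intel's tooling), the following Python script builds that inventory from the network side. It assumes the standard AMT web-interface ports (TCP 16992 for HTTP, 16993 for HTTPS) and that AMT's embedded web server identifies itself with a "Server: Intel(R) Active Management Technology …" header; the two sample responses embedded in the block are constructed, not captured from real devices.

```python
# Added inventory helper (assumptions: AMT listens on 16992/16993 and
# announces itself in the HTTP Server header). Not F-Secure's or Intel's code.
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Tuple

# Assumed standard AMT web-interface ports: port -> whether it speaks TLS.
AMT_PORTS = {16992: False, 16993: True}

# Assumed format of the Server header AMT's web server returns.
_SERVER_RE = re.compile(
    rb"^Server:[ \t]*(Intel\(R\) Active Management Technology[^\r\n]*)",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample responses for offline use; not captured from real devices.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Digest realm="Digest:EXAMPLE", nonce="EXAMPLE", qop="auth"\r\n'
    b"Content-Type: text/html\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)
SAMPLE_OTHER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: nginx/1.14.0\r\nContent-Length: 0\r\n\r\n"
)


@dataclass(frozen=True)
class AmtFinding:
    host: str
    port: int
    banner: str
    version: Tuple[int, ...]


def parse_amt_banner(raw_response: bytes) -> Optional[str]:
    """Return the AMT Server banner from a raw HTTP response, or None."""
    headers = raw_response.split(b"\r\n\r\n", 1)[0]
    match = _SERVER_RE.search(headers)
    return match.group(1).decode("ascii", "replace").strip() if match else None


def amt_version(banner: str) -> Tuple[int, ...]:
    """Extract the trailing dotted firmware version from a banner as ints."""
    match = re.search(r"(\d+(?:\.\d+)*)\s*$", banner)
    return tuple(int(p) for p in match.group(1).split(".")) if match else ()


def finding_from_response(host: str, port: int, raw: bytes) -> Optional[AmtFinding]:
    """Classify a response (live or captured) as an AMT finding, or None."""
    banner = parse_amt_banner(raw)
    if banner is None:
        return None
    return AmtFinding(host, port, banner, amt_version(banner))


def _fetch_http_head(host: str, port: int, use_tls: bool, timeout: float) -> bytes:
    """Send a minimal GET and read until the end of the response headers."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # AMT typically presents a self-signed cert
        sock = ctx.wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    finally:
        sock.close()
    return buf


def probe_amt(host: str, port: int, timeout: float = 3.0) -> Optional[AmtFinding]:
    """Probe one host:port; a closed port, timeout or TLS failure means no finding."""
    try:
        raw = _fetch_http_head(host, port, AMT_PORTS.get(port, False), timeout)
    except OSError:  # ssl.SSLError is an OSError subclass
        return None
    return finding_from_response(host, port, raw)


def scan_hosts(hosts: Iterable[str]) -> Iterator[AmtFinding]:
    """Yield a finding for every host/port pair that answers like Intel AMT."""
    for host in hosts:
        for port in AMT_PORTS:
            finding = probe_amt(host, port)
            if finding is not None:
                yield finding


if __name__ == "__main__":
    import sys
    for f in scan_hosts(sys.argv[1:]):
        print(f"{f.host}:{f.port}  {f.banner}  (AMT {'.'.join(map(str, f.version))})")
```

Run it as `python amt_inventory.py host1 host2 …` against the corporate address ranges you are authorized to scan. Every host it reports is provisioned with remote access enabled; reconcile that list against the provisioning records from the first recommendation, and treat any device that IT did not configure as suspect, exactly as the list item above says. A device that does not answer is not necessarily safe: AMT that is not yet provisioned, or that sits on a different VLAN, will not show up here, which is why the provisioning process itself still needs to set the password or disable AMT.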

*Parth Shukla, Google, October 2017, “Intel AMT: Using & Abusing the Ghost in the Machine”

More Information

https://business.f-secure.com/intel-amt-security-issue

About F-Secure

Nobody knows cyber security like F-Secure. For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. With unsurpassed experience in endpoint protection as well as detection and response, F-Secure shields enterprises and consumers against everything from advanced cyber attacks and data breaches to widespread ransomware infections. F-Secure’s sophisticated technology combines the power of machine learning with the human expertise of its world-renowned security labs for a singular approach called Live Security. F-Secure’s security experts have participated in more European cyber crime scene investigations than any other company in the market, and its products are sold all over the world by over 200 broadband and mobile operators and thousands of resellers.

Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.

f-secure.com | twitter.com/fsecureukteam | facebook.com/f-secure

F-Secure media relations
Geoff Dorrington

PR manager, F-Secure UK & Ireland

E: geoff.dorrington@f-secure.com

T: 01753 376592