Security flaws in Intel AMT enable attackers to take control of laptops in 30 seconds
Pwned in 30 seconds: Warning over new security flaws in Intel Active Management Technology
Organisations have been warned about new security flaws in Intel's Active Management Technology (AMT) that can be used by attackers with physical access to get round authentication processes in just 30 seconds.
F-Secure, the security software and services company that claims to have uncovered the flaws, attributes them to a string of insecure default settings found in Intel AMT. These enable attackers to bypass both user and BIOS passwords.
It is also possible to get round the Trusted Platform Module (TPM) and BitLocker PINs to get backdoor access to corporate laptops in under a minute.
According to F-Secure, this issue affects most corporate laptops and PCs running Intel AMT.
Attackers don't need access to credentials to do this and, because the flaw is in AMT, millions of laptop users could be at risk around the world.
Harry Sintonen, a senior security consultant at F-Secure, led the research. He described the flaw as "almost deceptively simple to exploit, but it has incredible destructive potential".
He continued: "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."
Intel AMT is software designed to provide maintenance and remote access monitoring services for corporate laptop users.
It is aimed especially at IT departments and managed service providers, offering them full control of their device fleets. Security experts have slammed the software in the past, pointing out security weaknesses.
However, F-Secure believes that the "pure simplicity of exploiting this particular issue sets it apart from previous instances". It warned: "The weakness can be exploited in mere seconds without a single line of code".
Normally, laptop users set up BIOS passwords to prevent unauthorised users from booting up devices or making changes to the boot-up process.
According to F-Secure, to exploit the flaws attackers only need to reboot or power up the target machine and press CTRL-P during boot-up. After that, they can log in to the Intel Management Engine BIOS Extension (MEBx) with a default password.
From there, the attacker can edit the default password and enable remote access for themselves.
"The attacker can now gain remote access to the system from both wireless and wired networks, as long as they're able to insert themselves onto the same network segment with the victim," warned F-Secure.
Sintonen added that this can be done relatively quickly, exposing corporate laptops, for example, to a so-called 'evil maid' in hotels, coffee shops and other public and semi-public places.
"The attacker can break into your room and configure your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN.
"And since the computer connects to your company VPN, the attacker can access company resources."
F-Secure made a number of recommendations.
To end users:
- Never leave your laptop unwatched in an insecure location such as a public place;
- Contact your IT service desk to handle the device;
- If you're an individual running your own device, change the AMT password to a strong one, even if you don't plan on using AMT. If there's an option to disable AMT, use it. If the password is already set to an unknown value, consider the device suspect.
To organisations:
- Adjust the system provisioning process to include setting a strong AMT password, and disabling AMT if this option is available;
- Go through all currently deployed devices and configure the AMT password. If the password is already set to an unknown value, consider the device suspect and initiate incident response procedures.
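
One way to start the fleet review recommended above, as an added example (not F-Secure's or Intel's code): probe each managed host for AMT's network listeners, TCP 16992 and 16993, and flag any machine that answers although IT never provisioned AMT on it. The inventory format, host names and status labels are assumptions made for the illustration.

```python
import socket

# TCP ports of Intel AMT's web UI / WS-Management service (HTTP, TLS).
AMT_PORTS = (16992, 16993)


def amt_listening(host, ports=AMT_PORTS, timeout=1.0):
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    reachable = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable.append(port)
        except OSError:  # refused, timed out, unresolvable name
            pass
    return reachable


def triage(inventory, probe=amt_listening):
    """Compare probe results with the asset register.

    inventory maps host -> True if IT deliberately provisioned AMT there
    (hypothetical format). Returns host -> (status, open_ports).
    """
    findings = {}
    for host, provisioned_by_it in inventory.items():
        open_ports = probe(host)
        if open_ports and not provisioned_by_it:
            status = "SUSPECT"        # AMT enabled by someone other than IT
        elif open_ports:
            status = "EXPECTED"       # still verify the password is the one IT set
        elif provisioned_by_it:
            status = "NOT_ANSWERING"  # offline, off-segment or de-provisioned
        else:
            status = "NO_LISTENER"    # MEBx password must still be set locally
        findings[host] = (status, open_ports)
    return findings


if __name__ == "__main__":
    # Constructed sample data: a stubbed probe so the demo runs offline.
    sample_probe = {"lt-0417": [16992], "lt-0422": [], "lt-0431": [16992, 16993]}
    register = {"lt-0417": False, "lt-0422": False, "lt-0431": True}
    for host, result in triage(register, probe=lambda h: sample_probe[h]).items():
        print(host, *result)
```

A host reported as `NO_LISTENER` is not cleared by this check: per the recommendations above, its AMT password still has to be set, or AMT disabled, at the machine itself.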