Intel AMT security hole lets hackers take control of corporate laptops

Intel is off to a rough start in 2018 with yet another security issue found impacting their products. Coming fast on the heels of Spectre and Meltdown is a security vulnerability in Intel's Active Management Technology (AMT). The Intel Core processor with vPro feature is intended to help IT staff manage networked assets. Ironically, it is supposed to help administrators protect devices. This security risk flushes all that down the toilet.

According to researchers at F-Secure, "The issue allows a local intruder to backdoor almost any corporate laptop in a matter of seconds, even if the BIOS password, TPM Pin, Bitlocker and login credentials are in place. No, we're not making this stuff up."

This flaw has a high destructive potential and can be executed very quickly. The attacker does need to have physical access to the laptop but there are several scenarios where this could prove to be a trivial issue.

Harry Sintonen, one of F-Secure's senior security consultants, describes using the "evil maid" scenario. This is where a pair of attackers identify a target and while one distracts the mark, the other accesses the computer. Since the exploit can be completed in seconds, this tactic is quite viable.

"AMT is no stranger to security weaknesses, with many other researchers finding multiple flaws within the system, but Sintonen's discovery surprised even him."

The way the attack is accomplished is by rebooting the computer and then entering the boot menu. In most circumstances, this is the end of the line for an attacker because any competent IT pro would have enabled the BIOS password and the exploit could go no further.

However, on AMT machines, the attacker can select Intel's Management Engine BIOS Extension (MEBx) and log in using the default password "admin." They can then change the password, enable remote access and set the user's opt-in to "None." What he has essentially done here is set up the machine to allow remote access without the user's knowledge that the computer is being exploited.

To remote in, the attacker does have to be on the same network segment. However, Sintonen says that wireless access can be achieved with only a few extra steps.

Dealing with the problem can be a pain, especially for large companies with vast numbers of mobile assets. In most cases, the individual machines must be physically accessed and have the AMT default password changed or have the suite disabled altogether.

"The security issue seems like something lifted straight from IT security officers' worst nightmares."

F-Secure advises that large companies first try to determine the number of affected devices remotely to find a more manageable number. There is no sense wasting time on laptops that do not have AMT.

"Organizations with Microsoft environments and domain connected devices can also take advantage of the System Center Configuration Manager to provision AMT," said F-Secure. If in the process of reconfiguration, a device is found with the AMT password set to an unknown value, assume the worst and initiate an incident response. "First rule of cybersecurity? Never take unnecessary risks." For more details, see F-Secure's FAQ on the flaw.