On the heels of recent Spectre and Meltdown vulnerabilities, the F-Secure security team has discovered a security issue in Intel’s Active Management Technology (AMT).
AMT is used by IT departments and managed service providers for remote access monitoring and maintenance of enterprise computers.
“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” said Harry Sintonen, one of F-Secure’s Senior Security Consultants who discovered the flaw back in July 2017.
How does it work?
According to F-Secure, the issue allows a local attacker (who has physical access) backdoor access to any corporate laptop in seconds, even if the BIOS password, TPM Pin, Bitlocker and OS login credentials are enabled.
The attacker would first start by rebooting the victim’s machine, then enter the boot menu and choose the menu option for Intel’s Management Engine BIOS Extension (MEBx).
The attacker can login using the default password “admin” (assuming the default password hasn’t been set) and quickly change the default password, then enable remote access. That way, the cyber criminal can access the system remotely if they can insert themselves on the same network segment as the victim.
The attack demonstrates a potential “evil maid” scenario where multiple attackers could target a victim in a public place (e.g., hotel lobby, airport, etc.).
One attacker could distract the victim while the other quickly gains access to the laptop to make the change to compromise the system and enable remote access within a minute.
Enterprise admins who support their company’s laptop fleet should ensure AMT login is changed to a strong password, or disable completely if possible.
Intel has provided security guidance on how to setup AMT securely.