Backdoored in 30 Seconds: Attack Exploits Intel AMT FeaturePhysical Access Plus Default AMT Credentials Equals Takeover, F-Secure Warns
An attacker who gains physical access to a corporate PC with an Intel chip could exploit the built-in Active Management Technology to backdoor the system in about 30 seconds, unless default AMT credentials have been changed, Finnish security firm F-Secure warns.
"The attack is almost deceptively simple to enact, but it has incredible destructive potential," Harry Sintonen, a senior security consultant at F-Secure, says in a news release. "In practice, it can give a local attacker complete control over an individual's work laptop, despite even the most extensive security measures."
The attack would bypass any other security protections in place, including a BIOS password, Trusted Platform Module PIN or Bitlocker full-disk encryption, Sintonen says. The attack is unrelated to the Meltdown and Spectre vulnerabilities in Intel, AND and ARM microprocessors announced earlier this month.
AMT is maintenance software built into Intel's vPro platform that can be used to remotely manage PCs. Intel says it's been shipped on more than 100 million systems over the past decade.
Responding to F-Secure's research, Intel has confirmed the flaw and issued mitigation advice. This centers on either ensuring that AMT has a strong password or disabling AMT altogether.
But Intel says the default password problem should be addressed by the equipment manufacturers who use its chips, noting that it has long recommended that OEMs set their systems so that the BIOS password is needed before AMT can be provisioned. If OEMs do this, systems with AMT would not be at risk to this attack, it says.
"We appreciate the security research community calling attention to the fact that some system manufacturers have not configured their systems to protect Intel Management Engine BIOS Extension (MEBx)," an Intel spokeswoman tells Information Security Media Group.
"We issued guidance on best configuration practices in 2015 and updated it in November 2017, and we strongly urge OEMs to configure their systems to maximize security," she says. "Intel has no higher priority than our customers' security, and we will continue to regularly update our guidance to system manufacturers to make sure they have the best information on how to secure their data."
Sintonen, however, says he tested the default MEBx password attack on multiple vPro systems - with AMT built in - and found that they were all vulnerable.
Attack: Select 'MEBx' After Booting
How does the attack work? Normally, on any system for which a BIOS password has been set, users cannot continue to boot the system until they have entered the BIOS password.
For systems with AMT built in, however, anyone who uses the PC can boot to MEBx, for which Intel has set a default password of "admin," F-Secure says. An attacker could then alter this password, giving them ongoing access to the system via AMT.
"By changing the default password, enabling remote access and setting AMT's user opt-in to 'none,' a quick-fingered cybercriminal has effectively compromised the machine," it says. "Now the attacker can gain access to the system remotely, as long as they're able to insert themselves onto the same network segment with the victim - enabling wireless access requires a few extra steps."
F-Secure recommends that enterprise administrators ensure all devices with AMT have it set to use a strong password. Alternately, disable AMT on the device.
"Go through all currently deployed devices and configure the AMT password. If the password is already set to an unknown value consider the device suspect and initiate incident response procedure," it says.
For individual users without IT support, F-Secure recommends they never leave their PCs unattended and also that they change their AMT password to a strong password or disable it, if that option is available. "If the password is already set to an unknown value, consider the device suspect," it says.
Coordinated Vulnerability Effort
Sintonen says he discovered the flaw in July 2017.
"We reached out to Intel last summer. Since then we have been coordinating with laptop vendors and with Intel," F-Secure spokeswoman Melissa Michael tells ISMG. "We wanted to give ample time for vendors and Intel to implement changes. We agreed with Intel that we would come out with the issue in January."
Intel has now made those fixes, she says. "Intel has replied that they have updated their guidance for vendors, and they now recommend vendors to require the BIOS password if set, when provisioning Intel AMT."
Last month, Intel issued a 4-page PDF, Security Best Practices of Intel Active Management Technology Q&A, that addresses the MEBx default password problem, amongst other security risks.
"The Intel AMT manual configuration methods let you provision an Intel AMT system with basic settings but it does require local access to the device to boot to the Intel Management Engine BIOS Extension (Intel MEBx) or a configured USB key. If the Intel MEBx default password was never changed, an unauthorized person with physical access to the system could manually provision Intel AMT via the Intel MEBx or with a USB key using the default password," Intel's AMT security document states. "If the system's manufacturer has followed Intel's recommendation to protect the Intel MEBx menu with the system BIOS password, this physical attack would be mitigated."
Intel AMT Guidance
Multiple Researchers Find Flaw
F-Secure's Sintonen, however, wasn't the only security researcher to unearth the problem. In October 2017, Parth Shukla, a security researcher at Google, also detailed the flaws in a Luxembourg conference presentation. Shukla tells ISMG he's preparing a more in-depth research report that builds on his presentation.
Germany's computer emergency response team, CERT-Bund, had also previously detailed how MEBx could be used to boot to a specially configured USB device, again bypassing the BIOS password.
"Intel has provided recommendations to system manufacturers in September 2015 to protect the Intel MEBx with the system BIOS password," it says. "Intel has also recommended that system manufacturers provide a system BIOS option to disable USB provisioning and to set the value to disable by default."
More AMT Problems
These are not the first AMT security problems to have been discovered.
For starters, AMT has been designed to require a username and password before it can be accessed. But early last year, Maksim Malyutin, a researcher at embedded security firm Embedi, reverse-engineered the AMT code and found that the authentication checks can be bypassed using simple tools and only about five or 10 lines of code (see Intel's AMT Flaw: Worse Than Feared).
On May 1, Intel issued an alert, warning that systems running AMT, Intel Standard Manageability or Small Business Tech firmware - versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5 or 11.6 - were at risk from the critical security flaw and needed a firmware update.
Last November, meanwhile, Intel issued another security alert, warning that flaws in its Management Engine - used in both consumer and business PCs - and AMT could be exploited by an attacker. It said the flaws were present in many PCs, servers and internet of things platforms with Intel CPUs, including all generations of Intel Core Processors, as well as some Xeon, Atom, Pentium and Celeron CPUs, amongst others.
Intel pushed a firmware fix to OEMs, which have been releasing updated firmware to users. Last month, Intel released a tool that can be used to test systems for the presence of the flaw.