
Gone in 30 seconds: New Intel AMT exploit is scarier than you can ever fathom

The new AMT hack can bypass all known security measures. (Source: Anandtech)
F-Secure's security researchers discovered another flaw in Intel's Active Management Technology (AMT) that a hacker can potentially misuse to gain remote access to a system.

Intel had a pretty rough start to 2018 with a slew of security flaws in Intel CPUs rearing their ugly heads. After the whole Meltdown and Spectre debacle, there's apparently another bitter pill to swallow. F-Secure's Senior Security Consultant, Harry Sintonen, has discovered a potential security flaw in Intel's Active Management Technology (AMT) that allows hackers in physical proximity of a laptop to take full control of the system and gain remote access, all in under a minute.

F-Secure says the issue is so severe that even the best protections, including BIOS passwords, will fail if the hacker knows his stuff. This is somewhat surprising, given that a system should be inaccessible to a hacker who cannot get past the BIOS password screen. However, by selecting the Management Engine BIOS Extension (MEBx) at boot, the hacker can simply log in using the default 'admin' password, which users commonly leave unchanged. Corporate laptops generally have AMT and vPro enabled so that IT admins can remotely take control of and diagnose the system. On compatible systems, MEBx can be accessed by simply pressing Ctrl+P at boot time. Having gained access to the MEBx, the hacker can change the default password, enable remote access, and set the AMT's user opt-in to 'None'. The machine is now compromised. The cyber criminal can also gain remote access to the corporate network to which the compromised laptop is connected and all hell can break loose.

Intel's AMT exploits have been a cause of concern for many in the corporate world. The Intel Management Engine (ME) is a whole OS in itself, complete with a TCP/IP stack, that makes the lives of admins a tad easier but can also be exploited for nefarious activities in the wrong hands. Disabling the ME can render the system unbootable, although a recent discovery has shown that the ME can indeed be disabled, but that requires firmware editing.

While the probability of a cyber criminal getting physical access to a corporate laptop is somewhat far-fetched, Sintonen lays out a possible scenario:

"Attackers have identified and located a target they wish to exploit. They approach the target in a public place – an airport, a café or a hotel lobby – and engage in an ‘evil maid’ scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time – the whole operation can take well under a minute to complete."

It is not known how Intel would respond to this discovery or what sort of updates can mitigate the issue, but if you are a corporate user, it helps to be aware that such attacks do exist. In the interest of security, it is highly recommended to limit outsider access to corporate assets such as laptops and mobile phones. As the old adage goes, better safe than sorry.

For more details, also refer to the FAQ published by F-Secure linked in the Sources section.

Source(s)

Vaidyanathan Subramaniam, 2018-01-14 (Update: 2018-01-14)