Intel AMT security locks bypassed on corp laptops – fresh research
Easy as A, B, CTRL+P
Updated Security shortcomings in Intel's Active Management Technology (AMT) can be exploited by miscreants to bypass login prompts on notebook computers.
Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to break into almost any corporate laptop in a matter of 30 seconds or so, according to security biz F-Secure. The issue, which requires physical access to targeted computer to exploit, is unrelated to the recent Spectre and Meltdown vulnerabilities.
The problem potentially affects millions of laptops globally.
AMT offers remote-access monitoring and maintenance of corporate-grade personal computers, allowing remote management of assets. Shortcomings in the tech have been discovered before (examples here and here) but the latest flaw is nonetheless noteworthy because of the ease of exploitation. "The weakness can be exploited in mere seconds without a single line of code," F-Secure reported.
Setting a BIOS password, which normally prevents an unauthorised user from booting up the device or making low-level changes to it, does not prevent access to the AMT BIOS extension. This allows an attacker access to configure AMT and make remote exploitation possible.
To sidestep the password prompts, all an attacker needs to do is power up the target machine, and press CTRL+P during boot. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password "admin", as this is most likely unchanged on most corporate laptops. The attacker would then be free to change the default password, enable remote access, and set AMT's user opt-in to "None".
At this point, the crook would be able to gain remote access to the system as long as they're able to insert themselves onto the same network segment as the victim's machine. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.
How to remote hijack computers using Intel's insecure chips: Just use an empty login stringREAD MORE
The security issue "is almost deceptively simple to exploit, but it has incredible destructive potential," said Harry Sintonen, the senior security consultant at F-Secure who came across the oversight. "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."
Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called "evil maid" scenario. "You leave your laptop in your hotel room while you go out for a drink," he said. "The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources."
Laptop hijackings in an airport or coffee shop may also be possible in cases where a mark either leaves their system unattended or is distracted for a minute or two, perhaps by the accomplice of the hacker.
Sintonen and his colleagues at F-Secure have come across the issue repeatedly since early summer last year. A similar vulnerability, related to USB provisioning, was previously uncovered by CERT-Bund. The issue highlighted by F-Secure is distinct from that and other recent problems, the company confirmed, and relates to the insecure configuration and deployment of Intel AMT.
A large part of the problem is that enterprises are not following Intel's guidance in practice, said F-Secure, adding that it was going public in order to draw attention to the issue.
"We discovered the issue this summer, and since discovering it, we have found it in thousands of laptops," F-Secure told El Reg. "Despite there being information available for manufacturers on how to prevent this, manufacturers are still not following best practices, leaving vast numbers of vulnerable laptops out there. Organisations and users are left to protect against this themselves, but most don’t realise this is a problem. That is why it's important to raise public awareness."
F-Secure's research indicates that some system manufacturers were not requiring a BIOS password to access MEBx. As a result, an unauthorised person with physical access to a computer in which access to MEBx is not restricted, and in which AMT is in factory default, could potentially alter its AMT settings.
El Reg understands that Intel began telling systems manufacturers to provide a system BIOS option to disable USB provisioning and to set the value to disable by default as far back as 2015. This guidance (PDF) was updated and reiterated last November.
F-Secure reports that despite all this guidance, insecure Intel AMT setups remain widespread:
While Intel has written extensive guides on AMT, they have not had the desired impact on the real world security of corporate laptops.
The issue affects most, if not all, laptops that support Intel Management Engine/Intel AMT. Chipzilla advises vendors to require the BIOS password when rolling out AMT. However, many device manufacturers do not follow this advice.
F-Secure recommends enterprises adjust the system provisioning process to include setting a strong AMT password, and disabling AMT if this option is available. Below is a video by F-Secure on its findings... ®
Updated to add
A spokesperson for Intel has been in touch to tell us: “We appreciate the security research community calling attention to the fact that some system manufacturers have not configured their systems to protect Intel Management Engine BIOS Extension (MEBx).
"We issued guidance on best configuration practices in 2015 and updated it in November 2017, and we strongly urge OEMs to configure their systems to maximize security. Intel has no higher priority than our customers’ security, and we will continue to regularly update our guidance to system manufacturers to make sure they have the best information on how to secure their data.”
Sponsored: Becoming a Pragmatic Security Leader