A security vulnerability in Intel’s Active Management Technology (AMT) remote access monitoring and maintenance platform could allow attackers to bypass logins and place a backdoor on a laptop enabling remote access and operation of the machine.
Intel AMT is commonly found on computers using Intel vPro-enabled processors as well as platforms based on some Intel Xeon processors.
Details of the vulnerability – which can lead to a clean device being compromised in under a minute and can bypass the BIOS password, TPM PIN, BitLocker and login credentials – have been outlined by researchers at F-Secure.
“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” said Harry Sintonen, senior security consultant at F-Secure.
This vulnerability is unrelated to the Spectre and Meltdown security flaws found to be embedded in the fundamental design of processors and which are thought to exist in some form in most Intel CPUs since 1995.
The AMT attack requires physical access to the machine, but the speed at which it can be carried out makes it easily exploitable if the laptop is left unattended.
While setting a BIOS password normally prevents an unauthorised user from booting the device or making low-level changes to it, it doesn’t prevent access to the AMT BIOS extension. If the default password hasn’t been changed, an attacker can reconfigure AMT there and make remote exploitation possible.
From there, the attacker can change the default password, enable remote access and set the AMT’s user opt-in to ‘none’, enabling remote access to the device without knowledge or input from the user – so long as they can put themselves on the same network as the victim. However, it’s theoretically possible to monitor the device from outside the local network via an attacker-constructed Client Initiated Remote Access (CIRA) server.
While requiring physical proximity to the target makes the attack more difficult to initiate than a remote attack like a phishing email, it’s not impossible that skilled attackers looking to compromise a particular target could orchestrate a scenario where they could get the brief time with the device they need.
“Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time – the whole operation can take well under a minute to complete,” Sintonen explained.
It isn’t the first time this sort of vulnerability has come to light – another researcher has previously disclosed a similar attack, while CERT-BUND has previously warned about attacks which work much the same way but require USB access to the target device.
To avoid falling victim to this type of attack, F-Secure recommends that system provisioning require a strong password for AMT, and that any password found set to an unknown value be considered suspect. Meanwhile, end users are advised never to leave their laptop unmonitored in an insecure location. F-Secure has contacted manufacturers about the issue.
“We appreciate the security research community calling attention to the fact that some system manufacturers have not configured their systems to protect Intel Management Engine BIOS Extension (MEBx),” an Intel spokesperson told ZDNet.
“We issued guidance on best configuration practices in 2015 and updated it in November 2017, and we strongly urge OEMs to configure their systems to maximize security. Those best configuration practices include running with the least privileged access, keeping firmware, security software and operating systems up to date.”