An F-Secure security researcher has found a way to use Intel's Active Management Technology (AMT) to bypass BIOS passwords, BitLocker credentials, and TPM PINs and gain access to previously secured corporate computers.
Only laptops and computers on which Intel AMT has been provisioned (configured) are vulnerable, according to F-Secure security researcher Harry Sintonen, who says he discovered the issue last July.
Intel AMT is a feature of Intel CPUs that allows system administrators of larger networks to perform remote out-of-band management of personal computers in order to monitor, maintain, update, or perform upgrades from afar, without physical access to devices.
Attackers can boot via MEBx and bypass other login systems
Sintonen says that computers on which AMT has been configured without an AMT password are vulnerable.
He says a malicious actor with access to the device can press CTRL+P during boot-up and select the Intel Management Engine BIOS Extension (MEBx) from the boot menu, effectively bypassing any BIOS, BitLocker, or TPM login prompt that would otherwise apply.
A MEBx password is required, but Sintonen says that in most cases companies do not change the default, which is "admin."
Attack takes under a minute to perform
Most security experts scoff at the idea of attacks that require "physical access" to perform and often downplay the importance of such issues compared to other security bugs.
But because this attack takes under a minute to perform and to configure the device for future remote access, Sintonen says the issue should not be ignored or dismissed as unimportant.
Sintonen recommends that companies configure an AMT password so that attackers cannot boot via MEBx and compromise the system. Unlike the Intel Management Engine (ME) itself, AMT can also be disabled outright, an option Sintonen likewise recommends wherever AMT use is not required by corporate policy.
Intel AMT ships in various states (enabled or disabled by default) depending on the laptop or desktop OEM's policy, and instructions on how to disable the feature vary from OEM to OEM.
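Because only provisioned machines are exposed, the first step for a defender is an inventory of which hosts in the fleet actually have AMT enabled. The following is an added example (not code from the article or from F-Secure) of a small audit helper; it assumes that a provisioned AMT host serves its management web interface on TCP 16992 (HTTP) or 16993 (HTTPS) and identifies itself with a "Server: Intel(R) Active Management Technology x.y.z" header. Hosts it flags are the ones whose MEBx password should be verified or whose AMT should be disabled.

```python
"""Fleet audit helper for Intel AMT provisioning (added example, not the article's code).

Assumption: a provisioned AMT host answers on TCP 16992/16993 with a
'Server: Intel(R) Active Management Technology <version>' response header.
"""
import http.client
import re

AMT_PORTS = (16992, 16993)  # documented AMT web-interface ports (HTTP, HTTPS)
_SERVER_RE = re.compile(r"Intel\(R\) Active Management Technology\s*([\d.]*)", re.I)

# Constructed sample of the response headers such a host returns (not captured from a real machine).
SAMPLE_AMT_HEADERS = {
    "Server": "Intel(R) Active Management Technology 11.8.50",
    "WWW-Authenticate": 'Digest realm="Digest:EXAMPLE", nonce="example"',
}


def classify_headers(headers):
    """Decide from a response header mapping whether the responder is an AMT web UI.

    Header names are matched case-insensitively. Returns (is_amt, version);
    version is None when the Server header carries no version string.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    match = _SERVER_RE.search(lower.get("server", ""))
    if not match:
        return False, None
    return True, (match.group(1) or None)


def probe_host(host, port=16992, timeout=3.0):
    """Contact one host on the AMT HTTP port; return (reachable, is_amt, version)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        is_amt, version = classify_headers(dict(resp.getheaders()))
        return True, is_amt, version
    except (OSError, http.client.HTTPException):
        return False, False, None  # closed port, timeout or malformed reply
    finally:
        conn.close()


def audit_fleet(hosts, port=16992):
    """Return the subset of hosts that answer as AMT, i.e. appear provisioned."""
    return [h for h in hosts if probe_host(h, port)[1]]


if __name__ == "__main__":
    print(classify_headers(SAMPLE_AMT_HEADERS))  # (True, '11.8.50')
```

Run `audit_fleet` against your own asset list; anything it returns has AMT reachable over the network and should be checked for a non-default MEBx password.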
"We appreciate the security research community calling attention to the fact that some system manufacturers have not configured their systems to protect Intel Management Engine BIOS Extension (MEBx)," an Intel spokesperson told Bleeping Computer. "We issued guidance on best configuration practices in 2015 and updated it in November 2017, and we strongly urge OEMs to configure their systems to maximize security. Intel has no higher priority than our customers’ security, and we will continue to regularly update our guidance to system manufacturers to make sure they have the best information on how to secure their data."
Article updated with comment from Intel.
Comments
pccobbler - 6 years ago
Users of enterprise laptops are pretty much stuck with AMT, but as the following Intel vPro Expert Center link states, adding an Ethernet card, whether Intel or not, to a desktop PC prevents the system from supporting Intel AMT out-of-band. And if an individual buys Intel hardware and does not intend to manage it via AMT, the processor should be one that does not support vPro. https://communities.intel.com/thread/114211
Occasional - 6 years ago
Thanks CC for not following the "...scoff at the idea of attacks that require "physical access" to perform and often downplay the importance of such issues compared to other security bugs..." herd.
A number of points worth considering.
"...malicious actor with access to the device can..." Access to the device - that's all, not account credentials, or any other access or privileges.
To use just one scenario example: a user leaves a laptop, shut down, Kensington-locked, with BitLocker assurance, for a between-session break. The user returns to find the laptop just as he or she left it - apparently.
That's a valuable opening to a preselected high-value target network, even one that's air-gapped. Maybe they trace the breach back to the employee (after the damage is done); then the trail goes cold.
That part about leaving the MEBx (or any) default password as "admin" - enterprise IT departments that are still doing that, while spending upwards of 20% of their budgets on cybersecurity, deserve what they get; but do the enterprise partners, clients, customers...?
Then there's this: "Sintonen recommends...". Is this another case, like Meltdown/Spectre, where a researcher finds a vulnerability that has apparently not been seen by bad actors until they get to learn of it - by it being made public?
NickAu - 6 years ago
"Most security experts scoff at the idea of attacks that require "physical access" to perform and often downplay the importance of such issues compared to other security bugs."
When it comes to high-value targets, physical access is as dangerous as any other exploit and shouldn't be ignored. Govts, business and the military are all at risk; there are lots of valid reasons for an undercover operative to be in the General's, CEO's or Minister's/Secretary's office or outer office, and if it only takes a minute or 2.
SuperSapien64 - 6 years ago
Ironically, I wouldn't be surprised if AMT was partly designed as a back door for the government and now it's coming back to bite them in the a**.