
Corporate users warned Intel AMT flaw has 'destructive' potential

17 Jan 2018

Intel technology has been thrown into the spotlight again after security researchers found a potentially ‘destructive’ vulnerability in its AMT solution, commonly deployed in corporate devices.

Australian cybersecurity watchdog Stay Smart Online issued an alert yesterday that details a new flaw in Intel’s Active Management Technology, also known as AMT.

The vulnerability allows attackers who gain physical access to a device to bypass BIOS and Bitlocker passwords. The attacker could then gain remote access to the compromised machine.

AMT is software that gives IT teams remote access for monitoring and maintenance so they can control device fleets.

The vulnerability was discovered by security firm F-Secure. The company says that anyone who gains physical access to a machine could create a backdoor in less than 30 seconds.

According to F-Secure security consultant Harry Sintonen, the backdoor is simple to exploit and wields destructive potential.

“In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

F-Secure explains that an attacker just needs to reboot or turn on the machine and press CTRL-P during the boot-up process.

“The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops.”

“The attacker then may change the default password, enable remote access and set AMT’s user opt-in to 'None.' The attacker can now gain remote access to the system from both wireless and wired networks, as long as they’re able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.”

Stay Smart Online says that if users do not need AMT, they should disable it in their device’s BIOS immediately. “If you do need it, change the default ‘admin’ password to something that is hard to guess.”

F-Secure adds that organisations should analyse all deployed devices and configure the AMT password. If the password is unknown, the device may be compromised.

“We also recommend corporate laptops are never left out of a user's sight, especially in public places such as airports.”
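The fleet review recommended above can be expressed as a triage pass over an asset inventory. The following is an added example, not code from F-Secure, Stay Smart Online or Intel; the CSV columns, their values and the `amt_required` allow-list are hypothetical, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export. Column names and values are hypothetical,
# not the output format of any Intel or vendor tool.
SAMPLE_INVENTORY = """\
hostname,amt_state,remote_access,user_opt_in,mebx_password
lt-0001,disabled,no,kvm,set-by-it
lt-0002,enabled,yes,none,unknown
lt-0003,enabled,no,kvm,set-by-it
lt-0004,enabled,yes,none,set-by-it
lt-0005,enabled,no,kvm,default
"""

RANK = {"ok": 0, "fix": 1, "investigate": 2}


def triage(row, amt_required):
    """Return (severity, reasons) for one device record."""
    if row["amt_state"] == "disabled":
        return "ok", []
    findings = []
    if row["mebx_password"] == "unknown":
        # F-Secure: if the password is unknown, the device may be compromised.
        findings.append(("investigate", "MEBx password not known to IT"))
    elif row["mebx_password"] == "default":
        findings.append(("fix", "default 'admin' password still set"))
    needed = row["hostname"] in amt_required
    if not needed:
        # Stay Smart Online: disable AMT in the BIOS when it is not needed.
        findings.append(("fix", "AMT enabled but not required"))
    if row["remote_access"] == "yes" and row["user_opt_in"] == "none" and not needed:
        # Same settings the article says are applied after the MEBx login.
        findings.append(("investigate", "remote access on with user opt-in 'None'"))
    severity = max((s for s, _ in findings), key=RANK.get, default="ok")
    return severity, [r for _, r in findings]


def audit(inventory_csv, amt_required=frozenset()):
    """Map hostname -> (severity, reasons) for every row of the export."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["hostname"]: triage(row, amt_required) for row in reader}


if __name__ == "__main__":
    for host, (severity, reasons) in audit(SAMPLE_INVENTORY, {"lt-0003"}).items():
        print(f"{host}: {severity} {'; '.join(reasons)}")
```

Devices rated `investigate` match the article's "may be compromised" condition and are worth examining before the password is simply reset.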

Sintonen further explains how a potential attack could work:

“You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.”

Earlier this month vulnerabilities dubbed ‘Meltdown’ and ‘Spectre’ put AMD, ARM and Intel processors in digital devices including computers, mobile phones, TVs, tablets and routers at risk. The vulnerabilities are not related to the AMT vulnerability.

CERT NZ warned that all devices must be updated to mitigate the vulnerabilities and protect against attacks, which could steal personal information and passwords.

At a CES keynote, Intel CEO Brian Krzanich said that the level of collaboration across the industry to address the vulnerabilities has been ‘remarkable’.

“The best thing users can do to make sure your data remains safe is to apply any updates from your operating system vendor and system manufacturer as soon as they become available,” he said.
