Story image

Corporate users warned Intel AMT flaw has 'destructive' potential

17 Jan 18

Intel technology has been thrown in the spotlight again after security researchers found a potentially ‘destructive’ vulnerability in its AMT solution, commonly deployed in corporate devices.

Australian cybersecurity watchdog Stay Smart Online issued an alert yesterday that details a new flaw in Intel’s Active Management Technology, also known as AMT.

The vulnerability allows attackers who gain physical access to a device to bypass BIOS and Bitlocker passwords. The attacker could then gain remote access to the compromised machine.

AMT is software that provides IT teams maintenance and remote access monitoring in order to control device fleets.

The vulnerability was discovered by security firm F-Secure. The company says that anyone who gains physical access to a machine could create a backdoor in less than 30 seconds.

According to F-Secure security consultant Harry Sintonen, the backdoor is simple to exploit and wields destructive potential.

“In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

F-Secure explains that an attacker just need to reboot or turn on the machine and press CTRL-P during the boot up process.

“The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops.”

“The attacker then may change the default password, enable remote access and set AMT’s user opt-in to 'None.' The attacker can now gain remote access to the system from both wireless and wired networks, as long as they’re able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.”

Stay Smart Online says that if users do not need AMT, they should disable it in their device’s BIOS immediately.
 
“If you do need it, change the default ‘admin’ password to something that is hard to guess.”

F-Secure adds that organisations should analyse all deployed devices and configure the AMT password. If the password is unknown, the device may be compromised.

“We also recommend corporate laptops are never left out of a user's sight, especially in public places such as airports.”

Sintonen further explains how a potential attack could work:

“You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.”

Earlier this month vulnerabilities dubbed ‘Meltdown’ and ‘Spectre’ put AMD, ARM and Intel processors in digital devices including computers, mobile phones, TVs, tablets and routers at risk. The vulnerabilities are not related to the AMT vulnerability.

CERT NZ warned that all devices must be updated to mitigate the vulnerabilities and protect against attacks, which could steal personal information and passwords.

At a CES keynote, Intel CEO Brian Kraznich said that the level of collaboration between industry to address the vulnerabilities has been ‘remarkable’.  

“The best thing users can do to make sure your data remains safe is to apply any updates from your operating system vendor and system manufacturer as soon as they become available,” he said.

How to stay safe when shopping online
Online shopping is a great way to avoid the crowds – but there are risks.
Dell EMC embeds security in latest servers
Dell EMC's 14th generation of PowerEdge servers has comprehensive management tools to provide security across hardware and firmware.
Why data backups should be a part of daily operations
"Disaster recovery needs to address complete system failure and provide a set of security policies to govern disaster incidents."
Businesses focusing on threats from within - survey
Over 50% of respondents reported that 100 days of dwell time or more was representative of their organisation.
Corelight and Exabeam partner to improve network monitoring
The combination of lateral movement and siloed usage of point security products leaves many security teams vulnerable to compromise.
SailPoint releases first identity annual report
SailPoint’s research found that many organisations are lacking maturity in their governance processes over identities.
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.