Finnish security vendor F-Secure has warned of a vulnerability in Intel AMT that leaves laptops open to attack.
The Intel AMT vulnerability requires that an attacker have physical access to a laptop. They can then bypass security measures in the BIOS, BitLocker and TPM. This allows them to install a backdoor access programme so that they can remotely access the laptop later.
According to Harry Sintonen, Senior Security Consultant at F-Secure, the security issue “is almost deceptively simple to exploit, but it has incredible destructive potential. In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”
How does it work?
Once an attacker has physical access to a device, they power it on, or reboot it if it is already on. During the boot phase they press CTRL-P. This allows the attacker to log into the Intel AMT BIOS Extension (MEBx). The default password is set to “admin” and Sintonen warns that it is unlikely to have been changed on many machines.
Once logged in, the attacker is able to set a new password, preventing anyone else from accessing the BIOS. They can also configure remote access and set the AMT user opt-in to “None”. This now means that the hacker can connect to the device if they are on the same network. In a corporate setting this would allow an insider to gain access to many devices without anyone knowing.
There are several ways this can work outside of the corporate environment. Laptops left in hotel rooms could be attacked by a member of staff or someone with a master key. It could also happen in busy airline lounges. Business travellers regularly leave laptops to get food, drink and use the bathroom. Once infected, the victim can be attacked using the hotel or airline lounge network. They are also at risk when they visit coffee shops or use public networks.
What does this mean?
It is easy to dismiss attacks that require physical access as hard to execute. However, business travellers regularly leave their devices unattended. Hotel rooms, airline lounges and even their desk at work are all places where people feel safe. While the device needs to be rebooted for this to work, users have become used to their laptops resetting due to automated update issues and software bugs.
A user returning to their desk to find the laptop has restarted is unlikely to think, in the first instance, that they might have been hacked. The same is true in airline lounges and hotel rooms.
Intel has not issued a software fix for this attack as it is part of the default behaviour of the Intel AMT software. The issue is arguably not the way Intel AMT works but the failure to change the default “admin” password. Sintonen does say that Intel has updated its advice to users of Intel AMT with an advisory titled “Security Best Practices of Intel Active Management Technology Q&A.”