Intel AMT Security Issue Lets Attackers Bypass BIOS and BitLocker Passwords

F-Secure highlights another critical Intel security issue

The attacker does need to have physical access to the laptop, but there are several scenarios where this could prove to be a trivial issue.

F-Secure said once an attacker had the chance to reconfigure AMT (for which he would initially need physical access to the device in question), the device could be fully controlled remotely by connecting to the same wireless or wired network as the user.

He continued: "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures".

Last month, Intel issued a 4-page PDF, Security Best Practices of Intel Active Management Technology Q&A, that addresses the MEBx default password problem, amongst other security risks. However, security experts have slammed the software in the past, pointing out security weaknesses. It warned: "The weakness can be exploited in mere seconds without a single line of code".

The essence of the security issue is that setting a BIOS password, which normally prevents an unauthorized user from booting up the device or making low-level changes to it, does not prevent unauthorized access to the AMT BIOS extension.

While requiring physical proximity to the target makes the attack harder to initiate than a remote attack like a phishing email, it's not impossible that skilled attackers looking to compromise a particular target could orchestrate a scenario where they could get the brief time with the device they need.

To run an exploit, all an attacker needs to do is power up the target machine and press CTRL+P during boot.

This would allow any attacker to log into Intel Management Engine BIOS Extension (MEBx) using the default password "admin", as this default is probably unchanged on most corporate laptops. The attacker then may change the default password, enable remote access and set AMT's user opt-in to "None". The attacker can now gain remote access to the system from both wireless and wired networks, as long as they're able to insert themselves onto the same network segment with the victim.

"Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop".

Intel AMT is a feature of Intel CPUs that allows system administrators of larger networks to perform remote out-of-band management of personal computers in order to monitor, maintain, update, or perform upgrades from afar, without physical access to devices.

Sintonen further pointed out that even a minute of diverting the attention of the target from their laptop, say at an airport or coffee shop, is enough to do the damage.

F-Secure has contacted manufacturers about the issue.

The problem potentially affects millions of laptops globally. A similar vulnerability has also been previously pointed out by CERT-Bund, but with regard to USB provisioning, Sintonen said. Then in November of 2017, Intel to PC vendors for additional management firmware vulnerable to such attacks, technologies embedded in most Intel-based PCs shipped since 2015.

F-Secure made a number of recommendations. Most AMT-capable devices, F-Secure notes, don't use the feature in the first place.

Although solid operations security is the first step (don't ever leave your laptop unwatched in an insecure location!), there are some basic safeguards all IT departments should implement.
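As an added illustration (not from F-Secure, Intel or the original article), a fleet audit can flag the configuration pattern described above: a MEBx password IT never set, remote access enabled with user opt-in "None", or AMT provisioned without an approved change. The record fields, host names and sample data are constructed assumptions, standing in for whatever an organisation's own inventory tooling reports.

```python
# Added example: record fields, host names and data are constructed assumptions,
# not the output of any real Intel or F-Secure tool.
from dataclasses import dataclass

@dataclass(frozen=True)
class AmtState:
    provisioned: bool      # AMT has been set up for remote management
    remote_access: bool    # network management interface is enabled
    user_opt_in: str       # consent required for remote sessions, e.g. "All" or "None"
    it_password_set: bool  # IT has replaced the MEBx default password

def audit(baseline, current, approved=frozenset()):
    """Return {host: [findings]} for AMT states that match the tampering pattern."""
    report = {}
    for host, now in sorted(current.items()):
        issues = []
        if not now.it_password_set:
            issues.append("MEBx password never set by IT; default may still work")
        if now.remote_access and now.user_opt_in == "None":
            issues.append("remote access enabled with user opt-in None")
        before = baseline.get(host)
        if before is not None and host not in approved:
            if now.provisioned and not before.provisioned:
                issues.append("provisioned since baseline without approved change")
            if now.user_opt_in != before.user_opt_in:
                issues.append(f"user opt-in changed: {before.user_opt_in} -> {now.user_opt_in}")
        if issues:
            report[host] = issues
    return report

# Constructed sample fleet: snapshot at imaging time vs. latest check-in.
BASELINE = {
    "lt-001": AmtState(False, False, "All", False),
    "lt-002": AmtState(True, True, "All", True),
    "lt-003": AmtState(False, False, "All", True),
}
CURRENT = {
    "lt-001": AmtState(True, True, "None", False),  # matches the described attack
    "lt-002": AmtState(True, True, "All", True),    # IT-managed, unchanged
    "lt-003": AmtState(True, True, "All", True),    # provisioned under a change ticket
}

if __name__ == "__main__":
    for host, issues in audit(BASELINE, CURRENT, approved={"lt-003"}).items():
        print(host, *issues, sep="\n  - ")
```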
