Finnish cyber security company F-Secure has claimed it has found a security flaw in Intel’s Active Management Technology (AMT) which can allow a hacker to compromise a work laptop within seconds.

AMT is Intel’s proprietary solution for remote access monitoring and maintenance of corporate-grade personal computers, created to allow IT departments or managed service providers to better control their device fleets.

The company said that in July 2017 Harry Sintonen, one of F-Secure’s Senior Security Consultants, discovered unsafe and misleading default behaviour within Intel’s AMT.

“AMT is no stranger to security weaknesses, with many other researchers finding multiple flaws within the system, but Sintonen’s discovery surprised even him,” the company said in a blog post.

“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” Sintonen said.
The issue allows a local intruder to backdoor almost any corporate laptop in a matter of seconds, even if a BIOS password, TPM PIN, BitLocker and login credentials are all in place.
An attacker can reboot the target’s machine and enter the boot menu. In a normal situation, an intruder would be stopped here — as they won’t know the BIOS password, they can’t really do anything harmful to the computer. “In this case, however, the attacker has a workaround: AMT. By selecting Intel’s Management Engine BIOS Extension (MEBx), they can log in using the default password ‘admin’, as this hasn’t most likely been changed by the user,” the company said.
By changing the default password, enabling remote access and setting AMT’s user opt-in to “None”, a quick-fingered cyber criminal has effectively compromised the machine. Now the attacker can gain access to the system remotely, as long as they are able to insert themselves onto the same network segment with the victim. The successful exploitation of the security issue requires physical proximity.
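Because a laptop that has been reconfigured this way answers on Intel AMT’s standard management ports (TCP 16992 for HTTP and 16993 for HTTPS) even when the operating system shows nothing listening, an IT team can audit its own network segment for machines that unexpectedly respond there. The script below is an added example written for this article, not F-Secure’s or Intel’s code; the host list, timeout and thread count are assumptions, and the local listener helper exists only to let the checker be exercised offline.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Standard TCP ports on which a provisioned Intel AMT interface answers.
AMT_PORTS = (16992, 16993)


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_host(host, ports=AMT_PORTS, timeout=1.0):
    """Map each AMT port to whether it is reachable on the given host."""
    return {port: port_open(host, port, timeout) for port in ports}


def audit_segment(hosts, ports=AMT_PORTS, timeout=1.0, workers=16):
    """Check every host concurrently; returns {host: {port: reachable}}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: (h, check_host(h, ports, timeout)), hosts)
    return dict(results)


def looks_provisioned(port_status):
    """AMT that has been enabled for remote access answers on at least one port.

    A machine flagged here whose owner never set up AMT is exactly the case the
    article describes: someone else may have entered MEBx and turned it on.
    """
    return any(port_status.values())


def open_local_listener():
    """Open a listening socket on 127.0.0.1 at an OS-chosen port (self-test aid)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    import sys
    # Hosts come from the command line, e.g. 192.0.2.10 192.0.2.11 (constructed
    # documentation addresses; substitute your own inventory).
    for host, status in audit_segment(sys.argv[1:]).items():
        verdict = "AMT responding" if looks_provisioned(status) else "no AMT ports"
        print(f"{host}: {verdict} {status}")
```

Run it against the address list of the segment you manage and compare the hosts that respond with the list of laptops that were deliberately provisioned; any extra entry should have its MEBx password and remote-access settings checked from the console. A negative result is not proof of safety, since AMT can be provisioned but left without remote access, so the check complements rather than replaces setting a non-default MEBx password on every machine.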