For those who don’t know, Intel AMT allows a system administrator to control a complete fleet of systems with ease. Some of you might be surprised to find that AMT is not tied to the OS and works even when the computer is turned off. The flaw discussed here can allow an attacker to backdoor a laptop in less than 30 seconds.
What is the new Intel AMT flaw?
In a usual scenario, the BIOS password prevents unauthorized users from accessing the low-level components of a device. However, due to the discovered issue, an attacker doesn’t need to enter the BIOS password to configure AMT.
That’s not all. Due to an insecure default configuration in the BIOS and AMT’s BIOS extension, an attacker with physical access can configure AMT using the default password ‘admin’. After doing so, the attacker can access the device remotely by connecting to the same network, or by using his own server.
The attack process follows these steps:
- The attacker reboots the target machine and presses CTRL-P during booting. This opens the AMT extension window.
- The attacker logs in using the default ‘admin’ password.
- AMT requests a new password, which can then be set for remotely accessing the machine.
- The attacker configures AMT to allow remote access. The user consent option for access can be disabled for total control. Wireless access can be enabled as well.
- As long as the attacker remains connected to the same network, he can control the device.
- Using the Intel Manageability Developer Tool Kit’s Manageability Commander Tool, the actual operations can be performed over VNC.
In a real-world scenario, an attacker can distract the target for a few seconds and provision the attack using a programmed USB stick.
It’s worth noting that security measures like a local firewall, disk encryption, antimalware, or a VPN are unable to prevent this exploitation. This is probably due to the level of access Intel AMT possesses.
If we talk in strict computer security terms, it’s not a vulnerability. Instead, it’s a combination of an insecure default configuration, a default password, and unexpected behavior.
To mitigate this issue, organizations can adjust their settings and use a strong AMT password or disable AMT altogether. This can also be done when ordering new devices. During inspection, if a PC’s AMT password is found to be already set to an unknown value, the device should be treated with suspicion and appropriate steps should be taken.
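One way to run that inspection across a fleet, as an added example that is not from F-Secure or Intel: probe each managed host for AMT's web interface and compare the result with what IT recorded. Ports 16992/16993 are AMT's standard web-interface ports; the inventory format, host names and status labels are hypothetical, and the check assumes an unconfigured AMT does not answer on the network.

```python
import socket

# Intel AMT's standard web-interface ports (HTTP, TLS); not stated in the article.
AMT_PORTS = (16992, 16993)

def amt_reachable(host, ports=AMT_PORTS, timeout=1.0):
    """Return the AMT ports on `host` that accept a TCP connection."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:  # refused, filtered, unreachable or timed out
            pass
    return open_ports

def triage(inventory, probe=amt_reachable):
    """Compare what answers on the network with what IT recorded.

    inventory maps host -> "provisioned" (IT set the AMT password) or
    "disabled" (AMT was turned off or never set up). Hypothetical format.
    """
    findings = {}
    for host, expected in inventory.items():
        ports = probe(host)
        if ports and expected == "disabled":
            # AMT was configured, but not by IT: its password is unknown to us.
            findings[host] = "suspicious"
        elif not ports and expected == "provisioned":
            findings[host] = "verify"  # host offline, or AMT was reset
        else:
            findings[host] = "ok"
    return findings

if __name__ == "__main__":
    # Constructed sample: inventory plus canned probe results, so this runs offline.
    inventory = {"lt-0141": "disabled", "lt-0142": "provisioned", "lt-0143": "disabled"}
    observed = {"lt-0141": [16992], "lt-0142": [16992, 16993], "lt-0143": []}
    for host, status in triage(inventory, probe=observed.get).items():
        print(f"{host}: {status}")
```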
F-Secure has notified all relevant OEMs and Intel about the issue. End users should read Intel’s AMT guide carefully and avoid taking unnecessary risks.