Intel AMT Allows BitLocker Bypass In Under A Minute

F-Secure researchers have found that Intel Active Management Technology (AMT) lets an attacker with brief physical access to a laptop sidestep the machine's BIOS password, BitLocker and login protections in under a minute. The attacker does not break the encryption itself; instead, they provision AMT as a persistent remote-management backdoor, after which the machine can be controlled remotely once it is back in its owner's hands.

Intel AMT

Intel AMT is a remote-management feature that runs in firmware on the Intel Management Engine (ME), a separate processor inside the chipset. It is meant to give IT administrators out-of-band access to computers on a network: the machine can be reached and controlled even when its operating system is off, crashed or not yet installed.

However, because the ME is present on virtually every modern Intel platform (AMT itself is only offered on vPro-class business hardware), privacy activists have long worried that it could serve as a backdoor or hand attackers remote access to victims' machines. This is what prompted some Linux computer vendors to start disabling the ME, and AMT with it, on their consumer devices.

Other security researchers also found vulnerabilities in Intel AMT and the underlying ME last year. One of them, disclosed in May 2017 (Intel advisory INTEL-SA-00075, CVE-2017-5689), let a network attacker bypass AMT's authentication outright, and the flaws were described as potentially allowing attackers to "access everything," including memory and encryption keys. Intel released firmware fixes, but shipping them to customers was left to the device makers. Because the affected firmware went back to the first generation of Intel Core systems, many of those machines were never patched.

New AMT Vulnerability

F-Secure researchers have now found a separate issue in AMT, one that stems from insecure default settings rather than a firmware bug. It lets anyone with physical access bypass BitLocker encryption, the BIOS password, a TPM PIN and login credentials on most AMT-equipped laptops in less than a minute.

“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” said Harry Sintonen, the F-Secure security consultant who discovered the bug.

Normally, rebooting a machine and trying to enter the boot menu should prompt for a BIOS password, but most users never set one. Even when a BIOS password is set, it does not protect the Intel Management Engine BIOS Extension (MEBx), the firmware menu used to configure AMT, which is typically reached by pressing Ctrl+P during boot. MEBx has its own password, and unless the PC vendor or the user has changed it, that password is the factory default, "admin".

From there the attacker changes the MEBx password to one only they know, enables remote access via AMT, and sets the user opt-in (the consent prompt that would normally require the person at the keyboard to approve a remote session) to "None". The laptop is now a provisioned management target: whenever the attacker can later get onto the same network as the machine, they can take control of it through AMT's remote console, regardless of the disk encryption or login password, and use it as a foothold on that network. As a real-world example, a border agent who temporarily confiscates a laptop at an airport to inspect its contents could provision it this way and gain remote access to it afterwards.

F-Secure’s Recommendations

F-Secure's first recommendation is never to leave a laptop unattended in an insecure location. For IT departments, it advises either setting a strong MEBx password when AMT is provisioned, so that the factory default can no longer be used, or disabling AMT completely where that is an option. A practical follow-up is to audit the fleet for machines on which AMT is already enabled and answering on the network, since a provisioned AMT interface on a laptop that IT never provisioned is exactly what this attack leaves behind.
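The audit suggested above, as an added example that is not part of the article and not F-Secure's or Intel's tooling: a small scanner that looks for the AMT web interface on a list of hosts. It assumes, as the real firmware does, that AMT's management listener answers HTTP on TCP 16992 (HTTPS on 16993) and identifies itself with a `Server: Intel(R) Active Management Technology <version>` header. The two sample responses at the bottom are constructed for offline testing, not captured from real devices; the host list and the `/index.htm` request path are illustrative.

```python
"""Audit a network for hosts exposing the Intel AMT web interface.

Added example (not from the article, F-Secure or Intel). Assumption: AMT's
listener on TCP 16992 (HTTP) answers with a header of the form
'Server: Intel(R) Active Management Technology <version>'. parse_amt_banner()
classifies a raw HTTP response; probe()/scan() do the live connections.
"""
import re
import socket
from typing import Dict, Iterable, Optional

AMT_HTTP_PORT = 16992   # plaintext AMT web UI; 16993 is the TLS variant (needs ssl wrapping)

# 'Server:' header line, CRLF or LF terminated, case-insensitive, value excludes line ends.
_SERVER_RE = re.compile(rb"^Server:[ \t]*(?P<value>[^\r\n]*)", re.IGNORECASE | re.MULTILINE)
_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def parse_amt_banner(raw: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Return {'server': ..., 'version': ...} if the HTTP response came from an
    AMT firmware listener, or None for anything else (other servers, garbage)."""
    header_block = raw.split(b"\r\n\r\n", 1)[0]       # ignore any body
    m = _SERVER_RE.search(header_block)
    if m is None:
        return None
    server = m.group("value").decode("latin-1").strip()
    if "intel(r) active management technology" not in server.lower():
        return None
    v = _VERSION_RE.search(server)
    return {"server": server, "version": v.group(1) if v else None}


def probe(host: str, port: int = AMT_HTTP_PORT, timeout: float = 2.0):
    """Connect to host:port, send a minimal HTTP/1.0 request and classify the reply.
    Returns the parse_amt_banner() result, or None if the port is closed or filtered."""
    request = b"GET /index.htm HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(request)
            data = b""
            while len(data) < 4096:                   # headers are all we need
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_amt_banner(data)


def scan(hosts: Iterable[str], port: int = AMT_HTTP_PORT) -> Dict[str, Dict[str, Optional[str]]]:
    """Probe each host; return {host: banner_info} for those answering as AMT."""
    found = {}
    for host in hosts:
        info = probe(host, port)
        if info is not None:
            found[host] = info
    return found


# Constructed sample responses for offline testing (not captured from real devices).
SAMPLE_AMT = (b"HTTP/1.1 303 See Other\r\n"
              b"Location: /logon.htm\r\n"
              b"Server: Intel(R) Active Management Technology 11.8.50.3425\r\n"
              b"Content-Length: 0\r\n\r\n")
SAMPLE_OTHER = (b"HTTP/1.1 200 OK\r\n"
                b"Server: nginx/1.14.0\r\n"
                b"Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    import sys
    print(parse_amt_banner(SAMPLE_AMT))    # AMT banner, version 11.8.50.3425
    print(parse_amt_banner(SAMPLE_OTHER))  # None
    # Live scan: python amt_audit.py 10.0.0.10 10.0.0.11 ...  (hosts are illustrative)
    for host, info in scan(sys.argv[1:]).items():
        print(f"{host}: AMT {info['version'] or 'unknown version'} responding on {AMT_HTTP_PORT}")
```

Run it from inside the network segment the laptops sit on, since AMT is reachable only locally unless it has been configured for remote connectivity. Compare the hits against the list of machines IT deliberately provisioned: any laptop that answers here without having been provisioned by IT should be treated as a candidate for the attack described above and have its MEBx settings reviewed.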

It is starting to look like AMT is a liability not only for consumers, who have little use for it, but also for enterprise customers. The convenience it buys may not be worth the exposure that Intel ME and AMT appear to bring.

Now that Intel has made a "security-first pledge," perhaps it is also time for the company to take a long, hard look at Intel ME and AMT and ship them disabled by default, something Purism has been asking of Intel for some time.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • -Fran-
    "First of all, F-Secure recommends to never leave your laptop unwatched in an insecure location. The company also said that IT departments should either set strong passwords for AMT or, if possible, completely disable it."

    Welp, there goes remote working from companies!

    THANKS INTEL.
    Reply
  • Footloose
You might also want to get your facts straight next about AMT being present in consumer-based systems because it most certainly is not. The AMT features have always been and continue to be only on corporate-based chipsets.
    Reply
  • mrmez
    Rough week for Intel.

    Reckon theres a few more of these before the dust settles.
    Reply
  • TJ Hooker
    20587791 said:
    "First of all, F-Secure recommends to never leave your laptop unwatched in an insecure location. The company also said that IT departments should either set strong passwords for AMT or, if possible, completely disable it."

    Welp, there goes remote working from companies!

    THANKS INTEL.
    Remote desktop doesn't use AMT, and thus has nothing to do with this...
    Reply
  • -Fran-
    20595376 said:
    20587791 said:
    "First of all, F-Secure recommends to never leave your laptop unwatched in an insecure location. The company also said that IT departments should either set strong passwords for AMT or, if possible, completely disable it."

    Welp, there goes remote working from companies!

    THANKS INTEL.
    Remote desktop doesn't use AMT, and thus has nothing to do with this...

    And remote desktop is not what I'm talking about.

    Cheers!
    Reply
  • mras
Intel AMT is only enabled on Q-based Intel chipsets, as FOOTLOOSE already said. It has _ALWAYS_ been disabled by default on the roughly 200 different machines I've ever come in contact with. The default password is indeed not very secure, but neither is the default password on any device, and again, it's not accessible by default.
    Take a look at 0:42: that splashing border effect is AMT notifying users that AMT is active. If people don't notice such..., what will they notice?
    And yes, of course, if you leave your computer in the hands of others, they can access vital parts, like resetting your BIOS password, which afaik isn't that hard. It's neither hard to hotwire the AMT chip so you can set a new password, but you need physical access to the machine, knowledge, and time. Most devices have this form of 'security flaw'.
    AMT is only reachable on a local network port. AMT doesn't start a remote server up that others can reach from the internet, unless doing so intentionally.
    Intel's ME utility on Windows warns users if someone is trying to access, with or without success, on top of that previously shown splash screen.

    AMT can best be compared to iKVM chip.
    If you leave that in others hands, with enough time, it will be exact same.

This story more shows how desperately firms are seeking qualified personnel, when this 'storm in a glass of water' can get any attention, by anyone.

    FSecure will for sure not ever get my application after this video!
    Are you sure you want to give them yours?
    Reply