Skip to main content

Intel AMT Allows BitLocker Bypass In Under A Minute

F-Secure researchers found that Intel Active Management Technology (AMT) could allow attackers with physical access to devices to bypass the systems’ BitLocker or BIOS passwords in under a minute. Once the attack succeeds, the machines could be controlled remotely.

Intel AMT

Intel AMT is the software that sits on top of the Intel Management Engine (ME) and is supposed to allow IT administrators to gain out-of-band remote access to computers in a network.

However, as this feature comes enabled by default even on consumer devices, it has worried privacy activists that it can be used as a backdoor or to allow attackers remote access to victims’ machines. This is what prompted some Linux computer vendors to start disabling this functionality, along with the whole Intel ME, on their consumer devices.

Other security researchers also found vulnerabilities in Intel AMT last year, which could have allowed attackers to “access everything,” including memory and encryption keys. Intel released patches then, but it was up to the device makers to send them to their own customers. The vulnerability affected devices back to the first generation of Intel Core, so not all of them were patched.

New AMT Vulnerability

F-Secure researchers found a new vulnerability in AMT that could allow anyone to bypass BitLocker encryption, BIOS password, TPM Pin, and login credentials on most laptops in less than a minute.

“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” said Harry Sintonen, the F-Secure security consultant who discovered the bug.

Normally, when you reboot a machine and try to access the boot menu, you should encounter a BIOS password. However, most users don’t set one. Even if the users do set-up a BIOS password, the attacker can access the Intel Management BIOS Extension (MEBx). This functionality typically comes with the default “admin” password, unless it’s been changed by the PC vendor or the user.

The attacker could then change the MEBx password, enable remote access via AMT, and set the user “opt-in” to “none” in order to compromise the machine. This allows the attacker to control the machine remotely afterwards, as well as access the machine’s network. As a real world example of how this could be used, this could allow, for instance, border agents to gain access to your laptop remotely after they confiscate it temporarily in the airport to check its contents.

F-Secure’s Recommendations

First of all, F-Secure recommends to never leave your laptop unwatched in an insecure location. The company also said that IT departments should either set strong passwords for AMT or, if possible, completely disable it.

It’s starting to look like AMT is not just a headache for consumers—for no good reason, considering they have no use for it—but also a serious issue for enterprise customers. The price they pay for convenience may not be worth the lack of security and the high-risk of compromise Intel ME and AMT seem to provide.

Now that Intel has made a "security-first pledge," perhaps it's also time for the company to take a long, hard look at its Intel ME and AMT functionality and start disabling it on machines by default. This is something that Purism has also asked them to do for some time.

  • Yuka
    "First of all, F-Secure recommends to never leave your laptop unwatched in an insecure location. The company also said that IT departments should either set strong passwords for AMT or, if possible, completely disable it."

    Welp, there goes remote working from companies!

    THANKS INTEL.
    Reply
  • Footloose
    You might also want to get your facts straight next about AMT being present in consumer based systems because it most certainly is not. The AMT features have always been and continue to be only on corporate based chipsets.
    Reply
  • mrmez
    Rough week for Intel.

    Reckon theres a few more of these before the dust settles.
    Reply
  • TJ Hooker
    20587791 said:
    "First of all, F-Secure recommends to never leave your laptop unwatched in an insecure location. The company also said that IT departments should either set strong passwords for AMT or, if possible, completely disable it."

    Welp, there goes remote working from companies!

    THANKS INTEL.
    Remote desktop doesn't use AMT, and thus has nothing to do with this...
    Reply
  • Yuka
    20595376 said:
    20587791 said:
    "First of all, F-Secure recommends to never leave your laptop unwatched in an insecure location. The company also said that IT departments should either set strong passwords for AMT or, if possible, completely disable it."

    Welp, there goes remote working from companies!

    THANKS INTEL.
    Remote desktop doesn't use AMT, and thus has nothing to do with this...

    And remote desktop is not what I'm talking about.

    Cheers!
    Reply
  • mras
    Intel Amt is only enabled, on Q based intel chipsets, as FOOTLOOSE already said. It has _ALLWAYS_ been disabled by default, on the roughly 200 different machines I've iver come in contact with. The default password is indeed not very secure, but neither is the default password on any devices, and again, its not accessible by default.
    Take a look at 0:42, that splashing border effect, is AMT noticing users that AMT is active. If people dont notice such..., what will they notice?
    And yes, of cause, if you leave your computer in hands of others, they can access vital parts, like reseting your bios password, which afaik, isn't that hard. It's neither hard to hotwire the AMT chip, so you can set a new password, but you need physical access to the machine, knowledge, and time. Most devices has this form of 'security flaw'.
    AMT is only reachable on local network port. AMT doesn't start a remote server up, that others can reach from internet, unless doing so intentionally.
    Intel's ME utility on Windows, warns users, if someone is trying to access, even with or without success, on top on that previously splash screen shown.

    AMT can best be compared to iKVM chip.
    If you leave that in others hands, with enough time, it will be exact same.

    This story more shows how desperately firms are seeking for qualified personal, when this 'storm in a glass of water' can get any attention, by anyone.

    FSecure will for sure not ever get my application after this video!
    Are you sure you want to give them yours?
    Reply
  • ravenise
    Is it any wonder why Samsung recently surpassed Intel as the number one chip manufacture in the world? This kind of thing could cost people their lives; critical infrastructure, hospitals, dams, nuclear facilities are all potentially at risk. I imagine the ransomware could come at a cost with the right exploit. Siemens controllers in Fukushimas Nuclear facilities were reportedly infected with Stuxnet causing the cooling systems to malfunction. Symantec confirmed over 60 infections Japan just prior to the event. But who needs Stuxnet when you got something 1000x more dangerous? Something certainly not used or wanted by 99.99999% of the population; certainly not without the ability to securely disable its remote access functions & OOBE protocols. Are you going to sit back and wait for Intel to release a patch for your firmware while your nuclear reactors are on the verge of full blown meltdown? Too little, too late. What is Intel going to do about it? What are you going to do about it? This needs an off switch, and not just for the NSA.
    Reply