Intel AMT security flaw lets attackers easily bypass laptop passwords

Intel is having a rough start to the year. Following the ongoing Meltdown and Spectre fiasco, F-Secure is piling on more bad news, saying Intel's Active Management Technology (AMT) gives attackers an easily exploitable backdoor into potentially millions of laptops.

AMT is Intel's proprietary solution that gives IT admins remote access for monitoring and maintaining corporate-grade systems. It is commonly found on business laptops, particularly those with Intel vPro processors. AMT has had its share of security issues in the past, but this new one is arguably the most concerning yet.

"The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures," said Harry Sintonen, senior security consultant at F-Secure.

It doesn't take long to exploit the vulnerability, which is part of what makes this especially concerning. In a matter of seconds, an attacker can gain access to an Intel AMT-enabled laptop, even if there's a BIOS password in place. BitLocker passwords, TPM PINs, and login credentials are no help, either.

An attacker starts by rebooting a target's machine, and then entering the boot menu. Normally this is where an intruder would hit a brick wall if they didn't know the BIOS password. But by selecting Intel's Management Engine BIOS Extension (MEBx), the attacker can log in using the default password "admin," provided it wasn't changed by the user.

"By changing the default password, enabling remote access and setting AMT’s user opt-in to 'None', a quick-fingered cyber criminal has effectively compromised the machine. Now the attacker can gain access to the system remotely, as long as they’re able to insert themselves onto the same network segment with the victim (enabling wireless access requires a few extra steps)," Sintonen explains.

The threat is somewhat mitigated by requiring physical access to a target machine, though Sintonen lays out one possible scenario that isn't far-fetched. In his example, two attackers would work together against a target they wish to exploit. They would do this by approaching the potential victim in a public place, like an airport or hotel lobby, and engage in an "evil maid" scenario.

"Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time—the whole operation can take well under a minute to complete," Sintonen says.

Sintonen offers a couple of recommendations to protect against this exploit. One is to set a strong password for AMT. The other is to disable it completely.

Paul Lilly