Research from the security firm F-Secure has fairly serious implications for anyone using a PC with an Intel processor. The research, published in a blog post on F-Secure's website, describes a physical-access exploit that lets an attacker plant a backdoor on a laptop in under a minute. The goal of the attack is to give a threat actor remote access to the machine through that backdoor. The exploit involves Intel's Active Management Technology (AMT) and was first discovered by F-Secure's Senior Security Consultant Harry Sintonen in July 2017. The root cause is AMT's default configuration, which is reachable from the machine's boot menu. (This is not the first Intel AMT security problem to surface recently.) The F-Secure post explains it as follows:
An attacker starts by rebooting the target’s machine, after which they enter the boot menu... by selecting Intel’s Management Engine BIOS Extension (MEBx), they can log in using the default password 'admin,' as this hasn’t most likely been changed by the user. By changing the default password, enabling remote access and setting AMT’s user opt-in to 'None,' a quick-fingered cybercriminal has effectively compromised the machine. Now the attacker can gain access to the system remotely, as long as they’re able to insert themselves onto the same network segment with the victim.
As some might be thinking, this requires physical access, which makes the attack harder to carry out in practice. Never, ever underestimate the power of social engineering, though (just ask the legend himself, Kevin Mitnick; many of his hacks involved social engineering). You'd be surprised how close to sensitive machines you can get with the proper training in this devious art. The process of inserting a backdoor via AMT is so quick, no more than a minute, that one should never write off this exploit as impractical.
So how do we respond to the threat of this particular exploit? One rather obvious step is educating yourself on social engineering methods and practicing better physical security. That is a given, however, and it does not directly address the AMT boot-menu exploit itself.
The F-Secure blog post had this to say, and it seems to be the soundest advice one can give:
The system provisioning process needs to be updated to include setting a strong password for AMT, or disabling it completely if possible. IT should also go through all currently deployed machines, and organize the same procedure for them.
Remediating this Intel AMT security exploit will be a massive undertaking for IT departments, but at least there are viable solutions to a rather concerning problem.
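Part of that undertaking is knowing which deployed machines actually have AMT enabled and listening. As an added example, not code from the F-Secure post or from this article, here is a small Python helper that an IT team could run against its own subnet to inventory AMT web listeners. It assumes that AMT's built-in web interface answers plain HTTP on TCP port 16992 (its TLS counterpart on 16993 is not probed here) and that it identifies itself with a Server header beginning "Intel(R) Active Management Technology", which is the commonly documented fingerprint; the sample responses at the bottom are constructed for illustration.

```python
"""Inventory helper for Intel AMT web listeners (added example, not from the article)."""
import socket
from typing import Optional

AMT_HTTP_PORT = 16992  # AMT plain-HTTP web interface; 16993 is the TLS variant (not probed here)
AMT_SERVER_PREFIX = "Intel(R) Active Management Technology"  # assumed Server header prefix


def parse_amt_banner(raw: bytes) -> Optional[dict]:
    """Return {'version': ..., 'status': ...} if an HTTP response looks like AMT, else None.

    Assumption: AMT's web server advertises itself as
    'Server: Intel(R) Active Management Technology <version>'.
    """
    text = raw.decode("latin-1")  # never raises; headers are ASCII anyway
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        return None  # not an HTTP response at all
    status_parts = lines[0].split(" ", 2)
    status = status_parts[1] if len(status_parts) > 1 else ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            value = value.strip()
            if value.startswith(AMT_SERVER_PREFIX):
                version = value[len(AMT_SERVER_PREFIX):].strip() or "unknown"
                return {"version": version, "status": status}
    return None  # some other web server, or no Server header


def probe_host(host: str, port: int = AMT_HTTP_PORT, timeout: float = 2.0) -> Optional[dict]:
    """Send a minimal HTTP GET to host:port and fingerprint the reply with parse_amt_banner."""
    request = (f"GET /index.htm HTTP/1.1\r\nHost: {host}:{port}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while sum(len(c) for c in chunks) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except OSError:
        return None  # closed port, timeout, or unreachable host: nothing listening
    return parse_amt_banner(b"".join(chunks))


def inventory(hosts) -> dict:
    """Map each host to its AMT fingerprint (or None) so IT can schedule MEBx hardening."""
    return {host: probe_host(host) for host in hosts}


# Constructed sample responses, used to exercise the parser offline.
SAMPLE_AMT_RESPONSE = (b"HTTP/1.1 303 See Other\r\n"
                       b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
                       b"Location: /logon.htm\r\nContent-Length: 0\r\n\r\n")
SAMPLE_OTHER_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"
                         b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(parse_amt_banner(SAMPLE_AMT_RESPONSE))    # {'version': '11.8.50', 'status': '303'}
    print(parse_amt_banner(SAMPLE_OTHER_RESPONSE))  # None
    # Live use against your own fleet, e.g.:
    # for host, result in inventory(["192.0.2.10", "192.0.2.11"]).items(): print(host, result)
```

Any host that returns a fingerprint belongs on the list of machines whose MEBx password must be changed from the default and whose AMT should be disabled if it is not needed; a None result only means nothing answered on the plain-HTTP port, not that AMT is off.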
Photo credit: Flickr / Ultra Mendoza