Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and BitLocker PINs to backdoor almost any corporate laptop in a matter of seconds.
F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and BitLocker passwords and TPM PINs, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally.
The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” says Harry Sintonen, who investigated the issue in his role as senior security consultant at F-Secure. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”
Intel AMT is a solution for remote access monitoring and maintenance of corporate-grade personal computers, created to allow IT departments or managed service providers to better control their device fleets. The technology, which is commonly found in corporate laptops, has been called out for security weaknesses in the past, but the pure simplicity of exploiting this particular issue sets it apart from previous instances. The weakness can be exploited in mere seconds without a single line of code.
The essence of the security issue is that setting a BIOS password, which normally prevents an unauthorised user from booting up the device or making low-level changes to it, does not prevent unauthorised access to the AMT BIOS extension (MEBx). If the AMT password has been left at its default, anyone with physical access can enter the extension, configure AMT, and thereby make remote exploitation possible.
Although the initial attack requires physical access, Harry explains that the speed with which it can be carried out makes it easily exploitable in a so-called ‘evil maid’ scenario. “You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.” Harry points out that even a minute of distracting a target from their laptop at an airport or coffee shop is enough to do the damage.
The issue affects most, if not all, laptops that support Intel Management Engine/Intel AMT. It is unrelated to the recently disclosed Spectre and Meltdown vulnerabilities.
To end users
- Never leave your laptop unwatched in an insecure location such as a public place.
- Contact your IT service desk to handle the device.
- If you’re an individual running your own device, change the AMT password to a strong one, even if you don’t plan on using AMT. If there’s an option to disable AMT, use it. If the password is already set to an unknown value, consider the device suspect.
To IT departments
- Adjust the system provisioning process to include setting a strong AMT password, and disabling AMT if this option is available.
- Go through all currently deployed devices and configure the AMT password. If the password is already set to an unknown value, consider the device suspect and initiate incident response procedures.
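As an added inventory aid for the "go through all currently deployed devices" step (example code, not from F-Secure or the article), the following Python script probes hosts for Intel AMT's web interface so a fleet can be checked for devices where AMT is enabled and still needs its password set or the feature disabled. It assumes that AMT's built-in HTTP service listens on TCP 16992 and names itself in the Server header; the sample response is constructed.

```python
import http.client

# Assumed facts (not stated in the article): AMT's built-in web server
# listens on TCP 16992 (16993 for TLS) and names itself in its Server header.
AMT_HTTP_PORT = 16992
AMT_SERVER_MARKER = "intel(r) active management technology"

# Constructed sample of what an AMT-enabled host answers on port 16992.
SAMPLE_AMT_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Intel(R) Active Management Technology 11.8.50\r\n"
    'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF"\r\n'
    "Content-Length: 0\r\n\r\n"
)

def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def is_amt_banner(server):
    """True when the Server header identifies Intel AMT's web interface."""
    return bool(server) and AMT_SERVER_MARKER in server.lower()

def probe_host(host, port=AMT_HTTP_PORT, timeout=3.0):
    """Ask host:port for '/' and record whether AMT's web service answered."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        server = conn.getresponse().getheader("Server")
        conn.close()
    except (OSError, http.client.HTTPException):
        return {"host": host, "reachable": False, "amt": False}
    return {"host": host, "reachable": True, "amt": is_amt_banner(server)}

def triage(results):
    """Sort probe results so AMT-enabled hosts get the password/disable review."""
    groups = {"amt_enabled": [], "no_amt_web": [], "unreachable": []}
    for r in results:
        key = ("unreachable" if not r["reachable"]
               else "amt_enabled" if r["amt"] else "no_amt_web")
        groups[key].append(r["host"])
    return groups
```

A host that does not answer on 16992 may still have AMT unprovisioned, which is exactly the state the walk-up attack abuses, so this inventory complements rather than replaces checking the MEBx password on each device.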