Intel AMT

An F-Secure security researcher has found a way to use Intel's Active Management Technology (AMT) to bypass BIOS passwords, BitLocker credentials, and TPM PINs and gain access to previously secured corporate computers.

Only laptops and computers on which Intel AMT has been provisioned (configured) are vulnerable, according to F-Secure security researcher Harry Sintonen, who claims to have discovered the issue last July.

Intel AMT is a feature of Intel CPUs that allows system administrators of larger networks to perform remote out-of-band management of personal computers in order to monitor, maintain, update, or perform upgrades from afar, without physical access to devices.

Attackers can boot via MEBx and bypass other login systems

Sintonen says that computers on which AMT has been configured without an AMT password are vulnerable.

He says a malicious actor with access to the device can press CTRL+P during the boot-up process and select the Intel Management Engine BIOS Extension (MEBx) for the boot-up routine, effectively bypassing any previous BIOS, BitLocker, or TPM logins.

A MEBx password is required, but Sintonen says that in most cases companies do not change the default, which is "admin."

The attacker then may change the default password, enable remote access and set AMT’s user opt-in to “None.” The attacker can now gain remote access to the system from both wireless and wired networks, as long as they’re able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.

Attack takes under a minute to perform

Most security experts scoff at attacks that require "physical access" and often downplay the importance of such issues compared to other security bugs.

But because it takes under a minute to perform this attack and configure the device for future remote access, Sintonen says the issue should not be ignored or set aside as unimportant.

Sintonen recommends that companies configure an AMT password so that attackers cannot boot via MEBx and compromise the system. Unlike the Intel Management Engine (ME), AMT can also be disabled, an option that Sintonen recommends in situations where AMT use is not a corporate policy.

Intel AMT is shipped in various states (enabled or disabled by default) depending on the laptop/desktop OEM's policy. Instructions on how to disable the feature vary from OEM to OEM.

"We appreciate the security research community calling attention to the fact that some system manufacturers have not configured their systems to protect Intel Management Engine BIOS Extension (MEBx)," an Intel spokesperson told Bleeping Computer. "We issued guidance on best configuration practices in 2015 and updated it in November 2017, and we strongly urge OEMs to configure their systems to maximize security. Intel has no higher priority than our customers’ security, and we will continue to regularly update our guidance to system manufacturers to make sure they have the best information on how to secure their data."

Article updated with comment from Intel.
