Intel AMT security flaw lets attackers easily bypass laptop passwords

James Marshall
January 13, 2018

Since the exploit can be completed in seconds, this tactic is quite viable.

The attackers can then log into Intel Management Engine BIOS Extension using the default "admin" password (most likely never altered) and change it to whatever they wish.

"This allows an attacker access to configure AMT and makes remote exploitation possible", said Sintonen.

To run an exploit, all an attacker needs to do is power up the target machine and press CTRL+P during boot.

As of now, the only ways of mitigating the danger are to change the AMT password from its default "admin" setting to something harder to guess - or to just disable the feature entirely. "Now the attacker can gain access to the system remotely, as long as they're able to insert themselves onto the same network segment with the victim - enabling wireless access requires a few extra steps".

"The issue potentially affects millions of laptops globally", said F-Secure consultant Harry Sintonen, who discovered the flaw. The researchers note that no other security measures, including local firewalls, BIOS passwords, anti-malware software, or use of a VPN can prevent a compromised system from leaking data, because it's been compromised outside of the Windows environment, in a separate OS that's completely shielded from any attempt to inspect or control the data flowing out of or into it.

Sintonen claimed in the release that the speed with which the attack can be carried out makes it easily exploitable in a so-called "evil maid" scenario, adding that even a minute of distracting a target from their laptop - at an airport or coffee shop for example - is enough to do the damage.

"The attacker can break into your room and configure your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN". Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.

F-Secure's Sintonen, however, wasn't the only security researcher to unearth the problem. A similar vulnerability, related to USB provisioning, was previously uncovered by CERT-Bund. The AMT issue is unrelated to the recently disclosed Spectre and Meltdown vulnerabilities.

Details of the vulnerability - which can lead to a clean device being compromised in under a minute and can bypass the BIOS password, TPM PIN, BitLocker and login credentials - have been outlined by researchers at F-Secure. F-Secure has contacted manufacturers about the issue. "Despite there being information available for manufacturers on how to prevent this, manufacturers are still not following best practices, leaving vast numbers of vulnerable laptops out there". However, most users don't set one. "That is why it's important to raise public awareness".

Sintonen offers a couple of recommendations to protect against this exploit. An attacker could then alter this password, giving them ongoing access to the system via AMT.

Intel AMT is shipped in various states (enabled or disabled by default) depending on the laptop/desktop OEM's policy.

F-Secure's video discussing the Intel AMT exploit.

A new security flaw has been found in Intel hardware which could enable hackers to access corporate laptops remotely, Finnish cybersecurity specialist F-Secure said on Friday.

If you're an individual running your own device, change the AMT password to a strong one, even if you don't plan on using AMT. In most cases, a mass reconfiguration effort of affected devices is the only way to deal with AMT issues - not fun for a large, global organization.

Although Intel recommends that suppliers require the BIOS password to provision Intel AMT and has produced a Q&A about security best practices for AMT, F-Secure said this and other Intel guides on AMT security have not had the desired effect on the real-world security of corporate laptops.
