Intel AMT security called into question: business laptops are at risk

F-Secure has identified a security problem in Intel AMT (Active Management Technology), which is used in millions of business laptops around the world. A hacker who has physical access to the device can compromise it in less than 30 seconds, without having to enter any credentials (BIOS password, BitLocker password, TPM PIN), and then gain remote access to the laptop through Intel AMT.

Gaining access to a device through Intel AMT is surprisingly easy, which can be a big threat to its users. In practice, the hacker is able to take full control of an employee's work laptop, even when all security measures are in use, warns Harry Sintonen, senior security consultant at F-Secure, who discovered the problem.

Intel AMT is a solution for remote management and monitoring of enterprise-class personal computers, designed to give IT departments or service providers better control over the devices. The technology, commonly used in business laptops, has had security problems in the past. However, the ease with which access to the device can now be obtained, without even a single line of code, makes this threat significantly different from the previous ones. The essence of the problem is that setting a BIOS password, which usually prevents an unauthorized user from booting the device or making low-level changes, does not prevent unauthorized access to the AMT BIOS Extension (MEBx).

A hacker could configure the AMT so that you can remote control over your

To gain access to the laptop, an attacker needs to:

  • restart the device and press CTRL-P during boot.
  • log on to the Intel Management Engine BIOS Extension (MEBx) with the password "admin", which is set as the default on most business laptops.
  • change the default password, enable remote access, and remove the need for user consent to a remote session by setting "AMT user opt-in" to "none".

From this point, the hacker can gain remote access to the system over a wired or wireless network, provided that they are connected to the same network as the victim. Access to the device is also possible from outside the network through a CIRA server managed by the hacker.

The speed at which the attack can be carried out makes it easily feasible in an Evil Maid scenario:

Suppose a company employee leaves their laptop in a hotel room and goes out. A hacker breaks into the room and changes the settings on the computer in less than a minute, and can then gain access to the desktop when the employee uses the laptop while connected to a wireless network. Because the device connects to the corporate network (VPN), the hacker can gain access to enterprise resources. Just a minute of carelessness at an airport or in a café is enough for a hacker to take control of the laptop, stresses Harry Sintonen from F-Secure.

Sintonen discovered the problem in July 2017 and points out that another researcher also drew attention to this threat in a recent talk. It is particularly important that organizations learn about the problem and act proactively, before cyber criminals start to exploit it. Sintonen says a similar threat was previously reported by the CERT-Bund organization, but that one involved changing the device configuration by using a USB drive. The problem affects most laptops that support Intel Management Engine/Intel AMT and is not related to the recently disclosed Spectre and Meltdown vulnerabilities.

Intel recommends that manufacturers require the BIOS password in order to configure Intel AMT. A document with recommendations on appropriate security measures, prepared for this purpose by Intel and dated December 2017, is available: "Security Best Practices of Intel Active Management Technology Q&A".

The recommendations of the

For end users:

  • Do not leave your laptop unattended, especially in public places.
  • Contact your company's IT department to have your device set up.
  • For your own device, you must set a strong password for AMT, even if you don't plan to use this technology. If you have the option to disable AMT, you might want to take advantage of it. If the password is already set to an unknown value, the device may have been attacked in the past.

For organizations:

  • It is recommended that you change the system provisioning process to include setting a strong AMT password, or disabling AMT if such an option is available.
  • You must configure the AMT password on all devices currently in use. If the password is already set to an unknown value, you should treat the device as suspicious and start the security incident response procedure.
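
The organization-side recommendations above, applied as a triage pass over a fleet audit export. This is an added example, not code from F-Secure or Intel: the CSV columns, their values and the action names are assumptions, and the `review-config` rule is an extra check added here for devices whose consent or remote-access settings were changed outside IT provisioning.

```python
import csv
import io

# Constructed audit export; column names and values are assumptions of this example.
SAMPLE_INVENTORY = """\
host,amt_supported,mebx_password,user_opt_in,remote_access,provisioned_by_it
lt-001,yes,default,kvm,off,no
lt-002,yes,unknown,none,on,no
lt-003,yes,managed,all,on,yes
lt-004,yes,managed,none,on,no
lt-005,no,,,,no
lt-006,yes,,kvm,off,no
"""

SEVERITY = {"incident-response": 0, "review-config": 1, "set-strong-password": 2,
            "audit-needed": 3, "ok": 4, "not-applicable": 5}

def triage(row):
    """Map one audited device to the action the recommendations call for."""
    if row["amt_supported"] != "yes":
        return "not-applicable"
    pw = row["mebx_password"]
    if pw == "unknown":
        # Neither "admin" nor the IT-recorded password works: treat as suspicious.
        return "incident-response"
    if pw == "default":
        # Still "admin": set a strong password (or disable AMT) even if AMT is unused.
        return "set-strong-password"
    if pw != "managed":
        return "audit-needed"  # password state was never checked
    # Assumed extra rule: password is IT's, but consent was removed or
    # remote access enabled on a device IT never provisioned.
    if row["provisioned_by_it"] != "yes" and (
            row["user_opt_in"] == "none" or row["remote_access"] == "on"):
        return "review-config"
    return "ok"

def triage_fleet(csv_text):
    """Return (host, action) pairs, most urgent first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    results = [(r["host"], triage(r)) for r in rows]
    return sorted(results, key=lambda item: (SEVERITY[item[1]], item[0]))

if __name__ == "__main__":
    for host, action in triage_fleet(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```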
