Subscribe

Down with AMT? Yeah, you know me —

Researcher finds another security flaw in Intel management firmware [Updated]

Active Management Technology defaults allow anyone to take control of many PCs.

-

Meltdown and Spectre are not the only security problems Intel is facing these days. Today, researchers at F-Secure have revealed another weakness in Intel's management firmware that could allow an attacker with brief physical access to PCs to gain persistent remote access to the system, thanks to weak security in Intel's Active Management Technology (AMT) firmware—remote "out of band" device management technology installed on 100 million systems over the last decade, according to Intel. But Intel says this is basically PC manufacturers' fault for not properly protecting the configuration for AMT in BIOS setup menus.

Further Reading

Here’s how, and why, the Spectre and Meltdown patches will hurt performance

Intel had already found other problems with AMT, announcing last May there was a flaw in some versions of the firmware that could "allow an unprivileged attacker to gain control of the manageability features provided by these products." Then in November of 2017, Intel pushed urgent security patches to PC vendors for additional management firmware vulnerable to such attacks—technologies embedded in most Intel-based PCs shipped since 2015.

Further Reading

PC vendors scramble as Intel announces vulnerability in firmware [Updated]

But the latest vulnerability—discovered in July of 2017 by F-Secure security consultant Harry Sintonen and revealed by the company today in a blog post—is more of a feature than a bug. Notebook and desktop PCs with Intel AMT can be compromised in moments by someone with physical access to the computer—even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords—by rebooting the computer, entering its BIOS boot menu, and selecting configuration for Intel’s Management Engine BIOS Extension (MEBx).

This boot menu could allow an attacker to get remote access to your notebook or desktop.
This boot menu could allow an attacker to get remote access to your notebook or desktop.
Dell

If MEBx hasn't been configured by the user or by their organization's IT department, the attacker can log into the configuration settings using Intel's default password of "admin.” The attacker can then change the password, enable remote access, and set the firmware to not give the computer's user an "opt-in" message at boot time. "Now the attacker can gain access to the system remotely," F-Secure's release noted, "as long as they’re able to insert themselves onto the same network segment with the victim (enabling wireless access requires a few extra steps)."

F-Secure's video discussing the Intel AMT exploit.

The attack requires physical access. But the amount of time required to execute the attack is so short that even a notebook or desktop computer left unattended for a few minutes could be compromised in what is referred to by security researchers as an "evil maid" attack—or in this case, an evil barista, co-worker, fellow airline or train passenger, or anyone else with a few minutes of unhindered access to the computer. The remote access is limited to whatever network the targeted computer connects to, but that can include wireless networks.

Late last month, Intel issued guidelines on best practices for configuring AMT to prevent these and other types of AMT-based attacks on PCs. In the "Q&A" document, Intel acknowledged the problem, but put the onus on PC manufacturers for not properly following Intel's advice:

If the Intel MEBx default password was never changed, an unauthorized person with physical access to the system could manually provision Intel AMT via the Intel MEBx or with a USB key using the default password. If the system’s manufacturer has followed Intel’s recommendation to protect the Intel MEBx menu with the system BIOS password, this physical attack would be mitigated.

Sintonen said that all the laptop computers he had tested so far were vulnerable to the attack.

Update: An Intel spokesperson responded to F-Secure's post, e-mailing the following statement to Ars:

We appreciate the security research community calling attention to the fact that some system manufacturers have not configured their systems to protect Intel Management Engine BIOS Extension (MEBx). We issued guidance on best configuration practices in 2015 and updated it in November 2017, and we strongly urge OEMs to configure their systems to maximize security. Intel has no higher priority than our customers’ security, and we will continue to regularly update our guidance to system manufacturers to make sure they have the best information on how to secure their data.

 

Listing image by Getty Images

Sean Gallagher Sean was previously Ars Technica's IT and National Security Editor, and is now a Principal Threat Researcher at SophosLabs. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.

Channel Ars Technica

Related Stories

    Today on Ars