Intel AMT security loophole could allow hackers to seize control of laptops

Researchers at F-Secure have warned that laptops can potentially be vulnerable to an attack that can be carried out in under a minute.
Written by Danny Palmer, Senior Writer

A security vulnerability in Intel's Active Management Technology (AMT) remote access monitoring and maintenance platform could allow attackers to bypass logins and place a backdoor on a laptop, enabling remote access and operation of the machine.

Intel AMT is commonly found on computers with Intel vPro-enabled processors as well as systems based on some Intel Xeon processors.

Details of the vulnerability -- which can lead to a clean device being compromised in under a minute and can bypass the BIOS password, TPM PIN, BitLocker and login credentials -- have been outlined by researchers at F-Secure.

"The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual's work laptop, despite even the most extensive security measures," said Harry Sintonen, senior security consultant at F-Secure.

This vulnerability is unrelated to the Spectre and Meltdown security flaws, which are embedded in the fundamental design of processors and are thought to exist in some form in most Intel CPUs since 1995.

The AMT attack requires physical access to the machine, but the speed at which it can be carried out makes it easily exploitable if the laptop is left unattended.


Attackers with physical access to machines that use Intel's AMT can compromise them in under a minute.

While setting a BIOS password normally prevents an unauthorised user from booting the device or making low-level changes to it, it doesn't prevent access to the AMT BIOS extension, allowing an attacker to reconfigure AMT and enable remote exploitation if the default password hasn't been changed.

From there, the attacker can change the default password, enable remote access and set AMT's user opt-in to 'none', enabling remote access to the device without the knowledge of, or input from, the user -- so long as the attacker can get onto the same network as the victim. It is also theoretically possible to monitor the device from outside the local network via an attacker-controlled client-initiated remote access (CIRA) server.

While requiring physical proximity to the target makes the attack more difficult to initiate than a remote attack such as a phishing email, it's not impossible that skilled attackers looking to compromise a particular target could orchestrate a scenario where they could get the brief time with the device they need.

"Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn't require a lot of time -- the whole operation can take well under a minute to complete," Sintonen explained.

It isn't the first time this sort of vulnerability has come to light: another researcher has previously disclosed a similar attack, and CERT-Bund has also discovered attacks that work in much the same way but require USB access to the target device.

To avoid falling victim to this type of attack, F-Secure recommends that system provisioning require a strong password for AMT, and that any AMT password found set to an unknown value be treated as suspect. End users are advised never to leave their laptops unattended in an insecure location. F-Secure has contacted manufacturers about the issue.
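Acting on this advice starts with knowing which machines in a fleet have AMT enabled at all, so that each one can be checked for a known, strong password. The following is an added Python example, not code from the article, F-Secure or Intel: it probes hosts for the AMT web interface on TCP 16992 (HTTP) and 16993 (HTTPS), Intel's documented ports for that interface, and flags any host whose response identifies itself as AMT. The `Server` header pattern and the sample responses are assumptions constructed for illustration, not captures from real firmware; the `prober` parameter lets the audit run offline against those samples.

```python
"""Fleet inventory check for exposed Intel AMT web interfaces.

Added example (not the article's or F-Secure's code). Assumptions:
  * TCP 16992 (HTTP) and 16993 (HTTPS) are Intel AMT's documented web-UI ports.
  * Provisioned AMT firmware answers with a Server header naming
    "Intel(R) Active Management Technology"; the SAMPLE_* responses below are
    constructed for the offline test, not captured from real hardware.
"""
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

AMT_HTTP_PORT = 16992
AMT_HTTPS_PORT = 16993

# Assumed Server header format, e.g. "Intel(R) Active Management Technology 11.8.50.3425".
_SERVER_RE = re.compile(r"Intel\(R\) Active Management Technology\s*([\d.]+)?", re.IGNORECASE)


def parse_amt_banner(response: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Return firmware version and auth scheme if *response* looks like AMT, else None."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the HTTP status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    match = _SERVER_RE.search(headers.get("server", ""))
    if not match:
        return None
    auth_scheme = headers.get("www-authenticate", "").split(" ", 1)[0] or None
    return {"version": match.group(1), "auth": auth_scheme}


def probe_host(host: str, port: int = AMT_HTTP_PORT, timeout: float = 2.0) -> Optional[Dict[str, Optional[str]]]:
    """Send one plain GET / to host:port and classify the reply; any network error yields None."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            while len(data) < 8192:  # headers are all we need; cap the read
                chunk = sock.recv(2048)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_amt_banner(data)


def audit(hosts: Iterable[str], prober: Callable[[str], Optional[dict]] = probe_host) -> List[str]:
    """Return one finding line per host that exposes AMT; *prober* is injectable for offline tests."""
    findings: List[str] = []
    for host in hosts:
        info = prober(host)
        if info:
            findings.append(
                f"{host}: AMT web interface enabled (firmware {info['version'] or 'unknown'}, "
                f"auth {info['auth'] or 'none'}) - verify a non-default password is set"
            )
    return findings


# Constructed sample responses (not real captures) for offline testing.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50.3425\r\n"
    b'WWW-Authenticate: Digest realm="Digest:EXAMPLE", nonce="EXAMPLE", stale="false", qop="auth"\r\n'
    b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n"
)
SAMPLE_NON_AMT_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    # Placeholder hosts from the TEST-NET range; substitute the managed machines to be inventoried.
    for finding in audit(["192.0.2.10", "192.0.2.11"]):
        print(finding)
```

A host that appears in the findings has AMT provisioned and reachable, which is exactly the state the article says an unattended laptop can be put into; the follow-up is to confirm that its MEBx and AMT passwords are ones the organisation set, and to treat any unknown value as suspect, as F-Secure advises.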

"We appreciate the security research community calling attention to the fact that some system manufacturers have not configured their systems to protect Intel Management Engine BIOS Extension (MEBx)," an Intel spokesperson told ZDNet.

"We issued guidance on best configuration practices in 2015 and updated it in November 2017, and we strongly urge OEMs to configure their systems to maximize security. Those best configuration practices include running with the least privileged access, keeping firmware, security software and operating systems up to date."