Intel chip vulnerability lets hackers easily hijack fleets of PCs

Security researchers say exploiting the vulnerability requires little technical expertise, and can result in a hacker taking full control of an affected PC.
Written by Zack Whittaker, Contributor

(Image: file photo)

A vulnerability in Intel chips that went undiscovered for almost a decade allows hackers to remotely gain full control over affected Windows PCs without needing a password.

The "critical"-rated bug, disclosed by Intel last week, lies in a feature of Intel's Active Management Technology (more commonly known as just AMT), which allows IT administrators to remotely carry out maintenance and other tasks on entire fleets of computers as if they were there in person, like software updates and wiping hard drives. AMT also allows the administrator to remotely control the computer's keyboard and mouse, even if the PC is powered off.

To make life easier, AMT was also made available through the web browser -- accessible even when the remote PC is asleep -- that's protected by a password set by the admin.

The problem is that a hacker can enter a blank password and still get into the web console, according to independent technical rundowns of the flaw by two security research labs.

Embedi researchers, credited with finding the bug, explained in a whitepaper posted Friday that a flaw in how the default "admin" account for the web interface processes the user's passwords effectively lets anyone log in by entering nothing at the log-on prompt.

"No doubt it's just a programmer's mistake, but here it is: keep silence when challenged and you're in," said the researchers.


(Image: Intel)

Tenable researchers confirmed the findings in a detailed analysis of the flaw, also posted Friday, saying it was relatively easy to remotely exploit.

Intel's advisory said that systems -- including desktops, laptops, and servers -- dating back as early as 2010 and 2011 and running firmware 6.0 and later are affected by the flaw.

But Embedi warned that any affected internet-facing device with open ports 16992 and 16993 are at risk. "Access to ports 16992/16993 are the only requirement to perform a successful attack," said the Embedi researchers.

Since the disclosure, monitors have seen a spike in probing activity on the two affected ports.


Intel so far hasn't said how many devices are affected.

However, a search on Shodan, the search engine for open ports and databases, shows more than 8,500 devices are vulnerable at the time of writing, with almost 3,000 in the US alone -- but there could be thousands more devices at risk on internal networks.


(Screenshot via Shodan)

In a statement, Intel said that it's working with its hardware partners to address the problem, and "expect[s] computer-makers to make updates available beginning the week of May 8 and continuing thereafter."

So far, Dell, Fujitsu, HP, and Lenovo have all issued security advisories and guidance on when they will roll out fixes to their customers. Consumer devices aren't affected by the bug.

The chipmaker has also published a discovery tool to determine if machines are affected.

Editorial standards