Intel AMT Loophole Allows Hackers to Gain Control of Some PCs in Under a Minute

Researchers say an unprotected Management Engine BIOS Extension can allow an attacker the ability to configure Intel’s AMT feature for remote access by a hacker.

Researchers have found a loophole in Intel processors that allow an attacker to bypass logins and place backdoors on laptops, allowing adversaries remote access to laptops. Researchers at F-Secure, that first identified the attack strategy, say the loophole can be exploited in less than one minute.

The technique requires attackers to have physical access to computers and also assumes the target has not configured their system to protect the Intel Management Engine BIOS Extension (MEBx) account on PCs that support Intel’s Active Management Technology (AMT).

AMT is Intel’s remote maintenance feature used on Intel vPro-enabled and Xeon processors. MEBx is a BIOS extension used to manually configuring the AMT service. When configured properly, MEBx is password protected.

Researchers at F-Secure, who outlined their research in blog post Friday, said typically users don’t change the MEBx password from the default password “admin”.

“The issue allows a local intruder to backdoor almost any corporate laptop in a matter of seconds, even if the BIOS password, TPM Pin, Bitlocker and login credentials are in place,” F-Secure wrote.

The attack starts with a reboot the target’s laptop into the PC’s boot menu. Typically, an adversary would not be able to bypass a BIOS password, stopping the attack in its tracks, said researchers.

“In this case, however, the attacker has a workaround: AMT. By selecting Intel’s Management Engine BIOS Extension (MEBx), they can log in using the default password ‘admin,’ as this hasn’t most likely been changed by the user. By changing the default password, enabling remote access and setting AMT’s user opt-in to ‘None’, a quick-fingered cyber criminal has effectively compromised the machine,” F-Secure wrote.

This allows the attacker to configure the targeted laptop for remote access later. The one caveat, in order for the attacker to access the laptop remotely it must be able to “insert themselves onto the same network segment with the victim,” according to the research. “Enabling wireless access requires a few extra steps,” they said.

Researchers acknowledge the physical proximity required in the attack limits its potential threat. However, F-Secure researcher Harry Sintonen said there are scenarios where a mix of social engineering combined with the short time needed to conduct the hack can leave some vulnerable.

“Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time – the whole operation can take well under a minute to complete,” Sintonen said.

Intel has responded to F-Secure’s research stating publicly it can’t help it if “some system manufacturers have not configured their systems to protect Intel Management Engine BIOS Extension (MEBx).”

Justin Jett, director of audit and compliance for Plixer, a network traffic analytics firm, said attacks utilizing this method could be effective.

“The Intel AMT security issue is very feasible. Rogue employees who have access to many computers in a corporation and who share the same network space as their colleagues, could take advantage of this vulnerability,” Jett said.

He said the loophole could be closed with a BIOS firmware update to prevent circumventing normal BIOS protocols. “The main objective of organizations in the meantime should be to update systems so they are not using the default password, and to review network traffic analytics data for connections over the Intel AMT ports.”

F-Secure recommends following Intel’s best practices for the AMT feature (PDF) or disabling it completely.

Concerns over the Intel Management Engine have been ongoing for years. In May, Intel patched a critical vulnerability that dated back nine years in the company’s Active Management Technology, which is based on Intel ME. That vulnerability could allow an attacker to gain remote access to AMT services such as the keyboard, video and mouse (KVM), IDE Redirection, Serial over LAN, and BIOS setup and editing.

In November, Intel released patches to protect millions of PCs and servers from vulnerabilities found in its Management Engine that could allow local attackers elevate privileges, run arbitrary code, crash systems and eavesdrop on communications. In August, Positive Technologies published a report on how the US government can disable ME and the public can’t.

Suspicions date back to 2012 over Intel’s implementation of AMT with some labeling it a “backdoor enabled by default.” A reported flaw identified in June 2016 by researcher Damien Zammit claimed that there was a remotely exploitable security hole in the Intel Management Engine that created a secret backdoor allowing a third party to use undetectable rootkits against Intel PCs. Intel denied such claims.

Suggested articles