F-Secure, a cybersecurity research firm, has found a vulnerability in Intel’s Active Management Technology (AMT). The company describes the flaw as “misleading” and allows local attackers to potentially control laptops. AMT is a solution owned by Intel that allows remote access for monitoring and maintenance of enterprise-level laptops. It gives businesses the ability to arm their IT admins to manage service providers and manage networked devices. Harry Sintonen, a Senior Security Consultant at F-Secure discovered the vulnerability in AMT last July. He says flaws in AMT are not uncommon, but this particular gap in security is a worst nightmare for IT departments. “The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” Sintonen says.
How simple? Well, an attack would be able to enter a corporate laptop through a back door. It would not matter if the machine had protection or login credentials, hackers could access in seconds. This would be achieved by rebooting the target laptop and entering the boot menu. This would normally lead to the BIOS password and a wall difficult to pass for the attacker. However, thanks to the AMT flaw, the attacker could select the AMT Extension and login as a default “admin” password. After this, the hacker can change AMT users input to none and enable remote access on the machine. This would now provide complete access from a remote location, as long as it is on the same network. “Attackers have identified and located a target they wish to exploit. They approach the target in a public place – an airport, a café or a hotel lobby – and engage in an ‘evil maid’ scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time – the whole operation can take well under a minute to complete,” Sintonen says.
Preventing an Attack
It is worth noting Intel has not patched this issue, so it is an active flaw. However, IT departments can take some simple steps to avoid being compromised. “The system provisioning process needs to be updated to include setting a strong password for AMT, or disabling it completely if possible… In most cases, a mass reconfiguration effort of affected devices is the only way to deal with AMT issues – not fun for a large, global organization. Our recommendation is to query the amount of affected assets remotely, and try to narrow the list down to a more manageable number. Organizations with Microsoft environments and domain connected devices can also take advantage of the System Center Configuration Manager to provision AMT.”