
Round-up: Evil Maid Attack – corporate network and computer devices with Weak Intel AMT security

CyberWisdom Safe Harbor Commentary:

The four curated articles below report that researchers found a weakness in how Intel Active Management Technology (AMT) is configured on many corporate laptops. It lets an attacker with brief physical access bypass the machine's logins and plant a backdoor that gives remote access to the laptop afterwards. F-Secure researchers identified the attack and say it can be carried out in less than a minute.

The attack requires physical access to the computer and assumes that the target has not been configured to protect the Intel Management Engine BIOS Extension (MEBx) account on a PC that supports Intel Active Management Technology (AMT).

Because it can be carried out on an unattended machine, it is an evil maid attack, and it ends with the adversary holding full remote access to a corporate laptop, and through it a foothold on the corporate network, without writing a single line of code.

The issue was found by Harry Sintonen, a senior security consultant at F-Secure, and made public on 12 January 2018. It is unrelated to the AMT firmware vulnerability disclosed in May 2017 and to the Meltdown and Spectre issues in the news at the same time.

“The attack is almost deceptively simple to enact, but it has incredible destructive potential,” explains Sintonen. “In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

The problem is that setting a BIOS password (standard practice) usually does not prevent access to the AMT BIOS extension, the Intel Management Engine BIOS Extension (MEBx). Unless that separate password has been changed, the default password “admin” will usually give an attacker access to AMT.

AMT is a hardware-based out-of-band remote management tool. It runs at chip level, independent of any software or operating system: it needs only power and a network connection. Its purpose is to give IT staff remote access to and control over enterprise equipment, which is especially useful for laptops far from the office. It is found on computers with Intel vPro processors and on workstation platforms based on certain Intel Xeon processors, in short, on the vast majority of corporate endpoints.

An attacker with physical access to the device simply powers it on, presses CTRL-P during boot to enter MEBx, and logs in with “admin”. F-Secure writes: “By changing the default password, enabling remote access and setting AMT’s user opt-in to ‘None’, a quick-fingered cyber criminal has effectively compromised the machine.”

The device itself may be considered secure, with a strong BIOS password, a TPM PIN, BitLocker and login credentials, but if an attacker can get onto the same network segment as the victim, all of these protections can be bypassed remotely. “In some cases,” F-Secure warns, “attackers can also program AMT to connect to their own server, which removes the need to be on the same network as the victim.”

Once such an attack is successful, the target device is fully compromised and an attacker can remotely read and modify all the data and applications available to authorized users.
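The sequence above (default MEBx password, remote access switched on, user opt-in set to None) leaves a laptop whose AMT web console answers on TCP 16992 and accepts the credentials admin/admin from anyone on the segment. The script below is an added example, not code from F-Secure, Intel or any of the articles in this round-up. It is the audit a fleet administrator would run across a network segment to find machines still in that state, and to confirm the fix after setting a strong AMT password or disabling AMT. It answers the console's HTTP Digest challenge by hand (RFC 2617, qop="auth") rather than relying on vendor tooling. The host names are whatever you pass on the command line; the port, Server header text and Digest scheme are the ones AMT's web console is known to use, and the challenge in the self-test is constructed.

```python
#!/usr/bin/env python3
"""Find hosts whose Intel AMT web console still accepts the factory password.

Added example for this round-up; not code from F-Secure, Intel or the articles.
Probes the AMT web console (TCP 16992, plain HTTP) and answers its HTTP Digest
challenge (RFC 2617, qop="auth") so it can tell "no AMT", "AMT provisioned but
protected" and "AMT accepts admin/admin" apart.  Hosts come from the command
line; the challenge used for offline testing is constructed.
"""
import argparse
import hashlib
import http.client
import secrets

AMT_HTTP_PORT = 16992        # AMT web console over plain HTTP (16993 is the TLS twin)
DEFAULT_USER = "admin"
DEFAULT_PASS = "admin"       # factory MEBx/AMT password the attack relies on
PROBE_PATH = "/index.htm"


def md5_hex(text):
    """MD5 as lowercase hex; Digest authentication is defined in terms of it."""
    return hashlib.md5(text.encode()).hexdigest()


def looks_like_amt(server_header):
    """AMT names itself in the Server header, e.g.
    'Intel(R) Active Management Technology 11.8.50.3425'."""
    return bool(server_header) and "Active Management Technology" in server_header


def parse_digest_challenge(www_authenticate):
    """Turn 'Digest realm="...", nonce="...", qop="auth"' into a dict."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge: %r" % www_authenticate)
    fields = {}
    for item in params.split(","):
        key, _, value = item.strip().partition("=")
        fields[key.strip().lower()] = value.strip().strip('"')
    return fields


def digest_authorization(username, password, method, uri, challenge, cnonce=None, nc=1):
    """Build the Authorization header value answering an RFC 2617 Digest challenge."""
    cnonce = cnonce or secrets.token_hex(8)
    nc_str = "%08x" % nc
    ha1 = md5_hex("%s:%s:%s" % (username, challenge["realm"], password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    qop = challenge.get("qop", "").split(",")[0].strip()
    if qop:
        response = md5_hex("%s:%s:%s:%s:%s:%s" % (ha1, challenge["nonce"], nc_str, cnonce, qop, ha2))
    else:                     # legacy RFC 2069 form without qop/cnonce
        response = md5_hex("%s:%s:%s" % (ha1, challenge["nonce"], ha2))
    parts = ['username="%s"' % username, 'realm="%s"' % challenge["realm"],
             'nonce="%s"' % challenge["nonce"], 'uri="%s"' % uri,
             'response="%s"' % response]
    if qop:
        parts += ["qop=%s" % qop, "nc=%s" % nc_str, 'cnonce="%s"' % cnonce]
    if challenge.get("opaque"):
        parts.append('opaque="%s"' % challenge["opaque"])
    return "Digest " + ", ".join(parts)


def interpret(server_header, first_status, auth_status):
    """Map the anonymous and authenticated probe results to a verdict string."""
    if first_status is None:
        return "unreachable"
    if not looks_like_amt(server_header):
        return "no-amt"
    if auth_status == 200:
        return "amt-default-password"   # admin/admin worked: this laptop is exposed
    if auth_status == 401:
        return "amt-protected"          # AMT is provisioned but the password was changed
    return "amt-unknown"


def probe_amt(host, username=DEFAULT_USER, password=DEFAULT_PASS, timeout=3.0):
    """Two requests: an anonymous GET to collect the Digest challenge, then the
    same GET carrying a Digest response for the supplied credentials."""
    conn = http.client.HTTPConnection(host, AMT_HTTP_PORT, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH)
        first = conn.getresponse()
        first.read()
        server = first.getheader("Server", "")
        www = first.getheader("WWW-Authenticate", "")
        if first.status != 401 or not www.lower().startswith("digest"):
            return interpret(server, first.status, None)
        challenge = parse_digest_challenge(www)
        auth = digest_authorization(username, password, "GET", PROBE_PATH, challenge)
        conn.request("GET", PROBE_PATH, headers={"Authorization": auth})
        second = conn.getresponse()
        second.read()
        return interpret(server, first.status, second.status)
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Audit hosts for Intel AMT with the factory password")
    ap.add_argument("hosts", nargs="+", help="host names or IPs on the segment to audit")
    for h in ap.parse_args().hosts:
        print("%-40s %s" % (h, probe_amt(h)))
```

A verdict of amt-default-password means the MEBx/AMT password is still “admin” and the machine is one CTRL-P away from the attack described above; amt-protected means AMT is provisioned but the password has been changed, which is the state F-Secure recommends if AMT cannot be disabled outright. Only port 16992 is probed; a console reachable solely over TLS on 16993 will show as unreachable and needs a separate HTTPS pass.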

Although the attack requires physical access, its speed makes it a practical evil maid attack (so called because it can be carried out in a hotel room whenever a device is left unattended for a short period).

Sintonen and his colleagues at F-Secure have raised the issue repeatedly since last summer. CERT-Bund had earlier flagged a similar weakness involving USB provisioning. The issue F-Secure highlights is distinct from other recent AMT problems: it arises from insecure configuration and deployment of Intel AMT rather than from a firmware bug.

F-Secure said that a large part of the problem is that companies are not following Intel’s guidance in practice, adding that publicising the issue is intended to draw attention to that.

F-Secure said: “We discovered this issue last summer and have since found it on thousands of laptops. Manufacturers have access to information on how to prevent this, yet they are still not following best practices, leaving a large number of laptops vulnerable. Organisations and users do not want this, but most of them are not aware of it at all, so raising public awareness is very important.”

F-Secure’s research shows that some system manufacturers do not require a BIOS password to access MEBx. As a result, anyone with physical access to such a computer can reach MEBx without authorization and, with AMT still at its factory defaults, change its AMT settings.

El Reg learned that Intel began telling system builders in 2015 to provide a BIOS option to disable USB provisioning and to ship with it disabled by default. The guide (PDF) was updated and reiterated last November.

F-Secure reports that, despite these guidelines, insecure Intel AMT deployments remain widespread:

Although Intel has written extensive guidelines for AMT, it does not have the expected impact on the real-world security of enterprise laptops.

This issue affects most, if not all, notebooks that support Intel Management Engine / Intel AMT. Intel recommends that manufacturers require the BIOS password when AMT is provisioned. However, many device manufacturers do not follow this advice.

Read on…

Intel AMT Loophole Allows Hackers to Gain Control of Some PCs in Under a Minute

https://threatpost.com/intel-amt-loophole-allows-hackers-to-gain-control-of-some-pcs-in-under-a-minute/129408/

Researchers say an unprotected Management Engine BIOS Extension can allow an attacker the ability to configure Intel’s AMT feature for remote access by a hacker….

F-Secure advises organizations to adjust their system provisioning process to include setting a strong AMT password, or to disable AMT where that option is available. The first article also includes a video from F-Secure demonstrating the attack.

Weak Intel AMT security lets hackers hijack corporate comps – research

https://www.theregister.co.uk/2018/01/12/intel_amt_insecure/

Easy as A, B, CTRL+P: Security shortcomings in Intel’s Active Management Technology (AMT) create a means for miscreants to bypass login credentials on corporate laptops.……

The second article is similar to, but easier to read than, the first.

Intel AMT security flaw lets attackers easily bypass laptop passwords

http://www.pcgamer.com/intel-amt-security-flaw-lets-attackers-easily-bypass-laptop-passwords/

Intel is having a rough start to the year. Following the Meltdown and Spectre fiasco that is ongoing, F-Secure is piling on more bad news, saying Intel’s Active Management Technology (AMT) gives attackers an easily exploitable backdoor into potentially millions of laptops. AMT is Intel’s proprietary solution to allow IT admins remote access monitoring and maintenance of corporate-grade systems. It is commonly found on business laptops, particularly those with Intel vPro processors. AMT has had its share of security issues in the past, but this new one is arguably the most concerning issue yet. “The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” said Harry Sintonen, senior security consultant at F-Secure. It doesn’t take long to exploit the vulnerability, which is part of what makes this especially concerning. In a matter of seconds, an attacker can gain access to an Intel AMT-enabled laptop, even if there’s a BIOS password in place. Bitlocker passwords, TPM Pins, and login credentials are no help, either. An attacker starts by rebooting a target’s machine, and then entering…

 

Simple Attack Allows Full Remote Access to Most Corporate Laptops

http://www.securityweek.com/simple-attack-allows-full-remote-access-most-corporate-laptops

Attack is Simple to Exploit, Has Incredible Destructive Potential. read more…

 

If you would like to receive more of these curated Safe Harbor news alerts, subscribe to my mailing list, and come back soon to https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.