Intel AMT security loophole could allow hackers to seize control of laptops

Sheri Evans
January 13, 2018

Finnish cybersecurity specialist F-Secure has reported another serious flaw in Intel hardware.

Although AMT vulnerabilities are not new, the researchers say this issue is particularly severe because it affects most Intel laptops, could enable an attacker to gain remote access for later exploitation, and is particularly easy to exploit. Optionally, unlike the Intel Management Engine (ME), AMT can be disabled, an option that Sintonen also recommends in situations where AMT use is not a corporate policy.

Harry Sintonen, the F-Secure security consultant who investigated the issue, said that the security gap was "almost deceptively simple to exploit" and noted that it could have "incredible destructive potential". "In practice, it can give a local attacker complete control over an individual's work laptop, despite even the most extensive security measures".

Intel AMT is a solution for remote access monitoring and maintenance of corporate-grade personal computers, created to allow IT departments or managed service providers to better control their device fleets.

Normally, laptop users set-up BIOS passwords to prevent unauthorised users from booting up devices or making changes to the boot-up process. What he has essentially done here is set up the machine to allow remote access without the user's knowledge that the computer is being exploited. And once inside AMT (reached by hitting Ctrl-P during boot), the attacker can log in using "admin", input a new remote password, configure AMT to suppress notifications that the laptop has been connected to remotely (thereby preventing users from knowing what's happened), and also configure it to allow wireless remote management in addition to wired management. "This allows an attacker access to configure AMT and make remote exploitation possible", F-Secure said.

The issue permits an attacker with physical access to a laptop to bypass having to enter passwords and to access and remotely exploit the laptop later, the company said.

Cypress Semiconductor Corporation (CY) Scheduled to Post Earnings on Thursday
The semiconductor company reported $0.27 EPS for the quarter, topping the Thomson Reuters' consensus estimate of $0.23 by $0.04. Alliancebernstein Limited Partnership holds 0.07% in Cypress Semiconductor Corporation (NASDAQ:CY) or 6.10 million shares.

Exemption granted for girl, 11, to use medical marijuana at Schaumburg school
School nurses feared they'd lose their licenses or even be arrested helping Ashley with the technically illicit drug. This is belived to be the first case of its kind and could set a precedent for schools across the nation.

Twenty-First Century Fox (NASDAQ:FOX) Stock Rating Upgraded by BidaskClub
Boston Family Office Llc decreased Gilead Sciences Inc (NASDAQ:GILD) stake by 3,870 shares to 114,589 valued at $9.28M in 2017Q3. This simple numeric scale reads 1 to 5, and it changes brokerage firm Hold recommendations into an average broker rating.

"If you leave your laptop in your hotel room while you go out for a drink, an attacker can break into your room and configure your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel", he said.

F-Secure's Sintonen, however, wasn't the only security researcher to unearth the problem.

"Now the attacker can gain access to the system remotely", F-Secure's release noted, "as long as they're able to insert themselves onto the same network segment with the victim (enabling wireless access requires a few extra steps)". For this reason, it's especially important that organizations know about the unsafe default so they can fix it before it begins to be exploited.

F-Secure said in a statement that the flaw had nothing to do with the "Spectre" and "Meltdown" vulnerabilities recently found in the micro-chips that are used in nearly all computers, tablets and smartphones today.

Sintonen recommends that companies configure an AMT password so attackers wouldn't be able to boot via MEBx and compromise the system.

Intel AMT is commonly found on computers using Intel vPro-enabled processors as well as platforms based on some Intel Xeon processors. However, many device manufacturers do not follow this advice. "If the password is already set to an unknown value consider the device suspect and initiate incident response procedure", it says.

Other reports by

Discuss This Article