Security researchers have identified another important security hole in Intel processors, in addition to security vulnerabilities in the Intel Management Engine and the Meltdown vulnerability that is hitting Intel processors hard. This time, it is a problem with Intel’s Active Management Technology (AMT), a feature typically reserved for systems that support Intel vPro or work platforms with certain Xeon processors.
Intel AMT is designed to allow administrators to update PCs even if these PCs are disabled. All they need is an internet connection and a wall outlet and they can be updated. This is a useful tool for large multinational companies with remote employees, but it is also a potential security risk. F-Secure published information highlighting how an attacker with even a short local access can easily access an entire machine. Here’s how they describe the problem:
A BIOS password normally prevents an unauthorized user from making low-level changes to a device. However, the bottom line of this problem is that even when a BIOS password has been set, an attacker does not need it to configure AMT. Additionally, due to the unsecured BIOS setup and the AMT BIOS (MEBx) extension configuration, an attacker with physical access can effectively backfeed a machine. supplying AMT using the default password. The attacker can then access the device remotely, by connecting to the same wireless or wired network as the user. In some cases, the attacker can also program AMT to connect to his own server, which cancels the need to be in the same network segment as the victim.
In summary, setting a BIOS password will not help. Once someone has access, you can not evict them. The researchers note that “no other security measure, including local firewalls, BIOS passwords, anti-malware software or the use of.” a VPN may prevent a compromised data leak system, as it has been compromised outside of the Windows environment, in a separate operating system completely protected from any attempt at inspection or control of the data circulating there.
From there, the possibilities are endless. Even malware based on the firmware can be easily downloaded to the system without any chance of detection. And even though local access may seem like a difficult hurdle to go through, it’s not as difficult as it appears. Changes can be made in less than a minute, according to F-Secure. This may not be the kind of attack that is deployed on thousands of systems on a local business network – at least not without additional steps – but it is exactly the same. kind of targeted attack that a government agency could use. And more specifically, it shows that Intel processors are once again vulnerable to a set of management capabilities that Intel has decided to put into sandbox entirely from the main operating system.
And more specifically, it is a fault easily solved. Even if you think that the probability of system penetration through inappropriate local access is minimal, the solution to this problem is to not allow access to the AMT until the BIOS password is n & # 39; 39 is not entered. If a user can not unlock the BIOS, he / she should not be allowed to enter a password for the AMT configuration (the default password is, of course, “admin”). Most AMT-compatible devices, F-Secure Notes, do not use the feature in the first place. They are still at risk of local attack because this attack works against AMT compatible devices with default passwords. And once in AMT (reached by pressing Ctrl-P during boot), the attacker can login using “admin”, enter a new password, configure AMT to delete the notifications that the laptop has been connected remotely. this has happened), and also configure it to allow wireless remote management in addition to wired management.
Once done, the attacker can connect to the system if he is on the same local network or AMT program. Customer Initiated Remote Access (CIRA), which connects to the servers of the attackers and avoids any need for local access.
Not a great look on a company that is already experiencing other security flaws. All of Intel’s logic for keeping much of its security infrastructure locked up looks less and less like the principled decision of a company that keeps us safe and more like a desperate attempt to cover up. how much it deals with security. Because people, look, this is not a sophisticated attack. This is not a crazy idea. In fact, it’s one of the first things I would expect from an attacker, if that person even had a basic concept of what features like AMT and Intel Management Engine can be configured to do.