Windows 10 News and info | Forum
Author Topic: A Security Issue in Intel's Active Management Technology (AMT)  (Read 88 times)
« on: January 13, 2018, 10:55:36 PM »

Misleading behavior within Intel's technology allows a local attacker to compromise and take control of work laptops.

Imagine someone having the capability to remotely access and operate your laptop at their whim, without you being able to do anything about it. Pretty scary thought, right? Luckily this couldn't really happen – magic hacker tricks capable of bypassing strong passwords, firewalls and anti-malware software only exist in the movies.

It's just that sometimes reality kicks fiction right in the teeth. In July 2017 Harry Sintonen, one of F-Secure's Senior Security Consultants, discovered unsafe and misleading default behavior within Intel's Active Management Technology (AMT). AMT is Intel's proprietary solution for remote access monitoring and maintenance of corporate-grade personal computers, created to allow IT departments or managed service providers to better control their device fleets.

AMT is no stranger to security weaknesses, with many other researchers finding multiple flaws within the system, but Sintonen's discovery surprised even him. The security issue seems like something lifted straight from IT security officers' worst nightmares.

"The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual's work laptop, despite even the most extensive security measures," Sintonen says.

So how can this be exploited in practice?

The issue allows a local intruder to backdoor almost any corporate laptop in a matter of seconds, even if the BIOS password, TPM PIN, BitLocker and login credentials are in place. No, we're not making this stuff up.

The setup is simple: an attacker starts by rebooting the target's machine, after which they enter the boot menu. In a normal situation, an intruder would be stopped here; as they won't know the BIOS password, they can't really do anything harmful to the computer.

In this case, however, the attacker has a workaround: AMT. By selecting Intel's Management Engine BIOS Extension (MEBx), they can log in using the default password "admin," as this has most likely not been changed by the user. By changing the default password, enabling remote access and setting AMT's user opt-in to "None", a quick-fingered cybercriminal has effectively compromised the machine. Now the attacker can gain access to the system remotely, as long as they're able to insert themselves into the same network segment as the victim (enabling wireless access requires a few extra steps).

Although the successful exploitation of the security issue requires physical proximity, this might not be as difficult for skilled attackers to organize as you might think. Sintonen lays out one probable scenario, using techniques common to cyber criminals and red teamers alike.

"Attackers have identified and located a target they wish to exploit. They approach the target in a public place – an airport, a café or a hotel lobby – and engage in an 'evil maid' scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn't require a lot of time – the whole operation can take well under a minute to complete," Sintonen says.

Combating the issue

Although solid operations security is the first step (don't ever leave your laptop unwatched in an insecure location!), there are some basic safeguards all IT departments should implement.

The system provisioning process needs to be updated to include setting a strong password for AMT or disabling it completely if possible. IT should also go through all currently deployed machines, and organize the same procedure for them. Intel's own recommendations for using AMT in a secure manner follow similar logic.

Now, this might be more difficult than it sounds. IT departments might find it increasingly tricky to remediate the issue on a large scale, as the required changes may be difficult to effect remotely (ironically enough). In most cases, a mass reconfiguration effort of affected devices is the only way to deal with AMT issues – not fun for a large, global organization. Our recommendation is to query the number of affected assets remotely and try to narrow the list down to a more manageable number. Organizations with Microsoft environments and domain connected devices can also take advantage of the System Center Configuration Manager to provision AMT.

Most importantly: if the AMT password has been set to an unknown value on a user's laptop, consider the device suspect and initiate an incident response. The first rule of cybersecurity? Never take unnecessary risks.
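The remediation guidance above (inventory the fleet, reprovision devices still on the default MEBx password with a strong one or disable AMT, and treat a device whose AMT password has been set to an unknown value as an incident) as an added Python example; it is not part of the original post or of F-Secure's advisory. The `AmtRecord` fields and the triage labels are assumptions about what an inventory export would contain, ports 16992 and 16993 are Intel AMT's standard web-interface ports, and the password rule is an assumed summary of Intel's MEBx strong-password requirements that should be checked against the MEBx version in use. The sample inventory is constructed.

```python
"""Triage of Intel AMT inventory records for the MEBx default-password issue.

Added example, not F-Secure's or the forum author's code. Field names and
triage labels are assumptions; the sample records below are constructed.
"""
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

AMT_PORTS = (16992, 16993)          # Intel AMT web interface: HTTP / HTTPS
MEBX_DEFAULT_PASSWORD = "admin"     # factory default named in the advisory

OK, REPROVISION, REVIEW, SUSPECT = "ok", "reprovision", "review", "suspect"


@dataclass
class AmtRecord:
    hostname: str
    amt_enabled: bool
    password_is_default: bool      # MEBx still accepts the factory default
    password_known_to_it: bool     # matches the value IT set at provisioning
    remote_access_enabled: bool
    user_opt_in: str               # "None", "KVM" or "All" (assumed export values)


def triage(rec: AmtRecord) -> str:
    """Classify one device following the advisory's remediation guidance."""
    if not rec.amt_enabled:
        return OK                   # AMT disabled: nothing reachable through MEBx
    if rec.password_is_default:
        return REPROVISION          # set a strong AMT password or disable AMT
    if not rec.password_known_to_it:
        return SUSPECT              # unknown password: treat as compromised, start IR
    if rec.remote_access_enabled and rec.user_opt_in == "None":
        return REVIEW               # remote access with no user consent prompt: confirm it is intended
    return OK


def summarize(records: List[AmtRecord]) -> Dict[str, int]:
    """Count devices per triage class to size the reconfiguration effort."""
    return dict(Counter(triage(r) for r in records))


def is_strong_amt_password(pw: str) -> bool:
    """Assumed summary of the MEBx strong-password rules: 8-32 characters with
    at least one upper-case letter, lower-case letter, digit and special character."""
    if not 8 <= len(pw) <= 32 or pw == MEBX_DEFAULT_PASSWORD:
        return False
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def amt_ports_open(host: str, timeout: float = 1.0) -> List[int]:
    """Read-only reachability probe for narrowing the remediation list:
    a host answering on the AMT ports has AMT provisioned and network-enabled."""
    open_ports = []
    for port in AMT_PORTS:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports


# Constructed sample inventory (hostnames and states are made up)
SAMPLE = [
    AmtRecord("lt-001", amt_enabled=False, password_is_default=False,
              password_known_to_it=True, remote_access_enabled=False, user_opt_in="All"),
    AmtRecord("lt-002", amt_enabled=True, password_is_default=True,
              password_known_to_it=False, remote_access_enabled=False, user_opt_in="All"),
    AmtRecord("lt-003", amt_enabled=True, password_is_default=False,
              password_known_to_it=True, remote_access_enabled=True, user_opt_in="KVM"),
    AmtRecord("lt-004", amt_enabled=True, password_is_default=False,
              password_known_to_it=False, remote_access_enabled=True, user_opt_in="None"),
    AmtRecord("lt-005", amt_enabled=True, password_is_default=False,
              password_known_to_it=True, remote_access_enabled=True, user_opt_in="None"),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec.hostname}: {triage(rec)}")
    print(summarize(SAMPLE))
```

Feed `triage` the records your inventory tool exports (SCCM or a WMI query against the Intel management client) and escalate every `suspect` result to incident response before touching the device; `amt_ports_open` is only for confirming which hosts still expose the AMT interface on the network.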

For more information on the issue, download our FAQ here!

View full advisory

« Last Edit: January 14, 2018, 01:24:36 AM by javajolt » Logged
