AMT is Intel’s technology for allowing IT departments to remotely monitor access and perform maintenance on corporate computers. It allows a system administrator full control of the system, intended for performing IT-related tasks. The system doesn’t even need to be on as long as it is connected to a network and a power source. Systems with Intel vPro-enabled processors, as well as many with Xeon processors, have AMT included.
Wireless access can also be configured at this point by browsing to http://TARGETIP:16992/wlan.htm” and logging in as “admin” with the new password. Changing the “Wireless Management” option to “Enabled in S0, Sx/AC” will allow remote access over a Wi-Fi network, once again provided the attacker is on the same network. AMT can also be configured to allow remote access from anywhere as long as the system is connected to the internet. Intel’s Client Initiated Remote Access (CIRA) enables systems to connect back to IT management rather than the other way around and can be configured to point to a server controlled by the attacker instead.
The severity of this flaw is that AMT can be accessed even with a BIOS password enabled, local firewalls, Bitlocker encryption, and strong password policies. While the physical access needed to initiate the attack is a limiting factor, some clever social engineering or the possibility of an insider threat can still lead to compromise. Basic IT security practices, such as never leaving systems unattended in unsecure locations can help mitigate this attack. Also, it is recommended to disable or set a strong password for AMT on all systems during the provisioning process.
Sources:
·
https://threatpost.com/intel-amt- loophole-allows-hackers-to-gain-
control-of-some-pcs-in-under-a- minute/129408/
Article was originally posted on CIP report produced by PERATON