Saturday, January 20, 2018

Intel AMT Provides Backdoor

    Intel has been taking a beating lately for the Meltdown and Spectre vulnerabilities discovered in its processor chips. As if that wasn’t enough, a new security flaw was recently discovered in Intel’s Active Management Technology (AMT) that can cause a full system compromise. Even worse, it can bypass many strong security measures.

   AMT is Intel’s technology for allowing IT departments to remotely monitor access and perform maintenance on corporate computers. It allows a system administrator full control of the system, intended for performing IT-related tasks. The system doesn’t even need to be on as long as it is connected to a network and a power source. Systems with Intel vPro-enabled processors, as well as many with Xeon processors, have AMT included.
    The flaw in AMT, discovered by researchers at Finnish cyber security company F-Secure, can be exploited with under a minute of physical access to the machine. A reboot is required and then the Intel Management Engine Bios Extension (MEBx), which handles manual AMT configuration, is entered by pressing CTRL-P. Most AMT instances are not provisioned by IT departments and the default password of “admin” will allow access to change the password and disable user notification for remote access. After this is complete, the system can be accessed remotely as long as the attacker is on the same network as the target and provides full control.
    Wireless access can also be configured at this point by browsing to http://TARGETIP:16992/wlan.htm” and logging in as “admin” with the new password. Changing the “Wireless Management” option to “Enabled in S0, Sx/AC” will allow remote access over a Wi-Fi network, once again provided the attacker is on the same network. AMT can also be configured to allow remote access from anywhere as long as the system is connected to the internet. Intel’s Client Initiated Remote Access (CIRA) enables systems to connect back to IT management rather than the other way around and can be configured to point to a server controlled by the attacker instead.  
   The severity of this flaw is that AMT can be accessed even with a BIOS password enabled, local firewalls, Bitlocker encryption, and strong password policies. While the physical access needed to initiate the attack is a limiting factor, some clever social engineering or the possibility of an insider threat can still lead to compromise. Basic IT security practices, such as never leaving systems unattended in unsecure locations can help mitigate this attack. Also, it is recommended to disable or set a strong password for AMT on all systems during the provisioning process.


 Article was originally posted on CIP report produced by PERATON