Intel has been taking a beating lately for the Meltdown and Spectre vulnerabilities discovered in its processor chips. As if that wasn’t enough, a new security flaw was recently discovered in Intel’s Active Management Technology (AMT) that can cause a full system compromise. Even worse, it can bypass many strong security measures.

AMT is Intel’s technology for allowing IT departments to remotely monitor, access and perform maintenance on corporate computers. It gives a system administrator full control of the system, intended for performing IT-related tasks. The system doesn’t even need to be powered on, as long as it is connected to a network and a power source. Systems with Intel vPro-enabled processors, as well as many with Xeon processors, have AMT.
The flaw in AMT, discovered by researchers at Finnish cyber security company F-Secure, can be exploited with under a minute of physical access to the machine. A reboot is required, and then the Intel Management Engine BIOS Extension (MEBx), which handles manual AMT configuration, is entered by pressing CTRL-P. Most AMT instances are not provisioned by IT departments, and the default password of “admin” will allow access to change the password and disable user notification for remote access. After this is complete, the system can be accessed remotely with full control, as long as the attacker is on the same network as the target. Wireless access can also be configured at this point by browsing to “http://TARGETIP:16992/wlan.htm” and logging in as “admin” with the new password. Changing the “Wireless Management” option to “Enabled in S0, Sx/AC” will allow remote access over a Wi-Fi network, once again provided the attacker is on the same network. AMT can also be configured to allow remote access from anywhere as long as the system is connected to the internet: Intel’s Client Initiated Remote Access (CIRA) enables systems to connect back to IT management rather than the other way around, and it can be configured to point to a server controlled by the attacker.
The severity of this flaw is that AMT can be accessed even with a BIOS password enabled, local firewalls, BitLocker encryption and strong password policies in place. While the physical access needed to initiate the attack is a limiting factor, some clever social engineering or an insider threat can still lead to compromise. Basic IT security practices, such as never leaving systems unattended in unsecured locations, can help mitigate this attack. It is also recommended to disable AMT, or set a strong password for it, on all systems during the provisioning process.
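As an added example (not code from the original article or from F-Secure), the following Python script is the kind of defender-side inventory check that supports the recommendation above: it classifies the HTTP reply from the AMT web interface port 16992 named in the article, so an IT department can list which of its own systems have AMT answering on the network and confirm that each one is either disabled or provisioned with a non-default MEBx password. The format of the “Server” header, the mention of port 16993 and the sample responses are assumptions or constructed data, not values taken from the page.

```python
import re
import socket
from typing import Optional

# 16992 is the AMT web-interface port named in the article; 16993 being its
# TLS counterpart is an assumption of this example, not something the page states.
AMT_HTTP_PORT = 16992


def parse_amt_banner(raw: bytes) -> dict:
    """Classify an HTTP response captured from the AMT web-interface port.

    Returns {"amt": bool, "version": str | None, "auth": str | None}.
    Assumption: the AMT web UI identifies itself with a Server header of the
    form "Intel(R) Active Management Technology <version>".
    """
    text = raw.decode("latin-1", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server", "")
    is_amt = "active management technology" in server.lower()
    match = re.search(r"\d+(?:\.\d+)+", server)
    return {
        "amt": is_amt,
        "version": match.group(0) if (is_amt and match) else None,
        "auth": headers.get("www-authenticate"),
    }


def probe_host(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Connect to the AMT HTTP port on a host you manage and classify the reply.

    Returns None when nothing is listening or the connection fails."""
    request = ("GET /index.htm HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode()
    try:
        with socket.create_connection((host, AMT_HTTP_PORT), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            while len(data) < 8192:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_amt_banner(data)


def hosts_needing_review(results: dict) -> list:
    """From {host: probe result}, list the hosts whose AMT interface answered.

    Each of these should be confirmed as provisioned with a non-default MEBx
    password, or have AMT disabled, per the article's recommendation."""
    return sorted(h for h, r in results.items() if r and r["amt"])


# Constructed sample responses (not real captures) for an offline check.
SAMPLE_AMT = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"


if __name__ == "__main__":
    # Hypothetical host names; replace probe results with probe_host(name) on a real inventory.
    results = {
        "ws-01.example.internal": parse_amt_banner(SAMPLE_AMT),
        "ws-02.example.internal": parse_amt_banner(SAMPLE_OTHER),
        "ws-03.example.internal": None,
    }
    for host in hosts_needing_review(results):
        print(f"{host}: AMT web UI reachable, version {results[host]['version']}")
```

Run it against constructed data as shown, or swap in `probe_host()` over a list of managed hosts; anything it reports is a system whose AMT provisioning state and MEBx password should be verified, which is the check the recommendation above calls for.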
This article was originally posted in the CIP Report produced by PERATON.