In a video, Harry Sintonen, a Finnish researcher at F-Secure, has revealed shocking details about a new Intel loophole that he discovered in Intel’s new Active Management Technology (AMT). The loophole is the stuff of an IT security officer’s worst nightmares: it allows a hacker to gain access to the computer remotely.
AMT provides IT departments and managed service providers with the ability to better control their device fleets and maintain corporate-grade PCs by giving them a solution for remote access monitoring. This same AMT can be exploited by hackers through the new loophole found by Sintonen.
Outlining the process by which this can be achieved, Sintonen has said that a local intruder starts by rebooting the targeted device and entering the boot menu. Ideally, an attacker would be stopped here, since he wouldn’t know the BIOS password. In this situation, however, he can select Intel’s Management Engine BIOS Extension and log in with the default password, “admin”, which, in most cases, remains unchanged by the user. This would allow the hacker to enable remote access and set AMT’s user opt-in to “None”, thus compromising the machine. The only other thing left for the hacker to do would be to get onto the same network segment as the victim.
The successful exploitation of the Intel loophole can be completed by physically stealing the machine. And this is usually a cakewalk for a trained cyber-criminal. To quote Harry Sintonen, this can be done in the following way: “Attackers have identified and located a target they wish to exploit. They approach the target in a public place – an airport, a café or a hotel lobby – and engage in an ‘evil maid’ scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time – the whole operation can take well under a minute to complete.”
To combat the Intel loophole, the system provisioning process should be updated so that a strong password is set for AMT, or so that AMT is disabled altogether. IT should also ensure that the procedure has been followed on all machines that are in use. Apart from this, the device user should ensure that the device is never left unguarded; and if the user notices that the AMT password has been changed and set to an unknown value, he should treat the device as suspect and initiate incident response. Although no statement has been issued by Intel so far, users are advised to exercise caution when using their Intel-powered devices.
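One way IT can verify across the fleet that the provisioning procedure was followed, shown as an added example that is not from the article or from F-Secure: it compares each machine's expected AMT state with whether AMT's network service actually answers. The inventory format, the state labels and the function names are assumptions made for illustration, and the AMT port numbers are standard values that the article does not mention.

```python
import socket

# Intel AMT's web interface listens on TCP 16992 (HTTP) and 16993 (TLS).
# These port numbers are standard AMT values, not taken from the article.
AMT_PORTS = (16992, 16993)


def open_ports(host, ports=AMT_PORTS, timeout=1.0):
    """Return the ports in `ports` that accept a TCP connection on `host`."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            pass  # closed, filtered or unreachable
    return found


def audit(inventory, ports=AMT_PORTS, timeout=1.0):
    """Compare observed AMT exposure with the provisioning baseline.

    inventory maps host -> expected state (hypothetical labels):
      "disabled"    - AMT was switched off during provisioning
      "provisioned" - AMT is in use and was given a strong password
    Returns a list of (host, finding, open_ports) for every mismatch.
    """
    findings = []
    for host, expected in sorted(inventory.items()):
        seen = open_ports(host, ports, timeout)
        if seen and expected == "disabled":
            # Remote access is answering on a machine where it should be off:
            # the state the article says to treat as suspect.
            findings.append((host, "UNEXPECTED_AMT", seen))
        elif not seen and expected == "provisioned":
            findings.append((host, "AMT_NOT_REACHABLE", seen))
    return findings


if __name__ == "__main__":
    # Constructed inventory using documentation-range addresses.
    # Run from an admin workstation, not from the laptop being checked.
    sample = {"192.0.2.10": "disabled", "192.0.2.11": "provisioned"}
    for host, finding, seen in audit(sample, timeout=0.5):
        print(f"{host}: {finding} (open ports: {seen})")
```

An `UNEXPECTED_AMT` finding only shows that AMT is reachable where the baseline says it should not be. Whether the password is still the default has to be confirmed on the machine itself.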