Security researchers have pinpointed another major security hole in Intel processors, in addition to the security holes in the Intel Management Engine and the Meltdown flaw that hits Intel CPUs uniquely hard. This time, it’s an issue with Intel’s Active Management Technology (AMT), a feature typically reserved for systems that support Intel vPro or workstation platforms with certain Xeon CPUs.
The Intel AMT is designed to allow administrators to access and update PCs, even if those PCs are turned off. All they need is an internet connection and a wall socket and they can be updated. That’s a useful tool for large multinational firms with far-flung employees, but it’s also a potential security risk. F-Secure has published information highlighting how easily an attacker with even brief local access can gain full access to an entire machine. Here’s how they describe the problem:
A BIOS password normally prevents an unauthorized user from making low-level changes to a device. However, the essence of this issue is that even when a BIOS password has been set, an attacker does not need it to configure AMT. Not only that, due to insecure defaults in the BIOS and AMT’s BIOS extension (MEBx) configuration, an attacker with physical access can efectively backdoor a machine by provisioning AMT using the default password. The attacker can then access the device remotely, by connecting to the same wireless or wired network as the user. In certain cases, the assailant can also program AMT to connect to their own server, which negates the necessity of being in the same network segment as the victim.
In short, setting a BIOS password won’t help and once someone has access, you can’t kick them out. The researchers note that no other security measures, including local firewalls, BIOS passwords, anti-malware software, or use of a VPN can prevent a compromised system from leaking data, because it’s been compromised outside of the Windows environment, in a separate OS that’s completely shielded from any attempt to inspect or control the data flowing out of or into it.
From here, the possibilities are endless. Even firmware-based malware can be easily uploaded to the system with no chance of detection. And while local access might seem a tough barrier to crack, it’s not as hard as it seems. The changes can be made in under a minute, according to F-Secure. It may not be the kind of attack that gets deployed across thousands of systems on a corporate local network — at least not without additional steps — but it’s exactly the kind of targeted attack a government agency might use. And more to the point, it illustrates that Intel CPUs are once again vulnerable to set of management capabilities that Intel decided to sandbox entirely from the primary operating system.
And more to the point, this is an easily resolved flaw. Even if you think the chance of system penetration via inappropriate local access is minimal, the solution to this problem is to not allow access to the AMT until the proper BIOS password is entered. If a user can’t unlock the BIOS, they shouldn’t be allowed to enter a password for AMT configuration (the default password is, of course, “admin”). Most AMT-capable devices, F-Secure notes, don’t use the feature in the first place. They’re still at risk of local attack, because this attack works against AMT-enabled devices with default passwords. And once inside AMT (reached by hitting Ctrl-P during boot), the attacker can log in using “admin,” input a new remote password, configure AMT to suppress notifications that the laptop has been connected to remotely (thereby preventing users from knowing what’s happened), and also configure it to allow wireless remote management in addition to wired management.
Once this is done, the attacker can connect to the system if he’s on the same local area network or program AMT to enable Client Initiated Remote Access (CIRA), which will connect to the attackers’ servers and avoid any need for local access at all.
Not a great look on a company that’s already being hammered by other security flaws. Intel’s entire rationale for keeping so much of its security infrastructure locked away looks less and less like the principled decision of a company keeping us safe and more like a desperate attempt to cover just how badly it treats security. Because folks, look, this is not a sophisticated attack. This is not some crazy idea. In fact, it’s one of the first things I would expect an attacker to try, if said person had even a basic concept of what functions like AMT and the Intel Management Engine can be configured to do.