The Finland-based cybersecurity firm F-Secure has discovered a security flaw in Intel’s Active Management Technology (AMT) that can allow a hacker to compromise a work laptop within seconds.
AMT is basically Intel’s proprietary solution for remote access monitoring and maintenance of corporate-grade personal computers, developed to allow IT departments or managed service providers to better control their device fleets.
According to the company, in July 2017, Harry Sintonen, one of F-Secure’s Senior Security Consultants, discovered malicious and misleading default behavior within Intel’s AMT.
“AMT is no stranger to security weaknesses, with many other researchers finding multiple flaws within the system, but Sintonen’s discovery surprised even him,” the company said in a blog post.
“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” Sintonen said.
The flaw essentially enables a local intruder to backdoor almost any corporate laptop in a matter of seconds, even if a BIOS password, TPM PIN, BitLocker and login credentials are in place.
An attacker can reboot the target’s machine and enter the boot menu. In a normal situation, an intruder would be stopped here: without the BIOS password, they cannot do anything harmful to the computer, IANS reported.
“In this case, however, the attacker has a workaround: AMT. By selecting Intel’s Management Engine BIOS Extension (MEBx), they can log in using the default password ‘admin’, as this hasn’t most likely been changed by the user,” the company said.
By changing the default password, enabling remote access and setting AMT’s user opt-in to “None”, a quick-fingered cybercriminal has effectively compromised the machine. The attacker can now gain access to the system remotely, as long as they are able to insert themselves into the same network segment as the victim, the report added.