Following the discovery of Spectre and Meltdown earlier this month, Intel is now facing another security flaw in its firmware.
Researchers from the Finnish cybersecurity firm F-Secure pinpointed another major security flaw in Intel processors that could potentially enable any hacker to gain remote access to any PC just by having ‘brief’ physical contact with it.
The newly found issue involves Intel’s Active Management Technology (AMT) firmware, a remote device management technology installed in approximately 100 million systems over the last decade.
Intel’s AMT is a feature usually found in systems that support Intel vPro or workstation platforms with Xeon CPUs. It is designed to let administrators access and update computers, even if the devices are turned off.
So, while Spectre and Meltdown are found in microchips used in almost all computers, smartphones, and tablets today, the AMT vulnerability dramatically affects millions of corporate laptops and computers.
However, Intel defended itself and said that computer manufacturers are primarily at fault for failing to safeguard the AMT configuration in the BIOS setup menus.
The Intel AMT Security Flaw
An article released by Business Security Insider over the weekend explained how the vulnerability was found. Apparently, the new Intel security flaw was discovered in July 2017 by Harry Sintonen, a senior security consultant at F-Secure. At that time, Sintonen allegedly observed some misleading default behavior in Intel’s AMT.
“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” Sintonen was quoted as saying.
According to the researchers, attackers can gain access to any corporate laptop in a matter of seconds by exploiting AMT’s vulnerability. What’s worse, the attack is possible even if a BIOS password, TPM PIN, BitLocker, and login credentials are all in place.
All the attacker has to do is reboot the target machine and enter the boot menu. Usually, a hacker would not be able to push through from here since the BIOS password is required to perform any further actions. This is where AMT comes in handy.
The intruder will then turn to AMT by selecting the Management Engine BIOS Extension (MEBx). If the login password for MEBx has not been changed by the user or the IT administrator, the attacker would be able to access it using the default Intel password “admin.”
“By changing the default password, enabling remote access and setting AMT’s user opt-in to “None,” a quick-fingered cybercriminal has effectively compromised the machine. Now the attacker can gain access to the system remotely, as long as they’re able to insert themselves onto the same network segment with the victim (enabling wireless access requires a few extra steps),” the researchers explained.
While the exploit still requires physical contact with the laptop or workstation, the security specialists pointed out that executing the job is relatively easy for skilled attackers to organize.
As a countermeasure to prevent hackers from potentially taking advantage of AMT’s security flaw, people are advised to avoid leaving their laptops in unsecured public areas. Aside from that, the security researchers said that system provisioning must also be updated to include setting a strong password for AMT or, if possible, disabling it.
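
For IT teams acting on that advice, the sketch below audits a fleet inventory for the conditions described above: a MEBx password still at its default, AMT left on where nobody uses it, and the combination of remote access enabled with user opt-in set to "None" on a machine IT never provisioned. It is an added example, not code from F-Secure or Intel; the record fields, host names and sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class AmtRecord:
    # Hypothetical inventory fields, one record per machine.
    host: str
    amt_present: bool        # firmware ships AMT
    amt_disabled: bool       # AMT switched off during provisioning
    amt_needed: bool         # IT manages this machine through AMT
    mebx_password: str       # "default", "it_managed" or "unknown"
    remote_access: bool      # AMT remote access enabled
    user_opt_in: str         # e.g. "KVM" or "None"
    provisioned_by_it: bool  # AMT configuration was applied by IT

def audit(rec):
    """Return the list of findings for one machine."""
    findings = []
    if not rec.amt_present or rec.amt_disabled:
        return findings  # nothing reachable through AMT
    if rec.mebx_password == "default":
        # Anyone with brief physical access can log in to MEBx.
        findings.append("default-mebx-password")
    if (rec.remote_access and rec.user_opt_in.lower() == "none"
            and not rec.provisioned_by_it):
        # Matches the end state the researchers describe, set by someone else.
        findings.append("unexpected-remote-provisioning")
    if not rec.amt_needed:
        findings.append("amt-enabled-but-unused")
    return findings

def audit_fleet(fleet):
    """Map host name to findings, skipping machines with none."""
    results = {}
    for rec in fleet:
        found = audit(rec)
        if found:
            results[rec.host] = found
    return results

# Constructed sample inventory.
FLEET = [
    AmtRecord("lt-001", True, False, True, "it_managed", True, "KVM", True),
    AmtRecord("lt-002", True, False, False, "default", False, "KVM", False),
    AmtRecord("lt-003", True, False, False, "unknown", True, "None", False),
    AmtRecord("ws-004", True, True, False, "it_managed", False, "KVM", True),
    AmtRecord("dt-005", False, False, False, "unknown", False, "KVM", False),
]

if __name__ == "__main__":
    for host, found in audit_fleet(FLEET).items():
        print(host, ", ".join(found))
```

A machine flagged with unexpected-remote-provisioning should be treated as potentially compromised rather than simply reconfigured.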