Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and BitLocker PINs to backdoor almost any corporate laptop in a matter of seconds.
F-Secure has reported a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The attacker bypasses the need to enter login credentials and gains remote access for later exploitation. The issue exists within Intel's Active Management Technology (AMT) and potentially affects millions of laptops globally.
The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, who investigated the issue in his role as senior security consultant at F-Secure. “In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures.”
Intel AMT, which is commonly found in corporate laptops, has been called out for security weaknesses in the past, but the sheer simplicity of exploiting this particular issue sets it apart from earlier ones. It can be exploited in mere seconds without a single line of code.
Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called “evil maid” scenario. “You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.” Sintonen points out that even a minute of distracting a target from their laptop at an airport or coffee shop is enough to do the damage.
Tim Helming, director of product management at DomainTools, commented: “While in general attacks requiring physical access are of lower concern than remote privilege escalation or code execution attacks, the Intel AMT problem is a bit different because it is fast and simple to execute; an attacker could do lasting damage with very brief access to the device. Moreover, with the lines blurred on what constitutes a work versus a personal device, and the prevalence of working in non-office environments, it is very plausible that a work laptop could end up in the wrong hands for long enough to execute this attack. This underscores how important physical access safeguards are, and it goes beyond simply locking the keyboard when away from the device. Hopefully at this stage, enterprises will be looking at investing extra layers of security and training to help fight these vulnerabilities - if not, they should start to consider it now.”
Tony Bettini, Senior Director of Engineering at Tenable, gave a comment on the issue to SC Media UK: "The latest Intel AMT flaw is noteworthy for two reasons. One, it can be exploited in a matter of seconds. And two, it impacts almost all laptops that support Intel AMT. This means that an attacker needs only a few moments alone with a victim's laptop in order to configure it for remote access — giving him free rein over your device and personal data. It should go without saying, do not leave your laptops unattended. Unfortunately, this latest vulnerability might be just the first of many we see discovered in Intel products as more researchers, and cyber criminals, examine software to hardware interfaces for vulnerabilities."