
Yet another Intel problem... this time in AMT

porina
Quote

Today, researchers at F-Secure have revealed another weakness in Intel's management firmware that could allow an attacker with brief physical access to PCs to gain persistent remote access to the system, thanks to weak security in Intel's Active Management Technology (AMT) firmware—remote "out of band" device management technology installed on 100 million systems over the last decade, according to Intel.

https://arstechnica.com/information-technology/2018/01/researcher-finds-another-security-flaw-in-intel-management-firmware/

 

Makes a change from yet another Meltdown/Spectre post I suppose. This is yet another way to take over a system, using features built into Intel systems without adequate security. This isn't quite as bad as Meltdown/Spectre. An attacker would need physical access to an unprotected system in the first place to set it up. It can be mitigated by setting a password to the feature. This in some ways echoes early WiFi usage before security awareness was increased. I don't feel home users are significantly vulnerable to this, but if you oversee systems anyone can use, best make sure to configure them yourself before an attacker does.


Quote

"But the latest vulnerability—discovered in July of 2017 by F-Secure security consultant Harry Sintonen and revealed by the company today in a blog post—is more of a feature than a bug. Notebook and desktop PCs with Intel AMT can be compromised in moments by someone with physical access to the computer—even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords—by rebooting the computer, entering its BIOS boot menu, and selecting configuration for Intel’s Management Engine BIOS Extension (MEBx)."

I take it AMD isn't affected by this?


9 minutes ago, SC2Mitch said:

I take it AMD isn't affected by this?

Nope, it's just that Intel's AMT uses a default password.

Edit: Also this could have been avoided if OEMs had configured it differently:

Quote

If the system’s manufacturer has followed Intel’s recommendation to protect the Intel MEBx menu with the system BIOS password, this physical attack would be mitigated.

Edited by Guest
Shortened quote

Intel AMT is only on those business chipsets. I think it also has something to do with vPro. Some CPUs support vPro, but the board's chipset needs to support it too.


2 minutes ago, NumLock21 said:

Intel AMT is only on those business chipsets. I think it also has something to do with vPro. Some CPUs support vPro, but the board's chipset needs to support it too.

I believe so, vPro is supported on the CPU side and AMT requires dedicated hardware located on the board.


Quote

"We appreciate the security research community calling attention to the fact that some system manufacturers have not configured their systems to protect Intel Management Engine BIOS Extension (MEBx)," an Intel spokesperson told ZDNet.

Intel just brushing it and blaming other people, gee wonder where we've seen this before. 


This isn't huge though. Any half-smart company that uses the affected chips should already have their server rooms locked.


Just now, Levent said:

I believe so, vPro is supported on the CPU side and AMT requires dedicated hardware located on the board.

Yes, in Device Manager it shows the hardware, and it will require drivers for it to work. But it does not say Intel AMT; it says PCI simple communications controller and PCI serial port. When the driver is installed it reads it as Intel AMT LMS_SOL (Com3), Intel AMT 3.0 or anything along those lines.


at this point I feel like Intel may bankrupt itself from the sheer amount of security flaws atm lol

also I know this is nearly impossible to happen right now after the stranglehold they have had on the PC market forever now


4 minutes ago, Eduard the weeb said:

at this point I feel like Intel may bankrupt itself from the sheer amount of security flaws atm lol

also I know this is nearly impossible to happen right now after the stranglehold they have had on the PC market forever now

So EPYC will do epyclly? I mean first Meltdown/Spectre affecting Intel the most, and slowing down Datacenters, and now this? My school was already considering a Threadripper 1950X or an Epyc for their new server because of this disaster.


1 hour ago, SC2Mitch said:

Intel just brushing it and blaming other people, gee wonder where we've seen this before. 

So it's Intel's fault people didn't change the default passwords? 

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


Sources: F-Secure (Primary Source) via ZDNet (Secondary Source)

 

Intel wishes it could catch a break from all the vulnerabilities in their chips and the controversies, but here's a new one, and it can be a way to bypass any kind of additional authentication.

Quote

A security vulnerability in Intel's Active Management Technology (AMT) remote access monitoring and maintenance platform could allow attackers to bypass logins and place a backdoor on a laptop, enabling remote access and operation of the machine.

 

Intel AMT is commonly found on computers with Intel vPro-enabled processors as well as systems based on some Intel Xeon processors.

So desktop processors are pretty much safe from this but not laptop processors. How serious is the vulnerability, you might ask? How about bypassing full disk encryption like Bitlocker? This is not a weakness on Bitlocker's part but a hardware vulnerability, as the Finnish cybersecurity company F-Secure states.

Quote

So how can this be exploited in practice?

 

The issue allows a local intruder to backdoor almost any corporate laptop in a matter of seconds, even if the BIOS password, TPM Pin, Bitlocker and login credentials are in place. No, we’re not making this stuff up.

 

The setup is simple: an attacker starts by rebooting the target’s machine, after which they enter the boot menu. In a normal situation, an intruder would be stopped here; as they won’t know the BIOS password, they can’t really do anything harmful to the computer. In this case, however, the attacker has a workaround: AMT. By selecting Intel’s Management Engine BIOS Extension (MEBx), they can log in using the default password “admin,” as this hasn’t most likely been changed by the user. By changing the default password, enabling remote access and setting AMT’s user opt-in to “None”, a quick-fingered cyber criminal has effectively compromised the machine. Now the attacker can gain access to the system remotely, as long as they’re able to insert themselves onto the same network segment with the victim (enabling wireless access requires a few extra steps).

 

Although the successful exploitation of the security issue requires physical proximity, this might not be as difficult for skilled attackers to organize as you might think. Sintonen lays out one probable scenario, using techniques common to cyber criminals and red teamers alike. “Attackers have identified and located a target they wish to exploit. They approach the target in a public place – an airport, a café or a hotel lobby – and engage in an ‘evil maid’ scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time – the whole operation can take well under a minute to complete,” Sintonen says.

Here's a YouTube video from F-Secure's channel explaining the gist of the vulnerability.

Here's something in more detail from F-Secure's Q&A: http://images.news.f-secure.com/Web/FSecure/{b7f942eb-8ab9-41bb-afa0-792ed76306b7}_F-Secure_Intel-AMT_FAQ.pdf?_ga=2.181747875.548637975.1515800458-1068562749.1515800458

Quote

How can this be exploited?

 

Intel Active Management Technology comes initially protected with the default password “admin.” If AMT is not configured (as is the case with the vast majority of corporate devices), the default password will allow an attacker with physical access to the system to enable and configure AMT.

Although the attack cannot be enacted remotely, the process is very simple and quick to complete. A simple distraction, giving an attacker a few seconds of access to the target’s laptop, is enough to successfully complete the hack. The assailant can also provision the attack using a programmed USB stick, unless USB provisioning has been disabled by the user.

 

The attack process is explained step-by-step below:

 

  1. The attack starts by the assailant rebooting the target’s system and hitting CTRL-P during the boot-up process. This brings the attacker to AMT’s Management Engine BIOS extension.
  2. Once they’re inside AMT, the attacker can log in with the default password “admin.” AMT will then request the assailant to input a new password, which they can later use to gain access to the system remotely.
  3. After inputting the new password, the attacker configures AMT to allow remote network access. On default settings, user consent is required to establish the remote connection – the assailant can, however, completely disable this option from the “User Consent” configuration menu.
  4. Usually access to AMT is restricted to wired (ethernet) connections, but the attacker can also enable wireless access by connecting to the wired network and logging into the web console. From there the assailant can switch on wireless management.  
  5. The attacker can now connect to the system remotely, as long as he is in the same network with the hacked device. The actual connection can be performed with the Intel Manageability Developer Tool Kit’s Manageability Commander Tool, by using the username admin and the previously set password. In certain cases, the assailant can also program AMT to connect to their own server by using Client Initiated Remote Access (CIRA), which negates the necessity of being in the same network segment with the victim.
  6. Once logged in, the system can be controlled with Virtual Network Computing system (VNC). The target’s system is fully compromised, with the attacker having the capability to read and modify all data and applications within the boundaries of the user’s access rights.

This is serious, as I know a lot of company-issued laptops have Bitlocker enabled and use an Intel mobile processor with vPro. At the moment, Intel acknowledges the vulnerability but there is no patch yet; all they can offer at the moment are tips to keep your devices secure: https://www.intel.com/content/dam/support/us/en/documents/technologies/Intel_AMT_Security_Best_Practices_QA.pdf

But then it's also stupid that they're not changing the default password.

Quote

Q2. Are there security concerns with Intel® Active Management Technology?

A2. The Intel® vPro™ platform and its included Active Management Technology has supplied differentiated hardware-assisted security and manageability capabilities to over 100 million systems over the last decade. When Intel receives a report of a potential security vulnerability in our products, we begin evaluation of the report. We confirm the potential vulnerability, assesses the risk, determine the impact, and assign a processing priority. After vulnerability confirmation, the priority determines issue handling throughout the remaining steps in the process. For severe issues requiring immediate mitigation steps, communication occurs through https://www.intel.com/security.

 

Q3. Are there security vulnerabilities in your product(s)?

A3. Intel recognizes our role in improving the security of the computing platform. Intel actively works to identify and resolve security vulnerabilities. In the event that vulnerabilities are identified, the Product Security Incident Response Team (PSIRT) works across Intel and with the security community to understand the vulnerability and the underlying issue. The PSIRT has the responsibility to communicate with our suppliers, customers, and end users. Public communications from the PSIRT team are available at https://www.intel.com/security


 

This makes me wonder if corporations would start looking somewhere else like, I don't know? Move to AMD? Intel and their CEO Brian Krzanich can wish they could catch a break but I think it's time for the likes of Intel, AMD, Qualcomm and even Apple to have more people inspect their microprocessors even before releasing them to the public.

Edited by hey_yo_
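
A defender-side check for the outcome of steps 3 and 4 in the F-Secure walkthrough quoted above (AMT starting to answer on the network on a machine nobody provisioned), added here as an example and not code from F-Secure, Intel or any poster. It assumes AMT's web console on TCP 16992 and its `Server:` banner text, neither of which is stated in the thread; the function names, the `provisioned` allow-list and the loopback stand-in are constructed for illustration.

```python
import socket
import threading

AMT_HTTP_PORT = 16992   # assumed: AMT web console over HTTP (16993 is the TLS port)
AMT_SERVER_MARK = "Intel(R) Active Management Technology"  # assumed banner text

def server_banner(host, port=AMT_HTTP_PORT, timeout=2.0):
    """Return the HTTP Server header of host:port, "" if the port is open
    but sent none, or None if nothing accepted the connection."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None                       # closed, filtered or unreachable
    data = b""
    with sock:
        try:
            sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
            while b"\r\n\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass                          # open but silent: still reported
    for line in data.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return ""

def audit(targets, provisioned, timeout=2.0):
    """targets: iterable of (host, port); provisioned: hosts IT set up itself.
    Returns {(host, port): (status, banner)} for every target with a listener."""
    findings = {}
    for host, port in targets:
        banner = server_banner(host, port, timeout)
        if banner is None:
            continue
        if AMT_SERVER_MARK not in banner:
            status = "non-amt-listener"
        elif host in provisioned:
            status = "expected"
        else:
            status = "UNEXPECTED-AMT"     # AMT answering on an unmanaged host
        findings[(host, port)] = (status, banner)
    return findings

def start_fake_console(banner):
    """Constructed stand-in for an AMT web console on loopback (demo only).
    Serves one connection and returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.recv(1024)
            reply = f"HTTP/1.1 401 Unauthorized\r\nServer: {banner}\r\n\r\n"
            conn.sendall(reply.encode())
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_console(AMT_SERVER_MARK + " 11.8.50")  # constructed banner
    # In a real sweep: targets = [(h, AMT_HTTP_PORT) for h in fleet_hosts]
    print(audit([("127.0.0.1", port)], provisioned=set()))
```

Run it against your own address ranges on a schedule; any `UNEXPECTED-AMT` result is a machine whose MEBx settings should be inspected in person.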

This is not an exploit, this is the intel equivalent of not changing the default password on your router then crying design flaw when someone uses your internet and downloads movies.


This is the tech equivalent of leaving your car unlocked and running for a few hours in a dark alley.


7 hours ago, NumLock21 said:

Intel AMT is only on those business chipsets. I think it also has something to do with vPro. Some CPUs support vPro, but the board's chipset needs to support it too.

Most non-K SKUs have it, so basically by nature PC gamers who build their own computers likely do not have it but we represent a tiny fraction of PC users.


AAANNNDDDD watch Intel stocks go down again


16 minutes ago, leadeater said:

Most non-K SKUs have it, so basically by nature PC gamers who build their own computers likely do not have it but we represent a tiny fraction of PC users.

Xeon of course, majority of them mobile including 8706G, and some selected non-k socket desktop also have it. 8700k and 8600k have it too.


1 hour ago, NumLock21 said:

8700k and 8600k have it too.

Yea that's new to 8th gen, last generations vPro was absent from K's. Xeon and desktop have different AMT platforms too, although E3 Xeons use the desktop variant ME and E5/E7 Xeon uses SPS.


Guys

 

I think we're all overreacting here. Simmer down now.


Huh, so i guess the Toaster is actually impacted by this? xD That's what I get for using a server motherboard I guess :P


18 hours ago, SC2Mitch said:

Intel just brushing it and blaming other people, gee wonder where we've seen this before. 

I am legitimately wondering, where have you seen that before? 


10 hours ago, Drak3 said:

This is the tech equivalent of leaving your car unlocked and running for a few hours in a dark alley.

No it's not. If you're going for a "real world" analogy it's like not changing the default pin on your house alarm.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


18 hours ago, Eduard the weeb said:

at this point I feel like Intel may bankrupt itself from the sheer amount of security flaws atm lol

also I know this is nearly impossible to happen right now after the stranglehold they have had on the PC market forever now

It's realistically barely affecting them


19 hours ago, SC2Mitch said:

Intel just brushing it and blaming other people, gee wonder where we've seen this before. 

Well it really is the fault of OEMs not changing the password to something more secure post-assembly. Sheesh the tech press are going completely googly-eyed at anything to tear Intel down after the Meltdown announcement and Krzanich's massive stock sale (which Intel has already proven with documents provided to the SEC was entirely above board and planned 2 months prior to Google making the disclosure about Meltdown to the company).
