20 January 2018
Intel’s Active Management Technology (AMT) offers impressive management features to company IT shops:
- Asset discovery
- Out-of-band management functions to fix systems even if the OS went down
- Contain the impact of malware
Like any other software, AMT has configuration issues and vulnerabilities. For example, in 2015 default factory settings could be leveraged by an attacker to gain full control over devices from the network. Last year, four vulnerabilities were published in the National Vulnerability Database (NVD).
The latest configuration issue, published on January 12, 2018 by F-Secure researchers, allows attackers with physical access to compromise systems easily:
Just press CTRL-P during boot and log into the Intel Management Engine BIOS Extension (MEBx) using the default password “admin”. With this, an attacker can reconfigure the system to allow, for example, remote access once the system is booted and left unattended.
This type of attack is called an evil maid attack. It is used especially by cybercriminals and nation-state actors to compromise systems.
Although Intel made recommendations to mitigate this issue, the F-Secure report makes clear that the OEMs did not implement them and that the system managers did not change the AMT password on delivery to the users.
With this, we have no choice but to set individual AMT and BIOS passwords on all laptops and mobile devices with AMT enabled. This is going to be a hard job in companies with some thousand devices.
A risk-based approach makes sense: Start with the top management and employees who have access to business-critical information.
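One way to turn this risk-based rollout into a work queue, as an added example that is not part of the original post: the script reads an asset inventory export, keeps the portable devices with AMT enabled that still lack an individual AMT password or a BIOS password, and orders them so that top management and users with access to business-critical information come first. The CSV columns, the `default`/`shared`/`individual` password states and the host names are assumptions constructed for this example.

```python
import csv
import io

# Constructed sample inventory export; column names and values are assumptions.
SAMPLE_INVENTORY = """hostname,form_factor,amt_enabled,amt_password,bios_password_set,owner_role,critical_data
lt-ceo-01,laptop,yes,default,no,executive,yes
lt-fin-07,laptop,yes,shared,yes,staff,yes
lt-dev-12,laptop,yes,default,no,staff,no
lt-hr-03,laptop,no,default,no,staff,yes
ws-lab-02,desktop,yes,default,no,staff,no
lt-cfo-02,laptop,yes,individual,yes,executive,yes
lt-sales-09,laptop,yes,individual,no,staff,no
"""

PORTABLE = {"laptop", "tablet"}
PASSWORD_RANK = {"default": 0, "shared": 1, "individual": 2}

def pending_actions(dev):
    """Return the hardening steps still open for one device (empty list = done)."""
    if dev["form_factor"] not in PORTABLE or dev["amt_enabled"] != "yes":
        return []  # outside the scope the post sets: portable devices with AMT enabled
    actions = []
    if dev["amt_password"] != "individual":
        actions.append("set individual AMT password")
    if dev["bios_password_set"] != "yes":
        actions.append("set BIOS password")
    return actions

def risk_key(dev):
    """First wave: top management or access to business-critical information.
    Within a wave, factory-default AMT passwords are handled before shared ones."""
    first_wave = dev["owner_role"] == "executive" or dev["critical_data"] == "yes"
    return (0 if first_wave else 1, PASSWORD_RANK[dev["amt_password"]], dev["hostname"])

def build_queue(inventory_csv):
    """Parse the inventory and return [(hostname, actions)] in remediation order."""
    devices = list(csv.DictReader(io.StringIO(inventory_csv)))
    todo = [d for d in devices if pending_actions(d)]
    return [(d["hostname"], pending_actions(d)) for d in sorted(todo, key=risk_key)]

if __name__ == "__main__":
    for host, actions in build_queue(SAMPLE_INVENTORY):
        print(f"{host}: {', '.join(actions)}")
```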
Have a great weekend.