
Most office laptops now vulnerable to attack

Published : 14 Jan 2018, 00:11

Updated : 14 Jan 2018, 14:04

  DF-Report

The Finnish cyber security firm F-Secure on Friday reported a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds.

The issue allows the attacker to bypass the need to enter credentials, including BIOS and BitLocker passwords and TPM PINs, and to gain remote access for later exploitation, said F-Secure in a press release.

The issue exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops across the globe.

The security flaw “is almost deceptively simple to exploit, but it has incredible destructive potential,” said F-Secure Senior Security Consultant Harry Sintonen, who investigated and detected the vulnerability. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

Intel AMT is a solution for remote access monitoring and maintenance of corporate-grade personal computers created to allow IT departments or managed service providers to better control their device fleets. The technology, which is commonly found in corporate laptops, has been called out for security weaknesses in the past, but the pure simplicity of exploiting this particular issue sets it apart from previous instances. The weakness can be exploited in mere seconds without a single line of code.

The security weakness is essentially the fact that setting a BIOS password, which normally prevents an unauthorized user from booting up the device or making low-level changes to it, does not prevent unauthorized access to the AMT BIOS extension. This allows an attacker the opportunity to access and configure the AMT and make remote exploitation possible.

To exploit this, all that an attacker has to do is reboot or power up the target machine and press CTRL-P during boot-up. The attacker may then log into the Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops. The attacker may then change the default password, enable remote access and set AMT’s user opt-in to “None.” The attacker can now gain remote access to the system through both wireless and wired networks, as long as they are able to insert themselves onto the same network segment as the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.

Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easy to do in a so-called “evil maid” scenario. “You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.”

Sintonen points out that distracting a target from his/her laptop at an airport or coffee shop even for a minute is time enough to do the damage.

Sintonen stumbled upon the fault in July 2017, and notes that another researcher also mentioned it in a more recent talk. For this reason, it’s especially important that organisations know about the unsafe default, so they can fix it before it begins to be exploited. A similar vulnerability was pointed out in the past by CERT-Bund but it was related to USB provisioning, Sintonen said.

The issue affects most, if not all, laptops that support Intel Management Engine / Intel AMT, and is in no way related to the recently disclosed Spectre and Meltdown vulnerabilities.

Intel recommends that vendors require the BIOS password to provision Intel AMT. However, many device manufacturers do not follow this guideline.