Researcher Reports of Another Intel Vulnerability Affecting Corporate Laptops

The bad news for the security of devices with Intel technology does not end with the recently discovered Spectre and Meltdown vulnerabilities. Researcher Harry Sintonen from the Finnish company F-Secure reports another dangerous bug that could potentially affect millions of corporate laptops. Apparently, Sintonen noticed the vulnerability as early as July 2017 after spotting some unsafe and misleading default behavior of the Active Management Technology (AMT) - Intel's proprietary remote access maintenance and monitoring solution that allows IT departments of large companies to have better control over their corporate computers.

A potential attack that exploits this particular weakness in Intel's technology requires physical access to the target device. It looks simple to conduct, yet it could have huge destructive potential, as it gives the attacker complete control over someone's work laptop. Reading or modifying data is the least of the possible damages of such unauthorized access; deploying malware despite the presence of any security solution could be the worst. Moreover, Sintonen points out that a local intruder could gain access to nearly any corporate computer within just a few seconds even if security measures like a TPM PIN, BIOS password, BitLocker and login credentials are in place.

The attack starts by rebooting the target PC and entering the boot menu. The vulnerability lies in the possibility of avoiding the BIOS password check by selecting Intel's Management Engine BIOS Extension (MEBx). Then, the attacker can log in using the default "admin" password, given that the user has not changed it, which is likely the case. After that, to effectively compromise the machine, the intruder only needs to change the default password, enable remote access and set AMT's user opt-in to "None." From then on, it is easy to gain remote access to the target PC by connecting to the same network.

The way to resolve this security flaw seems simple at first sight, though the experts say that it is rather complicated to implement. Apart from advising employees never to leave their laptops unattended, companies should make sure that all of their corporate machines have a strong AMT password set or, if possible, have the service completely disabled. Ironically enough, the required changes in Intel's AMT cannot be executed remotely, meaning that IT departments would have to go through every single one of the company's machines and implement the necessary changes, which could be very costly and time-consuming on a large scale. Another recommendation to limit the impact of a potential attack would be to narrow down the number of affected assets.