Intel’s AMT vulnerability – Return of the Spectre


In the midst of the rollout of recent Intel patches to counter the Spectre and Meltdown security flaws, a new flaw has come to light. A security company in Finland has found a flaw that allows a hacker to remotely access a system.

So what’s required?
Physical access to the system is required in the first instance to compromise it. The attacker then runs a single line of code to enable remote access.

What’s AMT?
Intel has a feature called AMT that comes with Intel chipsets and is meant for IT admins to better control and manage a fleet of devices remotely. It is used especially in mid to large organizations.

The BIOS
A BIOS password prevents an unauthorized user from booting up the device or making changes to the boot-up process. However, it does not prevent unauthorized access to Intel’s AMT feature.

How is it done?
Once the attacker gets physical access to the system, he can start up or reboot the computer, press Ctrl-P during boot-up and bypass the BIOS password using the “AMT BIOS extension” with a default username (usually this would be left untouched). The attacker then needs to add a line of code in the authorization digest console.

The syntax is similar to this: strncmp(string_1, string_2, length).

This code is an example and is publicly available on the web. The attacker then gains access to the AMT console without a password and can enable remote access on the computer through the AMT console. I’ve performed one of these on my unpatched HP laptop at home, so I do know that it works. Depending on the computer, this compromise can be as short as 40 seconds, although having physical access to the computer makes this harder to do. This type of attack would fall under organized crime.
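An added example, not code from the original post or from Intel: a length-bounded comparison of the strncmp form quoted above is unsafe when the length is taken from the submitted string, because an empty or truncated submission then compares equal. The names check_weak, check_hardened and EXPECTED are hypothetical, the sample value is constructed, and that the length comes from the submission is an assumption the post does not state.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample value standing in for the digest the server expects. */
static const char EXPECTED[] = "0123456789abcdef0123456789abcdef";

/* Weak pattern (assumed, see lead-in): the comparison length comes from the
 * submitted string. With an empty submission strncmp compares 0 bytes and
 * returns 0, which the caller reads as "equal". */
int check_weak(const char *submitted)
{
    return strncmp(EXPECTED, submitted, strlen(submitted)) == 0;
}

/* Hardened pattern: require the exact expected length first, then compare
 * every byte without an early exit so timing does not reveal how long a
 * matching prefix was. */
int check_hardened(const char *submitted)
{
    size_t expected_len = sizeof(EXPECTED) - 1;
    unsigned char diff = 0;

    if (submitted == NULL || strlen(submitted) != expected_len)
        return 0;
    for (size_t i = 0; i < expected_len; i++)
        diff |= (unsigned char)(EXPECTED[i] ^ submitted[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed inputs: correct value, empty, truncated, wrong. */
    const char *inputs[] = { EXPECTED, "", "0123",
                             "00000000000000000000000000000000" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("input=\"%s\" weak=%d hardened=%d\n", inputs[i],
               check_weak(inputs[i]), check_hardened(inputs[i]));
    return 0;
}
```

A firmware audit or code review can look for this pattern by checking where the third argument of each strncmp or memcmp call in an authentication path comes from.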

Quick and simple recommendations
1. Intel has already released a detection and mitigation tool, available here. Use the tool to apply the firmware update and mitigate the risk.

2. The other option is to disable AMT altogether.

3. If the above is not possible, change the default username in AMT. This makes it harder to guess the username and perform the attack.

4. Do not leave the computer unattended in a public place.

Found this useful? Like and spread the word….

 

Thanks for reading!