Attack is Simple to Exploit, Has Incredible Destructive Potential
Researchers have discovered a flaw in Intel’s Advanced Management Technology (AMT) implementation that can be abused with less than a minute of physical access to the device.
An Evil Maid attack could ultimately give an adversary full remote access to a corporate network without having to write a single line of code.
The flaw was discovered by F-Secure senior security consultant Harry Sintonen, and disclosed today. It is unrelated to the “Apocalyptic AMT firmware vulnerability” disclosed in May 2017, or the current Meltdown and Spectre issues.
The new flaw is surprising in its simplicity. “It is almost deceptively simple to exploit, but it has incredible destructive potential,” explains Sintonen. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”
The problem is that setting a BIOS password (standard procedure) does not usually prevent access to the AMT BIOS extension — the Intel Management Engine BIOS Extension (MEBx). Unless this separate password is changed, and usually it is not, the default ‘admin’ password will give the attacker access to AMT.
AMT is an out-of-band hardware-based remote management tool. It is chip-level and not dependent on software or an operating system. It requires only power and a connection. Its purpose is to give IT staff remote access to, and therefore control over, corporate devices; and is particularly useful for laptops used away from the office. It is found on computers with Intel vPro-enabled processors, and workstation platforms based on specific Intel Xeon processors — in short, the vast majority of company endpoints.
If attackers have physical access to such a device, one need only boot up the device pressing CTRL-P during the process, and log in to MEBx with ‘admin’. “By changing the default password, enabling remote access and setting AMT’s user opt-in to “None”, a quick-fingered cyber criminal has effectively compromised the machine,” writes F-Secure.
The device itself might be considered secure, with a strong BIOS password, TPM Pin, BitLocker and login credentials — but all of these can be bypassed remotely if the attackers are able to insert themselves onto the same network segment with the victim. “In certain cases,” warns F-Secure, “the assailant can also program AMT to connect to their own server, which negates the necessity of being in the same network segment as the victim.”
Once such an attack has succeeded, the target device is fully compromised and the attacker has remote ability to read and modify all data and applications available to the authorized user.
Although physical access is required for the attack, the speed with which it can be accomplished makes the Evil Maid attack (so-called because such attacks can be exploited in a hotel room if a device is left unattended for a brief period of time) a viable threat.
Sintonen describes a potential scenario. “Attackers have identified and located a target they wish to exploit. They approach the target in a public place — an airport, a cafe or a hotel lobby — and engage in an ‘evil maid’ scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time — the whole operation can take well under a minute to complete,” Sintonen says.
Preventing such Evil Maid attacks is simple in principle, but complex in practice, requiring granular provisioning. AMT should be disabled for all devices that are unlikely to require it. Where it is required, each device needs to be provisioned with a strong password. This needs to be done for both new and currently deployed devices.
“It is recommended to query the amount of affected devices remotely, and narrow the list of assets needing attention down to a more manageable number. For computers connected to a Windows domain, provisioning can be done with Microsoft System Center Configuration Manager,” suggests F-Secure. If any device is found to have an unknown password (in many cases this will be anything other than ‘admin’), that device should be considered suspect and appropriate incident response procedures should be initiated.
Sintonen found the issue in July 2017. However, he also notes that Google’s Parth Shukla mentioned it in an October 2017 presentation titled ‘Intel AMT: Using & Abusing the Ghost in the Machine’ delivered at Hack.lu 2017. Since awareness of the issue is already public knowledge, Sintonen recommends that organizations tackle the problem as soon as possible.