Views
1 year ago

CSLATEST

editor's focus LAPTOPS

editor's focus LAPTOPS BLITZED IN UNDER 30 SECONDS WHAT IF YOUR LAPTOP COULD BE 'BACKDOORED' VIA A TECHNOLOGY ALMOST EVERYONE USES AND TRUSTS: INTEL. IT'S NOT SIMPLY A POSSIBILITY, HOWEVER - IT'S BEEN REPORTED AS HAPPENING ON A MASSIVE SCALE It was interesting and worrying, to see an alert on a security issue that allegedly has been affecting most corporate laptops, allowing an attacker with physical access to 'backdoor' a device in less than 30 seconds. According to F-Secure, the vulnerability allows an attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and thus to gain remote access for later exploitation. It exists, according to the company, within Intel's Active Management Technology (AMT) and potentially affects millions of laptops globally. The security issue "is almost deceptively simple to exploit, but it has incredible destructive potential", says Harry Sintonen, who investigated the issue in his role as senior security consultant at F-Secure. "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures." DEVICE FLEETS Intel AMT is a solution for remote access monitoring and maintenance of corporategrade personal computers, created to allow IT departments or managed service providers to better control their device fleets. The technology, which is commonly found in corporate laptops, has been called out for security weaknesses in the past, but the pure simplicity of exploiting this particular issue sets it apart from previous instances. The weakness can be exploited in mere seconds without a single line of code. The essence of the security issue is that setting a BIOS password, which normally prevents an unauthorised user from booting up the device or making low-level changes to it, does not prevent unauthorised access to the AMT BIOS extension. This allows an attacker access to configure AMT and make remote exploitation possible. To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, 'admin', as this default is most likely unchanged on most corporate laptops. The attacker then may change the default password, enable remote access and set AMT's user opt-in to 'None' The attacker can now gain remote access to the system from both wireless and wired networks, as long as they're able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server. 06 computing security Jan/Feb 2018 @CSMagAndAwards www.computingsecurity.co.uk

editor's focus Although the initial attack requires physical access, Sintonen explains that the speed with which it can be carried out makes it easily exploitable in a so-called 'evil maid' scenario. "You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources." INSTANT DAMAGE Sintonen points out that, even a minute of distracting a target from their laptop at an airport or coffee shop, is enough to do the damage. He stumbled upon the issue in July 2017 and notes that another researcher* also mentioned it in a more recent talk. For this reason, it's especially important that organisations know about the unsafe default, so they can fix it before it begins to be exploited. A similar vulnerability has also been previously pointed out by CERT-Bund, but with regards to USB provisioning, he says. The issue affects most, if not all, laptops that support Intel Management Engine/Intel AMT. It is unrelated to the recently disclosed Spectre and Meltdown vulnerabilities, however. What to do then? Intel recommends that vendors require the BIOS password to provision Intel AMT. And yet many device manufacturers do not follow this advice. To stay safe, organisations should run with the least privileged access, states Intel, keeping firmware, security software and operating systems up to date. Intel also points out: "Intel makes every effort to protect our platforms from attack and takes reports of issues seriously, investigating each to determine merit and opportunities to further enhance system security." It adds: "To exploit the potential vulnerability, a malicious user would need physical possession of the system, in order to attempt manipulation of Intel AMT TLS configurations." On its website, it has a Q&A section addressing some of the concerns raised in this article. Here is a taster: Are there security concerns with Intel Active Management Technology? Intel: The Intel vPro platform and its included Active Management Technology has supplied differentiated hardware-assisted security and manageability capabilities to over 100 million systems over the last decade. When Intel receives a report of a potential security vulnerability in our products, we begin evaluation of the report. We confirm the potential vulnerability, assesses the risk, determine the impact, and assign a processing priority. After vulnerability confirmation, the priority determines issue handling throughout the remaining steps in the process. For severe issues requiring immediate mitigation steps, communication occurs through: https://www.intel.com/security. Are there security vulnerabilities in your product(s)? Intel recognises our role in improving the security of the computing platform. Intel actively works to identify and resolve security vulnerabilities. In the event that vulnerabilities are identified, the Product Security Incident Response Team (PSIRT) works across Intel and with the security community to understand the vulnerability and the underlying issue. The PSIRT has the responsibility to communicate with our suppliers, customers, and end users. Public communications from the PSIRT team are available at: https://www.intel.com/security. If Intel knew of a security issue with its products would you disclose that issue? Intel is committed to addressing security vulnerabilities affecting our customers and providing responsible guidance on the solution, impact, severity and mitigation. The latest information about product security Harry Sintonen, F-Secure. issues is available on our portal: https://security-center.intel.com. What prevents malicious software from using Intel AMT to exploit a PC and what authentication mechanism is used to prevent an unauthorised person from gaining access? Access and communications between Intel AMT and authorised management consoles can be fully encrypted. Even if authorised management consoles are not 'encrypted', the communication with Intel AMT requires valid credential setup during configuration, either digest authentication or Kerberos authentication are supported. It is also possible to setup Intel AMT to require a client x509v3 certificate (aka TLS mutual authentication) to provide additional security. In addition, IT administrators' access can be limited to only certain remote features and full privilege can be granted only to those with Admin rights. Intel AMT also includes an Access Monitor feature that allows only an Auditor to clear out logs to help deter malicious insider attacks. *Parth Shukla, Google, October 2017 'Intel AMT: Using & Abusing the Ghost in the Machine'. www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2018 computing security 07