editor's focus

LAPTOPS BLITZED IN UNDER 30 SECONDS

WHAT IF YOUR LAPTOP COULD BE 'BACKDOORED' VIA A TECHNOLOGY ALMOST EVERYONE USES AND TRUSTS: INTEL. IT'S NOT SIMPLY A POSSIBILITY, HOWEVER - IT'S BEEN REPORTED AS HAPPENING ON A MASSIVE SCALE
It was interesting, and worrying, to see an alert on a security issue that allegedly has been affecting most corporate laptops, allowing an attacker with physical access to 'backdoor' a device in less than 30 seconds. According to F-Secure, the vulnerability allows an attacker to bypass the need to enter credentials, including BIOS and BitLocker passwords and TPM PINs, and thus to gain remote access for later exploitation. It exists, according to the company, within Intel's Active Management Technology (AMT) and potentially affects millions of laptops globally.

The security issue "is almost deceptively simple to exploit, but it has incredible destructive potential", says Harry Sintonen, who investigated the issue in his role as senior security consultant at F-Secure. "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."

DEVICE FLEETS

Intel AMT is a solution for remote access monitoring and maintenance of corporate-grade personal computers, created to allow IT departments or managed service providers to better control their device fleets. The technology, which is commonly found in corporate laptops, has been called out for security weaknesses in the past, but the pure simplicity of exploiting this particular issue sets it apart from previous instances. The weakness can be exploited in mere seconds without a single line of code.

The essence of the security issue is that setting a BIOS password, which normally prevents an unauthorised user from booting up the device or making low-level changes to it, does not prevent unauthorised access to the AMT BIOS extension. This allows an attacker to configure AMT and make remote exploitation possible.

To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during boot-up. The attacker may then log into the Intel Management Engine BIOS Extension (MEBx) using the default password, 'admin', as this default is most likely unchanged on most corporate laptops. The attacker may then change the default password, enable remote access and set AMT's user opt-in to 'None'.

The attacker can now gain remote access to the system from both wireless and wired networks, as long as they are able to insert themselves onto the same network segment as the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA (Client Initiated Remote Access) server.
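The defensive counterpart to the scenario above is knowing which machines in your own fleet already have AMT's network interface switched on, since that is the end state an attacker with MEBx access creates. The Python script below is an added example, not code from the article or from F-Secure; it assumes AMT's web listener answers on TCP 16992 (HTTP) and 16993 (HTTPS) with a `Server: Intel(R) Active Management Technology` header, and the sample banner is constructed.

```python
"""Fleet audit helper: find hosts whose Intel AMT web listener is reachable."""
import re
import socket
import ssl

# Assumption: AMT's web interface listens on TCP 16992 (HTTP) and 16993 (HTTPS).
AMT_PORTS = {16992: False, 16993: True}  # port -> wrap in TLS
SERVER_RE = re.compile(
    r"Server:\s*Intel\(R\) Active Management Technology\s*([\d.]+)?", re.I)
AUTH_RE = re.compile(r"^WWW-Authenticate:\s*(\w+)", re.I | re.M)

def classify_banner(response: bytes) -> dict:
    """Return {'amt', 'version', 'auth'} decided from a raw HTTP reply's headers."""
    head = response.decode("latin-1", "replace").split("\r\n\r\n", 1)[0]
    m = SERVER_RE.search(head)
    if not m:
        return {"amt": False, "version": None, "auth": None}
    a = AUTH_RE.search(head)  # login scheme offered (Digest on a default install)
    return {"amt": True, "version": m.group(1), "auth": a.group(1) if a else None}

def probe(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Send a minimal GET and return the raw reply, or b'' if nothing answered."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if AMT_PORTS.get(port):
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # own-fleet inventory; AMT certs are self-signed
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return sock.recv(4096)
    except OSError:  # refused, timed out, TLS failure: treat as 'no AMT here'
        return b""

def audit(hosts):
    """Yield (host, port, finding) for each host with a reachable AMT interface."""
    for host in hosts:
        for port in AMT_PORTS:
            finding = classify_banner(probe(host, port))
            if finding["amt"]:
                yield host, port, finding

# Constructed sample of what an enabled AMT listener answers to an unauthenticated GET.
SAMPLE_AMT = (b"HTTP/1.1 401 Unauthorized\r\n"
              b'WWW-Authenticate: Digest realm="Digest:0001", nonce="abc", qop="auth"\r\n'
              b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
              b"Content-Type: text/html\r\n\r\n<html>Unauthorized</html>")
```

Feed `audit()` the address ranges you manage; every hit is a laptop whose MEBx already has network access enabled and whose password and opt-in setting should be verified against your provisioning records.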
06<br />
computing security Jan/Feb 2018 @CSMagAndAwards www.computingsecurity.co.uk