CS1801
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
editor's focus<br />
Although the initial attack requires physical<br />
access, Sintonen explains that the speed with<br />
which it can be carried out makes it easily<br />
exploitable in a so-called 'evil maid' scenario.<br />
"You leave your laptop in your hotel room<br />
while you go out for a drink. The attacker<br />
breaks into your room and configures your<br />
laptop in less than a minute and now he or<br />
she can access your desktop when you use<br />
your laptop in the hotel WLAN. And since the<br />
computer connects to your company VPN,<br />
the attacker can access company resources."<br />
INSTANT DAMAGE<br />
Sintonen points out that, even a minute of<br />
distracting a target from their laptop at an<br />
airport or coffee shop, is enough to do the<br />
damage. He stumbled upon the issue in July<br />
2017 and notes that another researcher*<br />
also mentioned it in a more recent talk. For<br />
this reason, it's especially important that<br />
organisations know about the unsafe default,<br />
so they can fix it before it begins to be<br />
exploited. A similar vulnerability has also been<br />
previously pointed out by CERT-Bund, but<br />
with regards to USB provisioning, he says.<br />
The issue affects most, if not all, laptops<br />
that support Intel Management Engine/Intel<br />
AMT. It is unrelated to the recently disclosed<br />
Spectre and Meltdown vulnerabilities,<br />
however.<br />
What to do then? Intel recommends that<br />
vendors require the BIOS password to<br />
provision Intel AMT. And yet many device<br />
manufacturers do not follow this advice. To<br />
stay safe, organisations should run with the<br />
least privileged access, states Intel, keeping<br />
firmware, security software and operating<br />
systems up to date.<br />
Intel also points out: "Intel makes every<br />
effort to protect our platforms from attack<br />
and takes reports of issues seriously,<br />
investigating each to determine merit and<br />
opportunities to further enhance system<br />
security." It adds: "To exploit the potential<br />
vulnerability, a malicious user would need<br />
physical possession of the system, in order to<br />
attempt manipulation of Intel AMT TLS<br />
configurations."<br />
On its website, it has a Q&A section<br />
addressing some of the concerns raised in<br />
this article. Here is a taster:<br />
Are there security concerns with Intel Active<br />
Management Technology?<br />
Intel: The Intel vPro platform and its included<br />
Active Management Technology has supplied<br />
differentiated hardware-assisted security and<br />
manageability capabilities to over 100 million<br />
systems over the last decade. When Intel<br />
receives a report of a potential security<br />
vulnerability in our products, we begin<br />
evaluation of the report. We confirm the<br />
potential vulnerability, assesses the risk,<br />
determine the impact, and assign a<br />
processing priority. After vulnerability<br />
confirmation, the priority determines issue<br />
handling throughout the remaining steps<br />
in the process. For severe issues requiring<br />
immediate mitigation steps, communication<br />
occurs through:<br />
https://www.intel.com/security.<br />
Are there security vulnerabilities in your<br />
product(s)?<br />
Intel recognises our role in improving the<br />
security of the computing platform. Intel<br />
actively works to identify and resolve security<br />
vulnerabilities. In the event that vulnerabilities<br />
are identified, the Product Security Incident<br />
Response Team (PSIRT) works across Intel and<br />
with the security community to understand<br />
the vulnerability and the underlying issue. The<br />
PSIRT has the responsibility to communicate<br />
with our suppliers, customers, and end users.<br />
Public communications from the PSIRT team<br />
are available at:<br />
https://www.intel.com/security.<br />
If Intel knew of a security issue with its<br />
products would you disclose that issue?<br />
Intel is committed to addressing security<br />
vulnerabilities affecting our customers and<br />
providing responsible guidance on the<br />
solution, impact, severity and mitigation.<br />
The latest information about product security<br />
Harry Sintonen, F-Secure.<br />
issues is available on our portal:<br />
https://security-center.intel.com.<br />
What prevents malicious software from<br />
using Intel AMT to exploit a PC and what<br />
authentication mechanism is used to prevent<br />
an unauthorised person from gaining access?<br />
Access and communications between Intel<br />
AMT and authorised management consoles<br />
can be fully encrypted. Even if authorised<br />
management consoles are not 'encrypted',<br />
the communication with Intel AMT requires<br />
valid credential setup during configuration,<br />
either digest authentication or Kerberos<br />
authentication are supported. It is also<br />
possible to setup Intel AMT to require a<br />
client x509v3 certificate (aka TLS mutual<br />
authentication) to provide additional security.<br />
In addition, IT administrators' access can be<br />
limited to only certain remote features and<br />
full privilege can be granted only to those<br />
with Admin rights. Intel AMT also includes<br />
an Access Monitor feature that allows only<br />
an Auditor to clear out logs to help deter<br />
malicious insider attacks.<br />
*Parth Shukla, Google, October 2017 'Intel AMT:<br />
Using & Abusing the Ghost in the Machine'.<br />
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2018 computing security<br />
07