eSentire White Logo

Security advisories | Feb 26, 2019

Intel AMT Security Issue

A security issue has been discovered in Intel Active Management Technology (AMT) that allows a threat actor with physical access to an Intel device to set up remote access for future attacks. This is only applicable to users that have not changed the default password for AMT. The attack is considered to be relatively simple by researchers and the backdooring process takes less than 30 seconds to complete. No user credentials or additional methods of authentication are required to perform the attack. At this time, it is assessed with Medium Confidence that this attack is not being used in the wild, but due to its simplicity and destructive potential, it may be quickly adapted by cybercriminals.

What you should do about it

  • Guarantee that corporate Intel devices are physically secured at all times
  • If AMT is not required for business purposes, disable it on corporate devices
  • If AMT is required, ensure that a strong password is enabled

Additional Information

  • To exploit this security issue, a threat actor simply needs to power up the machine and press CTRL+P. From here, the threat actor can log into Intel Management Engine BIOS Extension using the publicly available default password, then change it to a password of their choice. Once this access has been achieved, the threat actor simply needs to enable remote access and set the user opt-in to “none”.
  • At this time, Intel has not released any patches, but points concerned users to their document on best configuration practices [1].

[1]PDF: Security Best Practices of Intel® Active Management Technology Q&A December 2017