{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2018-002.pdf"
    },
    "title": "INTEL AMT Security Issue",
    "serial_number": "2018-002",
    "publish_date": "12-01-2018 15:33:00",
    "description": "On January 12th 2018, F-Secure reported a security issue affecting laptops supporting Intel\u2019s Active Management Technology (AMT). The issue allows an attacker with physical access to the laptop to bypass the need to enter credentials, including BIOS and BitLocker passwords and TPM PINs, and to gain remote access for later exploitation.",
    "url_title": "2018-002",
    "content_markdown": "---\ntitle: 'INTEL AMT Security Issue'\nversion: '1.0'\nnumber: '2018-002'\ndate: 'January 12, 2018'\n---\n\n_History:_\n\n* _12/01/2018 --- v1.0: Initial publication_\n\n# Summary\n\nOn January 12th 2018, F-Secure reported a security issue affecting laptops supporting Intel\u2019s Active Management Technology (AMT) [1]. The issue allows an attacker with physical access to the laptop to bypass the need to enter credentials, including BIOS and BitLocker passwords and TPM PINs, and to gain remote access for later exploitation.\n\nThe flaw described is caused by a weak default configuration on Intel Management Engine BIOS Extension (MEBx). The BIOS extension is accessible even if a password is set up for the BIOS.\n\n# Technical Details\n\nIntel AMT is a solution for remote access monitoring and maintenance of corporate-grade personal computers, created to allow IT departments or managed service providers to better control their device fleets.\n\nThe Intel Management Engine BIOS Extension (MEBx) can be accessed by pressing `CTRL-P` during bootup. The default password is `admin`. If it is unchanged, the attacker can then change the default password, enable remote access and set AMT\u2019s user opt-in to `None`. The attacker can now access the laptop if connected to the same network segment from wired or wireless networks.\n\n# Recommendations\n\nIf AMT is not needed, deactivate it in the BIOS configuration.\n\nIf it is needed, change the default password to a strong one -- following the password policy in place.\n\n\n# References\n\n[1] <https://press.f-secure.com/2018/01/12/intel-amt-security-issue-lets-attackers-bypass-login-credentials-in-corporate-laptops/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>12/01/2018 --- v1.0: Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On January 12th 2018, F-Secure reported a security issue affecting laptops supporting Intel\u2019s Active Management Technology (AMT) [1]. The issue allows an attacker with physical access to the laptop to bypass the need to enter credentials, including BIOS and BitLocker passwords and TPM PINs, and to gain remote access for later exploitation.</p><p>The flaw described is caused by a weak default configuration on Intel Management Engine BIOS Extension (MEBx). The BIOS extension is accessible even if a password is set up for the BIOS.</p><h2 id=\"technical-details\">Technical Details</h2><p>Intel AMT is a solution for remote access monitoring and maintenance of corporate-grade personal computers, created to allow IT departments or managed service providers to better control their device fleets.</p><p>The Intel Management Engine BIOS Extension (MEBx) can be accessed by pressing <code>CTRL-P</code> during bootup. The default password is <code>admin</code>. If it is unchanged, the attacker can then change the default password, enable remote access and set AMT\u2019s user opt-in to <code>None</code>. The attacker can now access the laptop if connected to the same network segment from wired or wireless networks.</p><h2 id=\"recommendations\">Recommendations</h2><p>If AMT is not needed, deactivate it in the BIOS configuration.</p><p>If it is needed, change the default password to a strong one -- following the password policy in place.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://press.f-secure.com/2018/01/12/intel-amt-security-issue-lets-attackers-bypass-login-credentials-in-corporate-laptops/\">https://press.f-secure.com/2018/01/12/intel-amt-security-issue-lets-attackers-bypass-login-credentials-in-corporate-laptops/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}