• United States

Configuration errors in Intel workstations being labeled a security hole

News Analysis
Jan 16, 20183 mins
Computers and PeripheralsIntelSecurity

The issue is in specific desktops and laptops but is not a technical one, company says.

data breach security threat lock crime spyware
Credit: Thinkstock

Security researchers at an antivirus company have documented another potentially serious security hole in an Intel product, this time in the mechanism for performing system updates. The good news, however, is that it is limited to desktops, is a configuration error, and does not appear to impact servers.

Last June, researchers at F-Secure found a flaw in Intel’s Active Management Technology (AMT), a feature used to perform remote updates to advanced desktops using Intel vPro or workstation platforms using Core desktop chips and certain Xeon CPUs. Xeon is primarily a server processor but there are some low-end chips used in high-performance workstations, such as those used in a CAD environment.

AMT is designed to allow administrators to access and perform updates to PCs even if the PCs are turned off, so that they don’t have to go from computer to computer performing updates. Instead, an update is pushed out from a central location.

What F-Secure found is that an attacker can gain full access to an entire machine, including encryption keys. The vulnerability allows a local intruder — key word local — to backdoor almost any corporate laptop in a matter of seconds, even if the BIOS password, TPM Pin, Bitlocker and login credentials are in place.

“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” said Harry Sintonen, the F-Secure security consultant who found the bug in a blog post.

Normally computers with AMT have a BIOS password to prevent making low-level changes, but due to insecure defaults in the BIOS and AMT’s BIOS extension (MEBx) configuration, an attacker with physical access can log in using the default password “admin.” Given the bad security habits of many people, there’s a good chance this default password was not changed.

By changing the default password, enabling remote access and setting AMT’s user opt-in to “None,” the attacker has now backdoored the machine and can gain access to the system remotely, assuming the attacker is on the same network as the target machine.

Intel says this is a problem in how the machine is configured by the OEM. Its recommendation is that MEBx access be gated by the BIOS password and has said so since 2015. What F-Secure found is that some system manufacturers were not requiring a BIOS password to access MEBx. So it updated its guidance for proper AMT/MEBx security in December.

Again, it must be emphasized that this is a) an exploit that requires local access to the computer, b) requires the attacker to be on the same network for further exploits, and c) does not impact Xeon servers. With the hysteria over Meltdown, this vulnerability is getting a bit of shrill coverage that is not warranted.

Intel, though, has to tighten up AMT, because this is not the first problem to emerge. Last year, security researchers also found vulnerabilities in Intel AMT, which could have allowed attackers to “access everything,” including memory and encryption keys. Intel has since released patches.

Andy Patrizio is a freelance journalist based in southern California who has covered the computer industry for 20 years and has built every x86 PC he’s ever owned, laptops not included.

The opinions expressed in this blog are those of the author and do not necessarily represent those of ITworld, Network World, its parent, subsidiary or affiliated companies.

More from this author