Connect with us

Hi, what are you looking for?


Endpoint Security

Simple Attack Allows Full Remote Access to Most Corporate Laptops

Remote Attack Leverages Flaw in Intel AMT Technology

Attack is Simple to Exploit, Has Incredible Destructive Potential

Remote Attack Leverages Flaw in Intel AMT Technology

Attack is Simple to Exploit, Has Incredible Destructive Potential

Researchers have discovered a flaw in Intel’s Advanced Management Technology (AMT) implementation that can be abused with less than a minute of physical access to the device.

An Evil Maid attack could ultimately give an adversary full remote access to a corporate network without having to write a single line of code.

The flaw was discovered by F-Secure senior security consultant Harry Sintonen, and disclosed today. It is unrelated to the “Apocalyptic AMT firmware vulnerability” disclosed in May 2017, or the current Meltdown and Spectre issues.

The new flaw is surprising in its simplicity. “It is almost deceptively simple to exploit, but it has incredible destructive potential,” explains Sintonen. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

The problem is that setting a BIOS password (standard procedure) does not usually prevent access to the AMT BIOS extension — the Intel Management Engine BIOS Extension (MEBx). Unless this separate password is changed, and usually it is not, the default ‘admin’ password will give the attacker access to AMT.

AMT is an out-of-band hardware-based remote management tool. It is chip-level and not dependent on software or an operating system. It requires only power and a connection. Its purpose is to give IT staff remote access to, and therefore control over, corporate devices; and is particularly useful for laptops used away from the office. It is found on computers with Intel vPro-enabled processors, and workstation platforms based on specific Intel Xeon processors — in short, the vast majority of company endpoints. 

Advertisement. Scroll to continue reading.

If attackers have physical access to such a device, one need only boot up the device pressing CTRL-P during the process, and log in to MEBx with ‘admin’. “By changing the default password, enabling remote access and setting AMT’s user opt-in to “None”, a quick-fingered cyber criminal has effectively compromised the machine,” writes F-Secure. 

The device itself might be considered secure, with a strong BIOS password, TPM Pin, BitLocker and login credentials — but all of these can be bypassed remotely if the attackers are able to insert themselves onto the same network segment with the victim. “In certain cases,” warns F-Secure, “the assailant can also program AMT to connect to their own server, which negates the necessity of being in the same network segment as the victim.”

Once such an attack has succeeded, the target device is fully compromised and the attacker has remote ability to read and modify all data and applications available to the authorized user.

Although physical access is required for the attack, the speed with which it can be accomplished makes the Evil Maid attack (so-called because such attacks can be exploited in a hotel room if a device is left unattended for a brief period of time) a viable threat. 

Sintonen describes a potential scenario. “Attackers have identified and located a target they wish to exploit. They approach the target in a public place — an airport, a cafe or a hotel lobby — and engage in an ‘evil maid’ scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time — the whole operation can take well under a minute to complete,” Sintonen says.

Preventing such Evil Maid attacks is simple in principle, but complex in practice, requiring granular provisioning. AMT should be disabled for all devices that are unlikely to require it. Where it is required, each device needs to be provisioned with a strong password. This needs to be done for both new and currently deployed devices.

“It is recommended to query the amount of affected devices remotely, and narrow the list of assets needing attention down to a more manageable number. For computers connected to a Windows domain, provisioning can be done with Microsoft System Center Configuration Manager,” suggests F-Secure. If any device is found to have an unknown password (in many cases this will be anything other than ‘admin’), that device should be considered suspect and appropriate incident response procedures should be initiated.

Sintonen found the issue in July 2017. However, he also notes that Google’s Parth Shukla mentioned it in an October 2017 presentation titled ‘Intel AMT: Using & Abusing the Ghost in the Machine’ delivered at 2017. Since awareness of the issue is already public knowledge, Sintonen recommends that organizations tackle the problem as soon as possible.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...