With the recent news of security vulnerabilities in the Intel Active Management Technology, now seemed to be the best time to share how security and network professionals can monitor Intel AMT traffic using their existing flow and metadata collector. In this post, let’s explore what the security vulnerability is, how you can remedy the problem, and how you can look for suspicious activities that indicate a compromised system.
What is the Intel AMT vulnerability?
An F-Secure security researcher has found a way to use Intel’s Active Management Technology (AMT) to bypass BIOS passwords, BitLocker credentials, and TPM pins to gain access to previously-secured corporate computers. Systems that have had Intel AMT provisioned are vulnerable according the Harry Sintonen, the researcher who found the vulnerability. Intel AMT is a feature of Intel CPUs that allows system administrators of larger networks to perform remote out-of-band management of personal computers in order to monitor, maintain, update, or perform upgrades without physical access to devices.
The vulnerability at hand allows attackers to boot via Intel Management Engine BIOS Extension (MEBx) and bypass other login systems. More specifically, computers that have had AMT configured without an AMT password are especially vulnerable. According to Sintonen, a malicious actor with access to the device can press CTRL+P during the boot process and select MEBx for the boot-up routine, thus bypassing BIOS, BitLocker, or TPM logins. While a MEBx password is required, most companies do not change the default password (admin).
How to remedy the Intel AMT vulnerability
Given the sevarity of the vulnerability, it is important for IT professionals to take steps to prevent unwanted access to devices via Intel AMT. As Sintonen says, “anyone who gains access to the device can provision Intel AMT if it hasn’t been done before already. Afterwards, the attacker can gain access to the system remotely, regardless of firewall or VPN solution.”
There are two ways to mitigate the vulnerability. The first step requires that devices be provisioned for Intel AMT. Specifically, it is important to update passwords so that they are not the default. By doing so, attackers who’ve gained access to the system will not be able to bypass the BIOS passwords, BitLocker credentials, or TPM pins. The alternative to provisioning Intel AMT is to disable it completely.
In either instance, the setup requirements to provision or disable Intel AMT are based on your device manufacturers configurations. Consult your OEM for instructions on how to enable or disable Intel AMT for your device.
Monitor Intel AMT traffic
Let’s assume you’ve updated your passwords or disabled Intel AMT on most of the device on your network. How can you be certain that there aren’t any rogue machines on the network that have been made vulnerable by an attacker? Well, thankfully, Intel AMT uses a defined set of ports (16992-16995). IT professionals should look for traffic that is taking place over these ports. If a connection is made to a system from a device that wouldn’t normally be managing remote devices, it is certainly worth looking into.
In the above image, I can see that there is a connection from the 10.60.1.43 device to another device 10.60.1.162 over port 16992. This port is the non-secure web management GUI port for Intel AMT. Since 10.60.1.43 isn’t a device that is authorized to manage remote devices over Intel AMT, I can take control of the issue by accessing the device being connected to and reprovisioning Intel AMT or disabling it entirely. This will prevent further unwanted connections. Additionally, by using the same flow and metadata collector, I can review the corporate assets that were accessed by both machines to see if anything suspicious happened, or if there was a data leak.
Now that you understand the Intel AMT vulnerability and how to monitor Intel AMT traffic, download Scrutinizer today to get the full benefit of network traffic analysis.