AMT is Intel’s remote maintenance feature used on Intel vPro-enabled and Xeon processors. MEBx is a BIOS extension used to manually configure the AMT service. When configured properly, MEBx is password protected.
Researchers at F-Secure, who outlined their research in a blog post Friday, said users typically don’t change the MEBx password from the default password “admin”.
“The issue allows a local intruder to backdoor almost any corporate laptop in a matter of seconds, even if the BIOS password, TPM Pin, Bitlocker and login credentials are in place,” F-Secure wrote.
The attack starts with rebooting the target’s laptop/desktop into the PC’s boot menu. Typically, an adversary would not be able to bypass a BIOS password, stopping the attack in its tracks, said researchers.
“In this case, however, the attacker has a workaround: AMT. By selecting Intel’s Management Engine BIOS Extension (MEBx), they can log in using the default password ‘admin,’ as this hasn’t most likely been changed by the user. By changing the default password, enabling remote access and setting AMT’s user opt-in to ‘None’, a quick-fingered cyber criminal has effectively compromised the machine,” F-Secure wrote.