5 May, 2017

What You Need To Know About The Intel AMT Vulnerability

May 5, 2017 – Embedi. For the first time since Intel made the Intel ME vulnerability known to the public, Embedi has been granted permission to reveal the technical details publicly. Embedi, which detected the Intel AMT vulnerability in mid-February of this year, feared that releasing the details before it was fixed would spark attacks on Intel AMT business users. Intel representatives were informed in March.


The Intel AMT vulnerability is the first of its kind. Exploitation allows an attacker to get full control over business computers, even if they are turned off (but still plugged into an outlet). We really hope that bringing this to light will raise awareness about security issues in firmware and help avoid possible issues in the future.

By nature, exploitation of the Intel AMT vulnerability bypasses authentication. In other words, an attacker may have no credentials and still be able to use the Intel AMT functionality. Access to ports 16992/16993 is the only requirement to perform a successful attack.
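Because network access to ports 16992/16993 is the only requirement stated above, a defender can audit where that access is actually allowed. The following is an added example, not code from Embedi or Intel: it scans firewall flow records for permitted connections to the AMT ports from outside a management subnet. The log format, the `10.50.0.0/24` management network and all sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ports named on this page as the only access an attacker needs.
AMT_PORTS = {16992, 16993}

# Assumption: a dedicated management VLAN is the only approved source for AMT traffic.
MGMT_NETS = [ipaddress.ip_network("10.50.0.0/24")]

# Constructed sample flow records (hypothetical format): time src dst dport action
SAMPLE_FLOWS = """\
2017-05-05T09:00:01 10.50.0.12 10.20.1.44 16992 ALLOW
2017-05-05T09:00:07 10.20.3.91 10.20.1.44 16992 ALLOW
2017-05-05T09:01:15 10.20.3.91 10.20.1.45 16993 DENY
2017-05-05T09:02:30 192.0.2.77 10.20.1.46 16993 ALLOW
2017-05-05T09:03:02 10.20.3.91 10.20.1.44 443 ALLOW
malformed line
"""

def is_management(src):
    """True if src belongs to an approved management network."""
    addr = ipaddress.ip_address(src)  # raises ValueError on a bad address
    return any(addr in net for net in MGMT_NETS)

def find_amt_exposure(log_text):
    """Map each destination to the (src, port) pairs that reached AMT from unapproved sources."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _, src, dst, dport, action = fields
        if not dport.isdigit() or int(dport) not in AMT_PORTS:
            continue  # not AMT traffic
        if action != "ALLOW":
            continue  # blocked attempts are not exposure; alert on them separately
        try:
            if is_management(src):
                continue  # approved management source
        except ValueError:
            continue  # unparseable source address
        exposed[dst].add((src, int(dport)))
    return {dst: sorted(pairs) for dst, pairs in exposed.items()}

if __name__ == "__main__":
    for dst, pairs in sorted(find_amt_exposure(SAMPLE_FLOWS).items()):
        for src, port in pairs:
            print(f"{dst}: AMT port {port} reachable from {src}")
```

Every destination it reports is a machine whose AMT interface accepted traffic from a source that should be filtered at the network layer.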

Among all of the Intel AMT functions that the vulnerability exposes, we can distinguish the most important:

  • Remote control of mouse/keyboard/monitor;
  • Remotely change the boot device;
  • Power on and off as well as reboot and reset the computer.

We hope that in the future no such vulnerabilities will emerge at the firmware level. There are several code execution levels in a computer system’s environment. The highest is the user level, where users interact with applications that have minimal privileges. The lowest is Intel ME, which has the most privileges and can cause the most damage.

The age of smart devices is advancing at a rapid pace. We hope that device and firmware developers understand the importance of security, because shattering consumers’ confidence is a perilous endeavor.