An F-Secure security researcher has found a way to use Intel’s Active Management Technology (AMT) to bypass BIOS passwords, BitLocker credentials, and TPM PINs and gain access to previously secured corporate computers.

Only laptops and computers on which Intel AMT has been provisioned (configured) are vulnerable, according to F-Secure security researcher Harry Sintonen, who claims to have discovered the issue last July.

Intel AMT is a feature of Intel CPUs that allows system administrators of larger networks to perform remote out-of-band management of personal computers in order to monitor, maintain, update, or perform upgrades from afar, without physical access to devices.

Attackers can boot via MEBx and bypass other login systems

Sintonen says that computers on which AMT has been configured without an AMT password are vulnerable.

He says a malicious actor with access to the device can press CTRL+P during the boot-up process and select the Intel Management Engine BIOS Extension (MEBx) for the boot-up routine, effectively bypassing any previous BIOS, BitLocker, or TPM logins.

A MEBx password is required, but Sintonen says that in most cases companies do not change the default, which is “admin.”

The attacker may then change the default password, enable remote access, and set AMT’s user opt-in to “None.” The attacker can now gain remote access to the system from both wireless and wired networks, as long as they’re able to insert themselves onto the same network segment as the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA…
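
For defenders, one way to spot the end state described above (AMT remote access switched on for a machine nobody meant to manage) is to check which of your own hosts answer on AMT's network ports and compare that with the list IT provisioned on purpose. This is an added example, not code from F-Secure or Intel; ports 16992 and 16993 are AMT's standard web-interface ports and are not mentioned in the article, and the host names, the `provisioned` list and the function names are made up for illustration.

```python
import socket

# Intel AMT's standard web-interface ports (HTTP and TLS); not from the article.
AMT_PORTS = (16992, 16993)


def amt_listeners(host, ports=AMT_PORTS, timeout=1.0):
    """Return the ports on `host` that accept a TCP connection."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            pass  # closed, filtered, unreachable, or name did not resolve
    return found


def audit(hosts, provisioned, probe=amt_listeners):
    """Compare what answers on the network with what IT provisioned.

    hosts       -- machines you administer and are allowed to probe
    provisioned -- hosts where AMT was set up deliberately (hypothetical list)
    Returns {host: (finding, ports)} for hosts that need a look.
    """
    findings = {}
    for host in hosts:
        ports = probe(host)
        if ports and host not in provisioned:
            # AMT answers where nobody set it up: the state left behind
            # when remote access is switched on through MEBx.
            findings[host] = ("unexpected-amt", ports)
        elif not ports and host in provisioned:
            # May simply be off the network; worth confirming.
            findings[host] = ("provisioned-but-silent", [])
    return findings


if __name__ == "__main__":
    # Constructed observations standing in for a live probe.
    observed = {"lt-001": [16992], "lt-002": [], "lt-003": [16992, 16993]}
    result = audit(observed, provisioned={"lt-003"}, probe=lambda h: observed[h])
    for host, (finding, ports) in sorted(result.items()):
        print(host, finding, ports)
```

The probe has to run from another machine on the network, because the management engine handles this traffic below the operating system of the laptop being checked.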