Whew, what a month in computer security. You’re likely familiar with the massive computer chip flaws that can impact chips from every major manufacturer – ARM, AMD and Intel. This puts almost every computer, smartphone and tablet at risk of these attacks.
However, a new security issue has been revealed in Intel computers and it can give an attacker full remote access to your machine without even the need for special skills nor malware tools. All it takes is a simple reboot of your machine.
The weakness was discovered by F-Secure senior security consultant Harry Sintonen back in July 2017 and it was publicly disclosed on January 12.
This is a totally different issue apart from the massive Meltdown and Spectre chip flaws and the similar AMT hack discovered back in May.
What is this deceptively simple hacking technique and what can you do to protect your computer against it?
This new attack is dubbed “Evil Maid” and it can reportedly give an attacker complete remote control over your Intel-based computer with just a few seconds of physical access to a laptop or workstation.
A would-be hacker won’t even need special tools or software to execute the attack. All it takes is a simple exploit of management tools built into most Intel-based computers.
Here’s how it can be set up and it’s bafflingly unsophisticated. An attacker can simply walk to a target machine, shut it down and reboot it, enter the computer’s boot menu then simply enter Intel’s Active Management Technology (AMT) feature by logging in with the default password “admin.”
Note: AMT is commonly used by IT administrators to remotely access Intel-based computers for support, maintenance and software updates. Additionally, AMT allows for remote control of a computer’s mouse and keyboard even when it’s off.
Normally, a BIOS password will protect a computer from harmful local attacks but according to Sintonen, most users are not aware that setting a BIOS password does not protect Intel’s AMT feature. Oftentimes, users and even IT administrators neglect to change the AMT password from the factory default since it’s not readily apparent.
All an attacker needs now to remotely control the machine is to set his or her own password, enable remote access and set AMT’s user opt-in to “None.”
This means as long as an attacker is on the same network as the target computer they can effectively have full control over the machine.
You may think that this attack may not have real-world consequences but think about it – in publicly shared Wi-Fi networks like the ones in airports, hotels, coffee shops or restaurants, an attacker can simply walk to your laptop, reboot it, change the AMT settings and have complete remote control over it. (Hence the name “Evil Maid”).
“Attackers have identified and located a target they wish to exploit. They approach the target in a public place – an airport, a café or a hotel lobby – and engage in an ‘evil maid’ scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time – the whole operation can take well under a minute to complete,” Sintonen explained.
How to protect your computers
First, check if your computer is AMT enabled. These are typically the Intel vPro based machines with Intel Centrino and Intel Core 2 processors. Not sure? Check for the vPro badge on your computer’s “Intel Inside” stickers.
Now, since a hacker will still need physical access to a computer to execute this attack, it is advised that you not leave your affected laptop unattended in an unsecured location, especially in public spaces, not even for a few minutes.
Also, avoid leaving your laptops unattended in hotel rooms, too, since anyone with rudimentary computer skills can simply turn it on and change the AMT settings.
For real protection, set a strong password for AMT or disable it completely. Intel has a number of recommendations for network administrators for securing AMT so if you’re managing multiple network computers, please check this page for your options.
However, for small to large businesses with a sizeable number of workstations, these mitigations may require mass-scale network reconfigurations since they can’t be done remotely.
Windows chip flaw patch is crashing some PCs, making them unbootable
Here’s another computer problem that you need to know about. It appears that Microsoft’s Windows patch against the recently discovered Meltdown chip flaw is crashing certain PCs. Click here to learn why.