
New Intel AMT Security Issue Lets Hackers Gain Full Control of Laptops in 30 Seconds

It has been a terrible start to the new year for Intel.

Researchers warn of a new attack which can be carried out in less than 30 seconds and potentially affects millions of laptops globally.

As Intel was rushing to roll out patches for Meltdown and Spectre vulnerabilities, security researchers have discovered a new critical security flaw in Intel hardware that could allow hackers to access corporate laptops remotely.

Finnish cyber security firm F-Secure reported unsafe and misleading default behaviour within Intel Active Management Technology (AMT) that could allow an attacker to bypass login processes and take complete control over a user’s device in less than 30 seconds.

AMT is a feature of Intel-based chipsets that gives IT administrators and managed service providers greater control over their device fleets, allowing them to remotely manage and repair the PCs, workstations and servers in their organisation.

The bug allows anyone with physical access to the affected laptop to bypass the need to enter login credentials—including user, BIOS and BitLocker passwords and TPM pin codes—enabling remote administration for post-exploitation.

In general, setting a BIOS password prevents an unauthorised user from booting up the device or making changes to the boot-up process. But this is not the case here.

The password does not prevent unauthorised access to the AMT BIOS extension, so an attacker can configure AMT and make remote exploitation possible.

Although researchers have discovered some severe AMT vulnerabilities in the past, the recently discovered issue is of particular concern because it:

  • is easy to exploit without a single line of code,
  • affects most Intel corporate laptops, and
  • could enable attackers to gain remote access to the affected system for later exploitation.

“The attack is almost deceptively simple to enact, but it has incredible destructive potential,” said F-Secure senior security researcher Harry Sintonen, who discovered the issue in July last year.

“In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

According to the researchers, the newly discovered bug has nothing to do with the Spectre and Meltdown vulnerabilities recently found in the microchips used in almost all PCs, laptops, smartphones and tablets today.

Here’s How to Exploit this AMT Issue

To exploit this issue, all an attacker with physical access to a machine protected by login and BIOS passwords needs to do is reboot or power up the targeted PC and press CTRL-P during boot-up, as F-Secure researchers demonstrated in a video.

The attacker then can log into Intel Management Engine BIOS Extension (MEBx) with a default password.

Here, the default password for MEBx is “admin,” which most likely remains unchanged on most corporate laptops.

Once logged in, the attacker can then change the default password and enable remote access, and even set AMT’s user opt-in to “None.”

Now that the attacker has effectively backdoored the machine, they can access it remotely by connecting to the same wireless or wired network as the victim.

Although exploiting the issue requires physical access, Sintonen explained that the speed at which it can be carried out makes it easily exploitable, adding that even a minute's distraction of the target from their laptop is enough to do the damage.

“Attackers have identified and located a target they wish to exploit. They approach the target in a public place—an airport, a café or a hotel lobby—and engage in an ‘evil maid’ scenario,” Sintonen says.

Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time—the whole operation can take well under a minute to complete.

Along with the CERT Coordination Center in the United States, F-Secure has notified Intel and all relevant device manufacturers about the security issue and urged them to address it urgently.

Meanwhile, users and IT administrators in an organisation are recommended to change the default AMT password of their device to a strong one or disable AMT if this option is available, and never leave their laptop or PC unattended in a public place.
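A practical complement to that advice is to find out where AMT is actually reachable on the corporate network, since a laptop whose MEBx was reconfigured as described above will start answering on Intel's management ports. The following added example (not code from the article, F-Secure or Intel) parses nmap grepable (-oG) output and flags hosts with AMT ports open that are not on an approved list; it also recognises the Server header the AMT embedded web server returns. The port numbers are Intel's documented AMT ports; the host addresses, names and scan lines are constructed samples.

```python
"""Fleet check for Intel AMT management interfaces reachable on the network.

Added example (not from the article or from F-Secure/Intel): parses nmap -oG
style lines (constructed sample below) and reports hosts with the TCP/UDP ports
Intel AMT listens on. Port numbers are Intel's documented AMT ports; the hosts
and the scan text are invented for the demonstration.
"""
import re

# Ports used by Intel AMT / ASF out-of-band management.
AMT_PORTS = {
    623: "ASF/RMCP (out-of-band management)",
    664: "ASF/RMCP secure",
    16992: "AMT web UI / WS-Management (HTTP)",
    16993: "AMT web UI / WS-Management (HTTPS)",
    16994: "AMT redirection (SOL / IDE-R)",
    16995: "AMT redirection (TLS)",
}

# Constructed sample in nmap grepable (-oG) format; hosts and names are made up.
SAMPLE_SCAN = """\
Host: 10.20.0.11 (fin-lpt-01)\tPorts: 22/open/tcp//ssh///, 16992/open/tcp//amt-soap-http///, 16994/open/tcp//amt-redir-tcp///
Host: 10.20.0.12 (fin-lpt-02)\tPorts: 22/open/tcp//ssh///
Host: 10.20.0.13 (fin-lpt-03)\tPorts: 623/open/udp//asf-rmcp///, 16993/open/tcp//amt-soap-https///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
PORT_RE = re.compile(r"(\d+)/open/(?:tcp|udp)")


def parse_grepable(scan_text):
    """Return {ip: {"name": hostname, "open": set of open port numbers}}."""
    hosts = {}
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # status-only lines carry no port data
        ip, name = m.group(1), m.group(2)
        hosts[ip] = {"name": name, "open": {int(p) for p in PORT_RE.findall(line)}}
    return hosts


def amt_exposed(hosts, allowlist=frozenset()):
    """List (ip, name, sorted AMT ports) for hosts not approved to expose AMT."""
    findings = []
    for ip, info in hosts.items():
        hit = sorted(info["open"] & set(AMT_PORTS))
        if hit and ip not in allowlist:
            findings.append((ip, info["name"], hit))
    return findings


def is_amt_banner(http_head):
    """True if an HTTP response header block comes from the AMT embedded web
    server, which identifies itself as Intel(R) Active Management Technology."""
    for line in http_head.splitlines():
        low = line.lower()
        if low.startswith("server:") and "active management technology" in low:
            return True
    return False


if __name__ == "__main__":
    for ip, name, ports in amt_exposed(parse_grepable(SAMPLE_SCAN)):
        labels = ", ".join(f"{p} ({AMT_PORTS[p]})" for p in ports)
        print(f"{ip} {name}: AMT reachable on {labels}")
```

Feed it the output of a scheduled `nmap -oG` sweep of the client subnets; any laptop that appears with AMT ports open but was never provisioned by IT is a candidate for the MEBx inspection and password change the article recommends.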

OnePlus Left A Backdoor That Allows Root Access Without Unlocking Bootloader


More terrible news for OnePlus users.

Just over a month after OnePlus was caught collecting personally identifiable information on its users, the Chinese smartphone company has been found leaving a backdoor on almost all OnePlus handsets.

A Twitter user who goes by the name “Elliot Anderson” (after Mr. Robot’s main character) discovered a backdoor in all OnePlus devices running OxygenOS that could allow anyone to obtain root access to the devices.

The application in question is “EngineerMode,” a diagnostic testing application made by Qualcomm for device manufacturers to easily test all hardware components of the device.

This APK comes pre-installed (apparently left behind by accident) on most OnePlus devices, including the OnePlus 2, 3, 3T and the newly launched OnePlus 5. We can confirm its existence on the OnePlus 2, 3 and 5.

You can check whether this application is installed on your OnePlus device: go to Settings, open Apps, enable “Show system apps” from the top-right (three-dot) menu and search the list for EngineerMode.


If it’s there, anyone with physical access to your device can exploit EngineerMode to gain root access on your smartphone.

EngineerMode is designed to diagnose GPS issues, check the root status of the device, perform a series of automated ‘production line’ tests, and more.

After decompiling the EngineerMode APK, the Twitter user found a ‘DiagEnabled’ activity which, if opened with a specific password (“Angela”, recovered by reverse engineering), allows users to gain full root access on the smartphone—without even unlocking the bootloader.

Although the chance that this application has already been exploited in the wild is probably low, it is a serious security concern for OnePlus users, as root access can be obtained by anyone with a simple command.


Moreover, with root access in hand, an attacker can perform many dangerous tasks on the victim’s OnePlus phone, including stealthily installing sophisticated spying malware that is difficult to detect or remove.

Meanwhile, to protect their devices, OnePlus owners can disable this root path on their phones. To do so, run the following commands in an ADB shell:

    setprop persist.sys.adb.engineermode 0
    setprop persist.sys.adbroot 0

or dial the code *#8011#.
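For anyone managing more than one handset, the same check is easier to script than to do by hand. The following added example (not code from the article, OnePlus or Qualcomm) parses the text that `adb shell getprop` and `adb shell pm list packages` print and reports whether the two properties the article names are still non-zero and whether an EngineerMode package is present. The sample outputs are constructed; because the article does not give the package's full name, matching on the substring "engineermode" is an assumption.

```python
"""Audit a OnePlus device's adb-visible state for the EngineerMode root path.

Added example (not from the article, OnePlus or Qualcomm). It parses the output
of `adb shell getprop` (lines of the form [key]: [value]) and of
`adb shell pm list packages` (lines of the form package:<name>). The sample
texts below are constructed; the package name is a placeholder, and matching
"engineermode" as a substring is an assumption because the article names only
the APK, not its package id.
"""
import re

# Properties the article's remediation sets to 0.
ROOT_PROPS = ("persist.sys.adb.engineermode", "persist.sys.adbroot")

# Constructed sample of `adb shell getprop` output.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.1.1]
[ro.product.model]: [ONEPLUS EXAMPLE]
[persist.sys.adb.engineermode]: [1]
[persist.sys.adbroot]: [1]
[sys.usb.state]: [mtp,adb]
"""

# Constructed sample of `adb shell pm list packages` output (placeholder names).
SAMPLE_PACKAGES = """\
package:com.android.settings
package:com.example.engineermode
package:com.example.launcher
"""

GETPROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn getprop output into a {key: value} dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_packages(text):
    """Extract package ids from `pm list packages` output."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")]


def audit_device(getprop_text, packages_text):
    """Report enabled root-path properties, EngineerMode-like packages and the
    setprop commands needed to turn the properties off."""
    props = parse_getprop(getprop_text)
    # A property that is unset or "0" is not a finding.
    enabled = {p: props[p] for p in ROOT_PROPS if props.get(p, "0") not in ("", "0")}
    em_pkgs = [p for p in parse_packages(packages_text) if "engineermode" in p.lower()]
    return {
        "root_props_enabled": enabled,
        "engineermode_packages": em_pkgs,
        "remediation": [f"adb shell setprop {p} 0" for p in enabled],
    }


if __name__ == "__main__":
    # On a live device replace the samples with the real command output.
    for key, value in audit_device(SAMPLE_GETPROP, SAMPLE_PACKAGES).items():
        print(f"{key}: {value}")
```

Note that `setprop` on a `persist.` property survives reboots, so once the audit reports both properties as 0 the change sticks; re-run the audit after any OxygenOS update, since an update can reinstall the APK.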

In response to this issue, OnePlus co-founder Carl Pei said that the company is looking into the matter.

The Twitter user has promised to release a one-click rooting app for OnePlus devices using this exploit. We will update the article as soon as it is available.

OnePlus Secretly Collects Way More Data Than It Should — Here’s How to Disable It


There is terrible news for all OnePlus lovers.

Your OnePlus handset, running OxygenOS (the company’s custom version of the Android operating system), is collecting far more data on its users than it needs.

A blog post published today by security researcher Christopher Moore details the data collection practices of the Shenzhen-based Chinese smartphone maker, revealing that the analytics built into OxygenOS regularly send users’ data to OnePlus’ servers.

Collecting basic device data is a usual practice among software makers and device manufacturers, who use it to identify, analyse and fix software issues and improve the quality of their products, but OnePlus was found to be collecting user identification information as well.

Moore intercepted his OnePlus device’s network traffic to analyse what data it sends to the company’s servers, and found that the collected data included:

  • User’s phone number
  • MAC addresses
  • IMEI and IMSI codes
  • Mobile network name(s)
  • Wireless network ESSID and BSSID
  • Device serial number
  • Timestamp when the user locks or unlocks the device
  • Timestamp when the user opens and closes an application on the phone
  • Timestamp when the user turns the phone screen on or off

The above information is clearly enough to identify any OnePlus user.
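The way to reach a finding like Moore's is to capture the app's traffic and check each field against the shapes identifiers take. The following added example (not code from Moore's post or from OnePlus) audits a few constructed JSON telemetry events of the kind the list above describes: it classifies values as MAC addresses, E.164 phone numbers or 15-digit IMEI/IMSI codes (using the Luhn check digit that IMEIs carry to tell the two apart), and then shows how a stable serial number links lock/unlock and app events back to one device. Field names and all values are invented for the demonstration.

```python
"""Audit intercepted analytics payloads for device and user identifiers.

Added example, not from Christopher Moore's write-up or from OnePlus. The JSON
events below are constructed to resemble the field types the article lists
(phone number, IMEI/IMSI, MAC address, serial number, lock/unlock and app-event
timestamps). The field names are assumptions; every value is invented.
"""
import json
import re

# Constructed sample: three events as they might be captured with an
# intercepting proxy. The IMEI is the well-known Luhn-valid example value.
SAMPLE_EVENTS = [
    '{"event":"device_info","serial":"A1B2C3D4E5","imei":"490154203237518",'
    '"imsi":"310260123456789","phone":"+15555550123","wifi_mac":"02:00:5e:10:00:01"}',
    '{"event":"screen","state":"unlock","ts":1507800000123,"serial":"A1B2C3D4E5"}',
    '{"event":"app","name":"com.example.bank","action":"open","ts":1507800030456,'
    '"serial":"A1B2C3D4E5"}',
]

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
E164_RE = re.compile(r"^\+[1-9]\d{7,14}$")
DIGITS15_RE = re.compile(r"^\d{15}$")


def luhn_ok(digits):
    """Luhn check used by IMEIs (15 digits, the last one a check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value):
    """Label a string as an identifier class, or None if it looks like nothing."""
    if not isinstance(value, str):
        return None
    if MAC_RE.match(value):
        return "mac-address"
    if E164_RE.match(value):
        return "phone-number"
    if DIGITS15_RE.match(value):
        # IMEIs carry a Luhn check digit; IMSIs are 15 digits without one.
        return "imei" if luhn_ok(value) else "imsi-or-imei"
    return None


def find_identifiers(raw_event):
    """Return {field: class} for identifier-like fields in one JSON event."""
    event = json.loads(raw_event)
    found = {}
    for key, value in event.items():
        cls = classify_value(value)
        if cls:
            found[key] = cls
    return found


def link_events(raw_events, key="serial"):
    """Group event names by a shared stable identifier: this is how a 'device id'
    ties screen and app activity back to a single user."""
    linked = {}
    for raw in raw_events:
        ev = json.loads(raw)
        if key in ev:
            linked.setdefault(ev[key], []).append(ev["event"])
    return linked


def audit(raw_events):
    """Summarise identifier fields seen and the activity linked to each device id."""
    ids = {}
    for raw in raw_events:
        ids.update(find_identifiers(raw))
    return {"identifier_fields": ids, "linked": link_events(raw_events)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit(SAMPLE_EVENTS))
```

The serial number itself matches no pattern, which is the point of the second half: an innocuous-looking field becomes a tracking key as soon as it appears on every event, so an audit has to look at linkage across messages and not only at individual values.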

“Wow, that is quite a bit of information about my device, even more of which can be tied directly back to me by OnePlus and other entities,” Moore said.

“It gets even worse. These event data contain timestamps of which activities were fired up in which applications, again stamped with the phone’s serial number.”

Moreover, there’s no direct option available to disable this data collection behaviour.

This same issue was also publicly reported to OnePlus in July last year by another security researcher and software engineer, who goes by the online moniker “Tux,” but the problem got ignored by OnePlus as well as others.

Moore also reported the issue to OnePlus support, but the team did not offer a solution, and OnePlus has not yet responded.

However, the good news is that Jakub Czekański, an Android developer, today introduced a permanent solution to disable this data collection practice even without rooting your smartphone.

You can connect your OnePlus device to a computer with USB debugging enabled, open an adb shell and run the following command to get rid of OnePlus’ excess data collection:

    pm uninstall -k --user 0 net.oneplus.odm
