
A Security Issue in Intel’s Active Management Technology - buovjaga
https://business.f-secure.com/intel-amt-security-issue
======
luckydude
This doesn't seem like an exploit to me, it seems like saying that your WIFI
AP has a security flaw because you didn't change the default password from
admin/admin.

And it is worse than that, you have to have physical access to the machine. If
you give a hacker physical access to a machine it's pretty much toast.

Am I missing something or is this just clickbait?

~~~
rhubarbtse
It's about enabling a backdoor of sorts in your laptop behind your back.

Let's say you're at a hotel with your laptop. It has full device encryption
enabled and the BIOS is protected with a password and it has all the shebangs
to protect your laptop -- so you should be safe, right?

Someone distracts you for 30 seconds while an accomplice backdoors your laptop
with this vulnerability.

Five minutes later while you're happily browsing Hacker News with your laptop
using the hotel WIFI, the attacker has full and unrestricted access to your
laptop via the very same hotel WIFI.

~~~
adtac
The number zero rule in security is that if a malicious adversary has physical
access to your device, all bets are off.

~~~
luckydude
What adtac said. If I let someone have physical access to any computer I own I
fully expect to be compromised.

And here the issue is, as I understand it, I would have had to have left that
AMT part in place with a default password. I get that it is geeky and maybe
there should be a process where when you buy a new laptop they set the
password to some unique thing and give you a sticky note with the password on
it. I get that a lot of people won't know to change the management password,
but that's an educational issue, just like people had to be taught to not use
"1234" or "admin" as their login password.

Still seems like an overhyped issue but I guess that is part of the
educational process.

I don't feel like this rises to the level of Meltdown or Spectre.

~~~
cjcampbell
I understand your sentiment, but I would argue that this is a flaw. Vendors
need to account for users' ability to notice and assess these sorts of
details. While it's true that most/all defenses eventually fail to a
determined attacker with unrestricted physical access, most users wouldn't
suspect it'd be so easy for someone to orchestrate the attack in their
presence without attracting notice.

Leaving AMT enabled with a default local password when it hasn't been
explicitly provisioned is an oversight by the system manufacturers. Expecting
users (particularly outside the enterprise environment) to discover the
necessary security precautions (without any notable cues) is a problem.

Education may be a short-term solution, but it's no substitute for repairing
the user experience, e.g., by disabling unused AMT features (and preventing
them from being reenabled without authenticated access to a pre-boot or other
system management environment). Save AMT security for the subset of system
owners that need to take advantage of the feature.

~~~
luckydude
As I said elsewhere, I agree, the web server shouldn't be enabled with a
default password.

------
oelmekki
So, if I understand correctly, it allows bypassing the BIOS password? Are there
people relying on those? I may understand it's a bit more secure on a laptop,
but on a desktop you just have to remove BIOS battery to reset the password,
anyway. Better encrypt disks and rely on OS authentication (plus, it's easier
to do for non-experts).

EDIT: on second reading, I realize the real problem of the thing is to allow
for remote control, provided one can access machine ports.

~~~
als0
Does a modern laptop still depend on CMOS battery for anything other than an
RTC? I thought all BIOS variables today are stored on SPI flash.

~~~
omgtehlion
If you have access to the battery then you have access to the flash chip as
well. Using the right clamp (SOP8 usually) you can reflash the thing in a matter
of seconds (I did).

------
a2tech
The security issue is rebooting the machine and logging in with the default
admin password? That's really not a 'vulnerability'.

~~~
tinus_hn
Even if you have a BIOS password and everything locked down, the attacker
can actually lock you out or quickly give themselves a backdoor. The problem
is that there are a million ways in, they're open by default and it is really
hard to keep track of everything you have to lock down, and the manufacturers
keep adding new ones while you're not looking.

The right way for the manufacturers to set this up is

* Everything locked down by default

* One master password for complete control

* Using the master password you can delegate control for users, technicians, applications etc.

* If you forget the master password you can reset it using a switch or something you cannot access without opening up the machine which you cannot do while it is physically locked

But in reality there's all these management 'solutions' that have to be on by
default and then there are the anti theft solutions, the secure boot
restrictions, the 'trusted' platform, the list goes on. And then for the
master password there's of course a backdoor password the helpdesk people can
get if you can convince them the laptop is yours and you just forgot the
password.

~~~
ComodoHacker
> The right way for the manufacturers to set this up is

Isn't this the case here? You have master password and you can change it
provided physical access.

~~~
tinus_hn
It's more like an override, provided by a feature many people don't use. If
they were using it they'd probably change the password from 'admin'.

You can't add a backdoor with a password and then claim that's the new master
password.

------
tedunangst
> By selecting Intel’s Management Engine BIOS Extension (MEBx)

Where and how do I do that?

~~~
jlgaddis
On a Dell, try CTRL-P when the Dell logo is showing.

Used to work on Optiplex machines, I don't have any other Dells to try it on.

------
glandium
Note there are documented ways to reset that password even if it's not
"admin", e.g.
[http://www.dell.com/support/article/us/en/04/sln49505/how-to...](http://www.dell.com/support/article/us/en/04/sln49505/how-to-reset-the-mebx-password-kb-article-334711?lang=en)

------
acd
I want to be able to buy devices and CPUs without these so-called management
features, about 100% of which turn out to have security holes.

If it can be hacked it will be hacked.

------
anonymousjunior
Am I the only one with IAM fatigue at this point? Feels like we get a headline
like this at a rate of one a week now.

------
mistaken
No shit, Sherlock. You can log in with the default password.

