And it is worse than that: you have to have physical access to the machine. If you give a hacker physical access to a machine, it's pretty much toast.
Am I missing something or is this just clickbait?
Let's say you're at a hotel with your laptop. It has full device encryption enabled and the BIOS is protected with a password and it has all the shebangs to protect your laptop -- so you should be safe, right?
Someone distracts you for 30 seconds while an accomplice backdoors your laptop with this vulnerability.
Five minutes later, while you're happily browsing Hacker News with your laptop using the hotel Wi-Fi, the attacker has full and unrestricted access to your laptop via the very same hotel Wi-Fi.
And here the issue is, as I understand it, I would have had to have left that AMT part in place with a default password. I get that it is geeky and maybe there should be a process where when you buy a new laptop they set the password to some unique thing and give you a sticky note with the password on it. I get that a lot of people won't know to change the management password, but that's an educational issue, just like people had to be taught to not use "1234" or "admin" as their login password.
Still seems like an overhyped issue, but I guess that is part of the educational process.
I don't feel like this rises to the level of Meltdown or Spectre.
Leaving AMT enabled with a default local password when it hasn't been explicitly provisioned is an oversight by the system manufacturers. Expecting users (particularly outside the enterprise environment) to discover the necessary security precautions (without any notable cues) is a problem.
Education may be a short-term solution, but it's no substitute for repairing the user experience, e.g., by disabling unused AMT features (and preventing them from being re-enabled without authenticated access to a pre-boot or other system management environment). Save AMT security for the subset of system owners that need to take advantage of the feature.
What about if you're sleeping?
That said, it's a silly argument. If you don't secure your devices then you're gonna have a bad time. Just a fact of life, it's always been that way. Give a hacker physical access to a box and enough time and they are getting in. I do it routinely if I forgot a root password: boot Knoppix, fix the root password on the boot disk, reboot.
It is not unreasonable for someone to expect setting up a BIOS password to mean all management functions should require it. Unfortunately, reality is such that, depending on platform, the answer will be, "oh, you meant those management functions, too. Yeah, no, you also have to stick a password there."
So yes, this falls under "documented behavior." It also falls under "unfriendly, annoying complexity that shouldn't be foisted on non-professional users", and possibly worse.
It all goes back to the ME being forced down everyone's throats. It means continued insecurity everywhere; the same deal with AMD means no choice. I'd love to see a foreign competitor - at least then one would be able to choose who sniffs their panties.
Most recently, with a home storage system. I built it some time back, and later, after moving stuff around, switched the network port I had it plugged into. I monitor my own network, including IP sweeps, which is the only reason I noticed the SuperMicro motherboard had grabbed a second IP address and was running a ME webapp with a default password.
Now, on one hand, I should have read the manual. Building a machine from components requires a certain degree of paying attention, and I didn't. On the other hand, this is an absurd default. In 2018, no system should ship out of the box with a giant Root Me Please! welcome mat.
EDIT: on second reading, I realize the real problem of the thing is to allow for remote control, provided one can access machine ports.
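The IP-sweep monitoring described in the storage-system comment above is the kind of check that catches an unprovisioned ME/BMC interface. As an added example (not code from anyone in this thread), the script below compares a known-host inventory against a constructed sweep result and flags unknown hosts, plus any host exposing out-of-band management ports; the port-to-service map (Intel AMT on TCP 16992-16995, IPMI on UDP 623) and all sample addresses are the example's own assumptions.

```python
# Added example: triage an IP-sweep result against a host inventory and flag
# out-of-band management services (AMT/IPMI) that nobody deliberately set up.
from dataclasses import dataclass

# Standard out-of-band management ports (assumption of this example; extend as needed).
MGMT_PORTS = {
    16992: "Intel AMT HTTP",
    16993: "Intel AMT HTTPS",
    16994: "Intel AMT redirection (SOL/IDE-R)",
    16995: "Intel AMT redirection over TLS",
    623: "IPMI/RMCP (BMC)",
}


@dataclass(frozen=True)
class Finding:
    ip: str
    reason: str


def _describe(ports):
    return ", ".join(f"{p} ({MGMT_PORTS[p]})" for p in sorted(ports))


def triage_sweep(baseline, sweep):
    """baseline: {ip: description} of hosts you know about.
    sweep: {ip: set of open ports} from a scan. Returns a list of Finding,
    ordered by IP string, covering unknown hosts and exposed management ports."""
    findings = []
    for ip, ports in sorted(sweep.items()):
        mgmt = [p for p in ports if p in MGMT_PORTS]
        if ip not in baseline:
            if mgmt:
                findings.append(Finding(ip, f"unknown host exposing {_describe(mgmt)}"))
            else:
                findings.append(Finding(ip, "unknown host (not in inventory)"))
        elif mgmt:
            findings.append(Finding(ip, f"known host '{baseline[ip]}' exposing {_describe(mgmt)}"))
    return findings


# Constructed sample data: the storage box's BMC grabbed its own DHCP lease (.57),
# the laptop has AMT listening, and .80 is simply a host nobody inventoried.
BASELINE = {"192.168.1.10": "storage box (main NIC)", "192.168.1.20": "laptop"}
SWEEP = {
    "192.168.1.10": {22, 445},
    "192.168.1.20": {22, 16992},
    "192.168.1.57": {80, 443, 623},
    "192.168.1.80": {8080},
}

if __name__ == "__main__":
    for f in triage_sweep(BASELINE, SWEEP):
        print(f"{f.ip}: {f.reason}")
```

A new address with 623 or 16992 open on a home LAN is exactly the "second IP address running a management webapp" symptom; confirm it by checking which MAC/switch port it sits on before assuming it is a stranger's device.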
Having a BIOS password was already one of the mitigations for the Intel AMT-related security issue discovered not too long ago.
The right way for the manufacturers to set this up is
* Everything locked down by default
* One master password for complete control
* Using the master password you can delegate control for users, technicians, applications etc.
* If you forget the master password you can reset it using a switch or something you cannot access without opening up the machine, which you cannot do while it is physically locked
But in reality there's all these management 'solutions' that have to be on by default and then there are the anti theft solutions, the secure boot restrictions, the 'trusted' platform, the list goes on. And then for the master password there's of course a backdoor password the helpdesk people can get if you can convince them the laptop is yours and you just forgot the password.
Isn't this the case here? You have a master password and you can change it provided physical access.
You can't add a backdoor with a password and then claim that's the new master password.
But it does feel a bit rich to describe physical access and a default password as the stuff of a security professional's "worst nightmares". "Physical access means control" has been a standard assumption for years, and this really just constitutes a failure to secure all login channels. It's a particularly silly description when Spectre and Meltdown are busy being actual "worst nightmares" threats.
As far as nightmares are concerned, I suppose it depends on the anxieties of the particular security professional. ;)
Where and how do I do that?
Used to work on Optiplex machines, I don't have any other Dells to try it on.
If it can be hacked it will be hacked.