Hacker News
A Security Issue in Intel’s Active Management Technology (business.f-secure.com)
143 points by buovjaga a year ago | 33 comments

This doesn't seem like an exploit to me, it seems like saying that your WIFI AP has a security flaw because you didn't change the default password from admin/admin.

And it is worse than that, you have to have physical access to the machine. If you give a hacker physical access to a machine it's pretty much toast.

Am I missing something or is this just clickbait?

It's about enabling a backdoor of sorts in your laptop behind your back.

Let's say you're at a hotel with your laptop. It has full device encryption enabled and the BIOS is protected with a password and it has all the shebangs to protect your laptop -- so you should be safe, right?

Someone distracts you for 30 seconds while an accomplice backdoors your laptop with this vulnerability.

Five minutes later while you're happily browsing Hacker News with your laptop using the hotel WIFI, the attacker has full and unrestricted access to your laptop via the very same hotel WIFI.

The number zero rule in security is that if a malicious adversary has physical access to your device, all bets are off.

The number negative-one rule in security is defense-in-depth. Even when you have a layer where a breach is considered catastrophic (physical access, behind the firewall...), you still add whatever measures you can to mitigate the potential impact.

So, no use of Apple/Chrome asking for system passwords to see other saved passwords?

That's to prevent your average Joe from swiping your password.

What adtac said. If I let someone have physical access to any computer I own I fully expect to be compromised.

And here the issue is, as I understand it, I would have had to have left that AMT part in place with a default password. I get that it is geeky and maybe there should be a process where when you buy a new laptop they set the password to some unique thing and give you a sticky note with the password on it. I get that a lot of people won't know to change the management password, but that's an educational issue, just like people had to be taught to not use "1234" or "admin" as their login password.

Still seems like an overhyped issue but I guess that is part of the educational process.

I don't feel like this rises to the level of Meltdown or Spectre.

I understand your sentiment, but I would argue that this is a flaw. Vendors need to account for users' ability to notice and assess these sorts of details. While it's true that most/all defenses eventually fail to a determined attacker with unrestricted physical access, most users wouldn't suspect it'd be so easy for someone to orchestrate the attack in their presence without attracting notice.

Leaving AMT enabled with a default local password when it hasn't been explicitly provisioned is an oversight by the system manufacturers. Expecting users (particularly outside the enterprise environment) to discover the necessary security precautions (without any notable cues) is a problem.

Education may be a short-term solution, but it's no substitute for repairing the user experience, e.g., by disabling unused AMT features (and preventing them from being reenabled without authenticated access to a pre-boot or other system management environment). Save AMT security for the subset of system owners that need to take advantage of the feature.

As I said elsewhere, I agree, the web server shouldn't be enabled with a default password.

>If I let someone have physical access to any computer I own I fully expect to be compromised.

What about if you're sleeping?

I've got 4 dogs and live in a rural area. You'd have to be bat shit crazy to want to mess with my stuff.

That said, it's a silly argument. If you don't secure your devices then you're gonna have a bad time. Just a fact of life, it's always been that way. Give a hacker physical access to a box and enough time and they are getting in. I do it routinely if I forgot a root password, boot knoppix, fix the root password on the boot disk, reboot.

Why even have full disk encryption then?

If I turn around for 30 seconds and my laptop has rebooted, I might wonder why.

I think what you're missing is that if you don't use AMT, all of the other boot security built into the system can be bypassed. Presumably this is important because if you don't want to use AMT you probably would assume that it's secure by default, but it turns out it's not.

I see it as somewhere in-between. It is one more thing on a long list of things that is easy to forget when setting up a new machine. I do stuff related to this for a living and miss things sometimes[1].

It is not unreasonable for someone to expect setting up a BIOS password to mean all management functions should require it. Unfortunately, reality is such that, depending on platform, the answer will be, "oh, you meant those management functions, too. Yeah, no, you also have to stick a password there."

So yes, this falls under "documented behavior." It also falls under "unfriendly, annoying complexity that shouldn't be foisted on non-professional users", and possibly worse.

It all goes back to the ME being forced down everyone's throats. It means continued insecurity everywhere; the same deal with AMD means no choice. I'd love to see a foreign competitor - at least then one would be able to choose who sniffs their panties.

[1] Most recently, with a home storage system. I built it some time back, and later, after moving stuff around, switched the network port I had it plugged into. I monitor my own network, including IP sweeps, which is the only reason I noticed the SuperMicro motherboard had grabbed a second IP address and was running a ME webapp with a default password.

Now, on one hand, I should have read the manual. Building a machine from components requires a certain degree of paying attention, and I didn't. On the other hand, this is an absurd default. In 2018, no system should ship out of the box with a giant Root Me Please! welcome mat.
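An added example (not part of the thread or any commenter's code) of the kind of check the comment above describes: comparing a sweep of your own network against what you expect to be there. The inventory, the sweep rows and the MAC and IP values are constructed sample data; 16992 and 16993 are the TCP ports Intel AMT uses for its web interface.

```python
import csv
import io

# TCP ports of the Intel AMT web UI (16992 = HTTP, 16993 = HTTPS).
AMT_WEB_PORTS = {16992, 16993}

# Constructed inventory: address -> the host the owner expects there.
INVENTORY = {
    "192.168.1.10": "workstation",
    "192.168.1.20": "storage",
}

# Constructed sweep result; the third row is an address nobody assigned.
SWEEP_CSV = """ip,mac,open_tcp_ports
192.168.1.10,00:00:5e:00:53:10,22
192.168.1.20,00:00:5e:00:53:20,22;445
192.168.1.57,00:00:5e:00:53:20,16992
"""

def parse_sweep(text):
    """Turn the CSV sweep export into dicts with a set of open ports."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        ports = {int(p) for p in rec["open_tcp_ports"].split(";") if p}
        rows.append({"ip": rec["ip"], "mac": rec["mac"].lower(), "ports": ports})
    return rows

def review_sweep(rows, inventory):
    """Return (ip, reasons) for every address that deserves a second look."""
    ips_by_mac = {}
    for r in rows:
        ips_by_mac.setdefault(r["mac"], []).append(r["ip"])
    findings = []
    for r in rows:
        reasons = []
        if r["ip"] not in inventory:
            reasons.append("address not in inventory")
            # A known machine's NIC answering on a second address is the
            # pattern of a management controller sharing the port.
            known = [ip for ip in ips_by_mac[r["mac"]] if ip in inventory]
            if known:
                reasons.append(f"same MAC as {inventory[known[0]]}")
        if r["ports"] & AMT_WEB_PORTS:
            reasons.append("management web UI port open")
        if reasons:
            findings.append((r["ip"], reasons))
    return findings
```
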

I agree with everything you said. The defaults are just wrong, it should not have any web server at all with a default password, that's an easy software fix.

So, if I understand correctly, it allows bypassing the BIOS password? Are there people relying on those? I may understand it's a bit more secure on a laptop, but on a desktop you just have to remove the BIOS battery to reset the password, anyway. Better to encrypt disks and rely on OS authentication (plus, it's easier to do for non-experts).

EDIT: on second reading, I realize the real problem of the thing is to allow for remote control, provided one can access machine ports.

> Are there people relying on those?

Having a BIOS password was already one of the mitigations for the Intel AMT-related security issue discovered not too long ago.

Does a modern laptop still depend on CMOS battery for anything other than an RTC? I thought all BIOS variables today are stored on SPI flash.

If you have access to the battery then you have access to the flash chip as well. Using a right clamp (sop8 usually) you can reflash the thing in a matter of seconds (I did).

The security issue is rebooting the machine and logging in with the default admin password? That's really not a 'vulnerability'.

Even if you have a BIOS password and everything locked down and the attacker can actually lock you out or quickly give themselves a backdoor. The problem is that there are a million ways in, they're open by default and it is really hard to keep track of everything you have to lock down, and the manufacturers keep adding new ones while you're not looking.

The right way for the manufacturers to set this up is

* Everything locked down by default

* One master password for complete control

* Using the master password you can delegate control for users, technicians, applications etc.

* If you forget the master password you can reset it using a switch or something you cannot access without opening up the machine which you cannot do while it is physically locked

But in reality there's all these management 'solutions' that have to be on by default and then there are the anti theft solutions, the secure boot restrictions, the 'trusted' platform, the list goes on. And then for the master password there's of course a backdoor password the helpdesk people can get if you can convince them the laptop is yours and you just forgot the password.

>The right way for the manufacturers to set this up is

Isn't this the case here? You have a master password and you can change it provided physical access.

It's more like an override, provided by a feature many people don't use. If they were using it they'd probably change the password from 'admin'.

You can't add a backdoor with a password and then claim that's the new master password.

I suppose "update AMT password defaults" is good, non-obvious advice to spread.

But it does feel a bit rich to describe physical access and a default password as the stuff of a security professional's "worst nightmares". "Physical access means control" has been a standard assumption for years, and this really just constitutes a failure to secure all login channels. It's a particularly silly description when Spectre and Meltdown are busy being actual "worst nightmares" threats.

It is, however, an incredibly predictable failure.

As far as nightmares are concerned, I suppose it depends on the anxieties of the particular security professional. ;)

> By selecting Intel’s Management Engine BIOS Extension (MEBx)

Where and how do I do that?

On a Dell, try CTRL-P when the Dell logo is showing.

Used to work on Optiplex machines, I don't have any other Dells to try it on.

On almost any machine with MEBx you can just mash the boot options key right after power on and while on a properly locked down machine you won't be able to change the boot order you will be able to select MEBx.

Note there are documented ways to reset that password even if it's not "admin", e.g. http://www.dell.com/support/article/us/en/04/sln49505/how-to...

I want to be able to buy devices and CPUs without these so-called management features, about 100% of which turn out to have security holes.

If it can be hacked it will be hacked.

Am I the only one with IAM fatigue at this point, feels like we get a headline like this at a rate of one a week now

No shit, Sherlock. You can log in with the default password.
