
Researcher Finds Another Security Flaw In Intel Management Firmware (arstechnica.com) 52

Posted by BeauHD from the when-it-rains-it-pours dept.
An anonymous reader quotes a report from Ars Technica: Meltdown and Spectre are not the only security problems Intel is facing these days. Today, researchers at F-Secure have revealed another weakness in Intel's management firmware that could allow an attacker with brief physical access to PCs to gain persistent remote access to the system, thanks to weak security in Intel's Active Management Technology (AMT) firmware -- remote "out of band" device management technology installed on 100 million systems over the last decade, according to Intel. [T]he latest vulnerability -- discovered in July of 2017 by F-Secure security consultant Harry Sintonen and revealed by the company today in a blog post -- is more of a feature than a bug. Notebook and desktop PCs with Intel AMT can be compromised in moments by someone with physical access to the computer -- even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords -- by rebooting the computer, entering its BIOS boot menu, and selecting configuration for Intel's Management Engine BIOS Extension (MEBx).

If MEBx hasn't been configured by the user or by their organization's IT department, the attacker can log into the configuration settings using Intel's default password of "admin." The attacker can then change the password, enable remote access, and set the firmware to not give the computer's user an "opt-in" message at boot time. "Now the attacker can gain access to the system remotely," F-Secure's release noted, "as long as they're able to insert themselves onto the same network segment with the victim (enabling wireless access requires a few extra steps)."


  • Firmware vs hardware (Score:3)

    by ArtemaOne ( 1300025 ) on Friday January 12, 2018 @05:15PM (#55918183)

    Totally different things. I imagine they find software and firmware vulnerabilities all the time. Hardware is difficult to patch around, and obviously comes with the notable performance hit.

  • I hope heads will roll...but like always...never happens! I could even imagine increased sales for the new generation of Intel processor with the Meltdown flaw fixed. smh

    • These are programming flaws. Programmers are never held accountable for anything. Every time something like this is reported folks on here make up every excuse why it's not the fault of the programmer.

      Watch.

      • How is this even a flaw?
        It's a case of default state + physical access == ownership.
        This is nothing new at all.

        • Re: (Score:2)

          by ELCouz ( 1338259 )
          Agree this is not a flaw but talking about Intel design in general...we haven't heard any good news about AMT, Intel CPU design and the whole Intel Press Relations in denial.

          • I don't particularly see this as bad engineering even.
            The thing ships disabled by default and with a default local only pwd to enable it OR lock out other access.
            It can be disabled in the BIOS (and then the BIOS pwd activated) as well.
            The config guide even says setting the password is a non optional step in any multi user/multi access environment, or you can get a sku where it's not even available.

            no different than leaving the BIOS unlocked. I could boot a USB device that installs a rogue bootloader on the

  • If you have physical access you can do anything...

  • So, the flaw is the user forgot to set the lock? (Score:5, Insightful)

    by El Cubano ( 631386 ) on Friday January 12, 2018 @05:33PM (#55918277)

    If MEBx hasn't been configured by the user or by their organization's IT department, the attacker can log into the configuration settings using Intel's default password of "admin." The attacker can then change the password

    So, the "flaw" is that the user forgot to set the lock? I am stunned that this is considered a vulnerability/flaw. I mean, when I buy a new gun safe or document safe for my home or office, it comes from the factory with a default combination. I have to set it to one of my choosing. If I choose to not change the default combination, then that is on me.

    Now, you might argue that it should be more like keyless entry for an automobile: the manufacturer sets a code and provides you a device (key fob) for entry. However, if Intel did that, they would be accused of making their products difficult to use or crippling them (because people would certainly lose their AMT key fobs and Intel would either be unable to recover them, or would charge a fee for the service) or taking advantage of the user (because they would certainly lose the key fob). Plus, that would make it an absolute nightmare for central IT, the target audience for this particular feature.

    The point is that if you are buying machines that have this capability, then you are buying mid-range to high-end business/professional stuff. AMT is not available on entry-level and most consumer gear. Besides, the people who don't bother setting the MEBx password on their systems (assuming they don't have central management through IT) are probably the same sort of people who buy a wireless AP, turn it on and leave the password set to the default and the admin function accessible over the wireless interface.

    Intel has problems, but this one is definitely way down on the list.

    • Re:So, the flaw is the user forgot to set the lock (Score:5, Interesting)

      by CanHasDIY ( 1672858 ) on Friday January 12, 2018 @05:45PM (#55918341) Homepage Journal

      I've worked in the IT field for 15 years - in academia, for financial institutions, for Fortune 500 companies, and at small, locally owned businesses.

      You would balk if you saw how many of the "top companies in America" don't give 2 shits about security, outside of whatever the latest CNN scare story is. I personally find it amazing how some of these corporations will spend tens of thousands of dollars on fancy security equipment.... that they never bother to actually configure.

      You can show your C-levels the lock and hand them the key, but you can't make them set the latch.

      • Equifax

      • You would balk if you saw how many of the "top companies in America" don't give 2 shits about security, outside of whatever the latest CNN scare story is. I personally find it amazing how some of these corporations will spend tens of thousands of dollars on fancy security equipment.... that they never bother to actually configure.

        You can show your C-levels the lock and hand them the key, but you can't make them set the latch.

        Absolutely! Except there is going to come a point in time where a concerted effort by a small nation-state sponsored groups will be able to completely destroy corporate giants overnight. When they see empires around them begin to fall they will either start caring or become a casualty of cyberwarfare.

    • I think the main point is that people don't realize that they have a "lock" that they need to change the combination on. Perhaps with additional education people can "check their sh*t" and see if it needs to be changed. Then the bad actor can just look under their keyboard for the PW, but at least it won't be "admin" anymore.

    • Re: (Score:2)

      by eddeye ( 85134 )

      So, the "flaw" is that the user forgot to set the lock? I am stunned that this is considered a vulnerability/flaw. I mean, when I buy a new gun safe or document safe for my home or office, it comes from the factory with a default combination. I have to set it to one of my choosing. If I choose to not change the default combination, then that is on me.

      Bad analogy. The difference here is once the attacker turns on remote monitoring, it occurs silently. There's no indication that it's happened and no way t

  • Shouldn't AMD benefit from this long term?

    • Why? Their own equivalent is equally as shit. [slashdot.org]

      • Re: (Score:3)

        by Qzukk ( 229616 )

        Getting to the point where I'm going to have to dig out my old VIA-powered Wal-Mart PC [slashdot.org] to do my banking and such on to ensure security from hackers dropping javascript into my browser.

        At the very least, the slow speed means I'll realize pretty quickly when someone is trying to use it to mine cryptocurrencies.

  • Millions of devices ship with default passwords. It is an issue only if it is not possible to change it, and the need to change is not clearly explained when it was shipped. Ideally it should not be the same password for all devices but something unique to each chip, given to the manufacturer as part of shipped chips.

  • "by only -" (Score:3)

    by sheramil ( 921315 ) on Friday January 12, 2018 @06:30PM (#55918611)

    can be compromised in moments by someone with physical access to the computer -- even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords -- by rebooting the computer, entering its BIOS boot menu...

    How do you bypass the BIOS password if you can't get to the BIOS boot menu, because you don't have the BIOS password? I don't think "brief physical access" covers "opening the case and pulling the CMOS battery".

  • Rule 1 of security. Physical access trumps everything else. So you can't claim finding a defect that can be exploited physically is a breach. For that matter, someone could start plugging things into the motherboard. This is just a lot of stupid hoopla. Everyone in OpenSource knows the REASON Open Source works is to bypass security through obscurity. Open Source DOES NOT and WILL NEVER (and neither will any security system) foil physical access 100% of the time. As for this - I've never even seen this option i
