28 comments

[ 2.7 ms ] story [ 65.5 ms ] thread
> To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops.

Classic

https://news.ycombinator.com/item?id=16131932

    A Security Issue in Intel’s Active Management Technology (f-secure.com)
    139 points by buovjaga 2 days ago | 33 comments
Stop it, that's not fair, that news got hidden way too quickly two days ago. And then implying "dupe" is a common way to get rid of real news (that matter) but one doesn't like
Does this affect Macs?
Doesn't sound like it, as far as I know there's no mgmt engine on Apple hardware
I thought Intel ME is embedded into the CPU die itself. Unless Apple actively disables it like some niche manufacturers, it is present and enabled.
ME and AMT aren't the same thing. AMT uses the ME, but the presence of ME does not imply the presence of AMT.

Apple doesn't sell any products with vPro as far as I know, and certainly doesn't offer any way of configuring it pre-boot.

Intel AMT has to be enabled not disabled, this is what people not seem to get.

If UEFI portion is missing, if the drivers and the OS AMT software is missing it won’t work.

Yes in theory you still might be able to use the CPU portion of it via the Intel ME MSRs but those don’t do much on thier on.

While this is a problem, all bets are off in terms of security when a bad actor has access to your hardware.
Usually if someone has physical access you've already lost.
In infosec theory, sure.

In reality though I want a working BIOS password that stops everyone who isn't an experienced, knowledgable attacker. Setting up a BIOS password should make it really hard to access a machine. Obviously I don't have any expectation of it being impossible, but it should at least stop Jane from Accounting being able to access a laptop by Googling for a default backdoor. This would let her. That is a problem that shouldn't be downplayed.

Setting the bios password should set the AMT password as well, seems only logical
That’s an outdated notion. You can’t do very much with a stolen iOS device.
You can't do very much without Apple's permission with a non-stolen iOS device either.
Same for Android since 7.0/8.0 (not sure which). Trying to factory reset the phone somehow wouldn't remove the Google account and would leave the screen lock enabled.
This is confusing. Does the exploit really entirely hinge on administrators not changing the default password? How the hell is that an exploit? Is F-Secure just trying to ride the hate-Intel Meltdown bandwagon?
Becuase this is a very real practical exploit. Having such grossly insecire defaults is a security issue. Intel AMT should be disabled by default and enabled from the BIOS after the password is provided.
Said every router ever? The feature shouldn't exist; it's not securable, short of a second device.
The issue here is there's no way to physically provide a password to user without also handing it to the adversary.

AMT could be protected, or AMT disabled and BIOS protected, by unique password printed onto laptop, neither of which will prevent adversary with physical access.

All computer should be sold with a small card listing all the unique default passwords and private keys. Maybe a bunch of QR codes may help the type in.
Sounds like F-Secure is just trying to say "Yeah we do security research too, remember we exist."

Basically they are saying that their "exploit" requires physical access to a device and an incompetent administrator. What's next? Oh no, Windows doesn't require administrators to force their users to not use the password "password". Someone issue a press release slamming Microsoft, horrible security!

Point being, this doesn't belong on the front page of HN. Of course admins should know about this, but whoever submitted this is FUD piggy-backing on a legitimate exploit.

If it's something they regularly fail to do, I think it's a fair point.
What's mid boggling is that Intel will very likely get away scot free from all of this. If anything, it will provide a nice boost for newer Intel CPUs.

It's marvelous.

Oh not this again the default password ‘admin’ is literarily from the MBEx user guide:

https://www.intel.com/content/dam/support/us/en/documents/mo...

This is at best a known weak configuration not a vulnerability.

The problem is that the PW isn’t saved anywhere where Intel can touch it, some manufacturers pre-set the password some don’t. However the instructions are login with default and change the god damn password it even ״forces” you to do that on provisioning.

(comment deleted)
Routers don't all come with the same WiFi password, why should this be any different? Most people probably won't even know about this feature, therefore will never "provision" it.
Quite a few of them do, in fact the likilihood of your router having a fixed default password increases with it being less of a consumer oriented product, most SOHO and above routers as well as other equipment does comes with a known default password.

This feature isn’t turned on by default, someone had to go into the BIOS and enabled it. This feature is also not available on non enterprise consumer laptops.