> To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops.
Stop it, that's not fair, that news got hidden way too quickly two days ago. And then implying "dupe" is a common way to get rid of real news (that matter) but one doesn't like
In reality though I want a working BIOS password that stops everyone who isn't an experienced, knowledgable attacker. Setting up a BIOS password should make it really hard to access a machine. Obviously I don't have any expectation of it being impossible, but it should at least stop Jane from Accounting being able to access a laptop by Googling for a default backdoor. This would let her. That is a problem that shouldn't be downplayed.
Same for Android since 7.0/8.0 (not sure which). Trying to factory reset the phone somehow wouldn't remove the Google account and would leave the screen lock enabled.
This is confusing. Does the exploit really entirely hinge on administrators not changing the default password? How the hell is that an exploit? Is F-Secure just trying to ride the hate-Intel Meltdown bandwagon?
Becuase this is a very real practical exploit. Having such grossly insecire defaults is a security issue. Intel AMT should be disabled by default and enabled from the BIOS after the password is provided.
The issue here is there's no way to physically provide a password to user without also handing it to the adversary.
AMT could be protected, or AMT disabled and BIOS protected, by unique password printed onto laptop, neither of which will prevent adversary with physical access.
All computer should be sold with a small card listing all the unique default passwords and private keys. Maybe a bunch of QR codes may help the type in.
Sounds like F-Secure is just trying to say "Yeah we do security research too, remember we exist."
Basically they are saying that their "exploit" requires physical access to a device and an incompetent administrator. What's next? Oh no, Windows doesn't require administrators to force their users to not use the password "password". Someone issue a press release slamming Microsoft, horrible security!
Point being, this doesn't belong on the front page of HN. Of course admins should know about this, but whoever submitted this is FUD piggy-backing on a legitimate exploit.
What's mid boggling is that Intel will very likely get away scot free from all of this. If anything, it will provide a nice boost for newer Intel CPUs.
This is at best a known weak configuration not a vulnerability.
The problem is that the PW isn’t saved anywhere where Intel can touch it, some manufacturers pre-set the password some don’t. However the instructions are login with default and change the god damn password it even ״forces” you to do that on provisioning.
Routers don't all come with the same WiFi password, why should this be any different? Most people probably won't even know about this feature, therefore will never "provision" it.
Quite a few of them do, in fact the likilihood of your router having a fixed default password increases with it being less of a consumer oriented product, most SOHO and above routers as well as other equipment does comes with a known default password.
This feature isn’t turned on by default, someone had to go into the BIOS and enabled it.
This feature is also not available on non enterprise consumer laptops.
28 comments
[ 2.7 ms ] story [ 65.5 ms ] threadClassic
Apple doesn't sell any products with vPro as far as I know, and certainly doesn't offer any way of configuring it pre-boot.
If UEFI portion is missing, if the drivers and the OS AMT software is missing it won’t work.
Yes in theory you still might be able to use the CPU portion of it via the Intel ME MSRs but those don’t do much on thier on.
In reality though I want a working BIOS password that stops everyone who isn't an experienced, knowledgable attacker. Setting up a BIOS password should make it really hard to access a machine. Obviously I don't have any expectation of it being impossible, but it should at least stop Jane from Accounting being able to access a laptop by Googling for a default backdoor. This would let her. That is a problem that shouldn't be downplayed.
AMT could be protected, or AMT disabled and BIOS protected, by unique password printed onto laptop, neither of which will prevent adversary with physical access.
Basically they are saying that their "exploit" requires physical access to a device and an incompetent administrator. What's next? Oh no, Windows doesn't require administrators to force their users to not use the password "password". Someone issue a press release slamming Microsoft, horrible security!
Point being, this doesn't belong on the front page of HN. Of course admins should know about this, but whoever submitted this is FUD piggy-backing on a legitimate exploit.
It's marvelous.
https://www.intel.com/content/dam/support/us/en/documents/mo...
This is at best a known weak configuration not a vulnerability.
The problem is that the PW isn’t saved anywhere where Intel can touch it, some manufacturers pre-set the password some don’t. However the instructions are login with default and change the god damn password it even ״forces” you to do that on provisioning.
This feature isn’t turned on by default, someone had to go into the BIOS and enabled it. This feature is also not available on non enterprise consumer laptops.