Inside Intel's CPU-level multi-factor auth (and why we've got deja vu)

Intel has baked multi-factor authentication defenses into its sixth-generation Core processors. On Tuesday, the California chip giant sprung this news on the world, revealing what it seemed to be saying was a really big secret: all this time, the sixth-gen Core family, launched in September, has had brand-spanking new multi- …

  1. Steve Davies 3 Silver badge
    Black Helicopters

    Deep joy!

    And an even juicier target for the malware coders and government spooks (if they don't already have a back door).

    This won't end well. (see Icon)

    1. Duncan Macdonald
      Black Helicopters

      Re: Deep joy!

      Back door? I am certain that the NSA is one of the prime drivers behind the Intel Management Engine and that they have the required passwords for remote access to any networked system with the Intel ME in it.

      Short of using a good EXTERNAL firewall, any modern PC is completely vulnerable to the NSA irrespective of any security in the operating system. (And the firewall had better not be one that uses an Intel CPU or one that the NSA has a back door to.)

      1. Paul Crawford Silver badge
        Trollface

        Re: Deep joy!

        I hear that Juniper Networks supply such firewalls for secure application. Oh wait...

    2. Dan 55 Silver badge

      Re: Deep joy!

      Baseband for PCs. What could possibly go wrong?

  2. Anonymous Coward
    Big Brother

    Designed by whom?

    We just hope nothing compromises the ME at the heart of Intel Authenticate.

    ..nothing... and no-one...

    Does "vPro"/"AMT" still include a full network stack?

    Hard to imagine embedding all those lurvely biometrics into the deluge of exfiltrated data and keys would be of any interest to anyone.

    1. Voland's right hand Silver badge

      Re: Designed by whom?

      Excellent use of bold. You should have used italics and caps too.

      End of the day, it comes from the same place as their random generator.

      1. Anonymous Coward
        Anonymous Coward

        Re: Designed by whom?

        Perhaps this exciting new technology will give them something to cross reference against that database of the fingerprints and identities of everyone who's ever passed through one of their airports.

  3. Anonymous Coward
    Anonymous Coward

    Hmmm...

    So they've just put TPM into the CPU's silicon?

  4. Mage Silver badge
    Devil

    Oh dear.

    So far I see no decent alternative to a separate password for each resource of style r2&Ha+bnjg^23 in a notebook kept in a safe place, not in the laptop bag.

    You can't change biometrics if they are stolen.

    A PIN isn't secure (I've opened a door lock by looking at which four buttons are slightly more worn).

    Many personal details are easily found.

    This is too complicated and inflexible.

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh dear.

      > Many personal details are easily found.

      Which is why I don't use any social media sites.

      Have you googled/binged yourself recently?

      1. frank ly

        @AC Re: Oh dear.

        You don't have to use your real name, as long as it's a believable one.

        1. Michael Wojcik Silver badge

          Re: @AC Oh dear.

          > You don't have to use your real name, as long as it's a believable one.

          You might as well use your real name, if it's a common one.

      2. Alistair
        Windows

        Re: Oh dear.

        "Have you googled/binged yourself recently?"

        I binged my head off a server in a rack yesterday --

        But the MS offering? dear god no, I don't go there. ever.

        1. LaeMing
          Go

          Re: Oh dear.

          @Alistair - sounds like your server rack gave you the equivalent experience.

  5. An0n C0w4rd

    Quote: "It's supposed to help employees who are bad at remembering complex passwords"

    It will do, until they lose their phone, or the system breaks and goes into some failsafe mode that needs the password, and they then need to remember their long and complex password, which they haven't used at all, so they have no hope of remembering it.

    Wait until the system breaks for everyone at the same time and then watch the helpdesk melt.

  6. oldcoder

    Just another way to duck responsibility...

    Now Microsoft will get to blame Intel for its shortcomings...

    BTW, it won't work at all for system-to-system authentication.

  7. John Geek
    Mushroom

    I wanna know if this will be any easier to use from non-Windows systems than TPM was. We stupidly tried to use TPM to authenticate PC-based test equipment at an API level, omg, what a horrendous headache THAT was.

    Icon for the headache induced by trying to use TPM as a security token substitute.

  8. Anonymous Coward
    Anonymous Coward

    It's Still Software...

    It's just Intel's software, not MS's, or Linus's.

    What is it about Intel that makes them so much better than anyone else at writing software? Ah yes; they're not.

    It's still security through obscurity.

    Worse, it sounds far harder to patch than anything else. Can you imagine how embarrassing it would be if someone found a bug and Intel had to tell the world that all machines were wide open until they'd had a BIOS upgrade? Even worse, it's network connected in a way that is out of the OS's control. Worse still it has access to all of memory, and there's nothing you can do about it.

    Sigh

    1. Anonymous Coward
      Anonymous Coward

      Re: It's Still Software...

      The OS (Windows, Linux etc.) can patch the lower-level OS running in the secure environment. The code is signed/encrypted to (hopefully) prevent bad actors from doing so, but if the key was compromised, or willingly given up, or grudgingly given up (after Intel receives the corporate equivalent of the rubber hose treatment) then All Hell Breaks Loose.

      If the NSA has the encryption key for that secure environment they just need a zero day exploit on the system and they can install their own code that runs below the OS capable of reading any memory it wishes and sending/receiving network packets without the OS knowing. You'd have a permanent bug built into your PC that would survive a reinstall and work even if you boot a read-only OS off a DVD or USB stick.

      Better yet (if you're the NSA), if Intel is cooperating, it could be built in at the factory, so every CPU Intel ships would be a ready-to-activate NSA bugging device. I might already have one built into my new Skylake CPU I bought last month. Neat!

      Of course going that far, Intel would run the risk of a rogue employee leaking this information, or being exposed if the encryption key was leaked/hacked and someone disassembled the code and discovered the secret. That would sure help AMD's market share!

      1. Anonymous Coward
        Terminator

        Re: It's Still Software...

        > ...if Intel is cooperating... ???

        It's been obvious to me for some decades now that these US corporations are so extremely willing to "cooperate" that they're little more than agency fronts. The tail is wagging the dogs. The last one I remember making a serious (no, not you Bill - we watched you fold) effort at politely declining was Bell... and US Gov showed no qualms at all in seizing the opportunity to demonstrate its will to smash up any firm which tried to say "no". ...and that was long ago in the simpler times before 911, GWB, Patriot, etc., etc. Resistance is undoubtedly now totally futile.

        > Of course going that far, Intel would run the risk of a rogue employee...

        What makes you think that any Intel employee is even allowed anywhere near the inner sanctum of the "Intel" security specials division, MD?

        > ...or being exposed if the encryption key was leaked/hacked...

        Didn't slow NSAFT down.

        > ...someone disassembled the code...

        Disassemble code that's been so thoroughly convoluted, obfuscated and encrypted to conceal it from its "owner"? Really? A lifetime's work just to partially reveal yet another broken-by-design TXTesque kludge which CIA "Intel" just bats away as another little "oopsie" (which we fixed years ago anyway - honest). Don't hold your breath.

  9. John Smith 19 Gold badge
    Thumb Down

    "We just hope nothing compromises the ME at the heart of Intel Authenticate."

    Let me see.

    Embedded processor and instruction set that bypasses (and therefore cannot be removed by) all operating systems.

    With built in connectivity to the outside world.

    Can you say grand target?

  10. Cuddles

    Do away with passwords?

    "Authentication data could [be] a PIN"

    A PIN is a password. It's just usually a very short one limited to a set of 10 characters, and therefore extremely weak. They are useful in places where convenience is more important, such as locking your phone with one to prevent casual access, but they're certainly not a replacement for passwords because that just means you're replacing one password with a much weaker one.

  11. wsm

    Must be government work

    Nothing else would be so complicated, yet have a single point of failure which is next to impossible to fix.

  12. tom dial Silver badge

    I'm still waiting for Intel to explain why it is more secure than the Common Access Card or Personal Identity Verification cards (each with PIN) the US government uses.

    For some reason this, and the underlying Management Engine, reminded me of the Intel iAPX 432, which was not exactly a commercial success.

  13. Neoc

    Making things easier...

    "...nor allowed to be tampered with unless you've got the right privileges"

    So if you've the right privileges, you can change the policies to allow you to bypass all this authentication hassle.

    If I understand correctly, crackers can infect EVERY SINGLE PC in a company/network if they only bother with cracking the one access that allows them to change the privileges. <sigh>

    Remember - if *you* can access/modify data, *they* can access/modify it as well (eventually).

  14. Anonymous Coward
    Pirate

    What's in a name?

    That which we call a clipper chip by any other name would smell of shit.

  15. Matthew 26
    Thumb Down

    Am I the Only One Who Sees this as a Camel's Nose Under the Tent?

    It is an attempt to implement the iOS walled garden on Wintel.

  16. druck Silver badge
    Thumb Down

    ME vs TrustZone

    Whilst it is a good idea to keep some security-related data away from a general-purpose operating system, which may be compromised in a myriad of ways, compare Intel's approach to ARM's. Intel is relying on the entirely unverifiable closed-source hidden firmware in the Management Engine, whereas ARM's TrustZone runs any secure operating system the user chooses, which can be independently audited and verified.
