Intel AMT security locks bypassed on corp laptops – fresh research

Security shortcomings in Intel's Active Management Technology (AMT) can be exploited by miscreants to bypass login prompts on notebook computers. Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to break into almost any corporate laptop in a matter of 30 …

Silver badge

Annnnnnd....

Time to dump Intel stock for AMD?

(I do not support any particular trades. TechnicalBen takes no responsibility for bad trading or gives no advice. Terms and conditions apply. I commented only as this is starting to look BAAAAAD. :P )

22
3
Silver badge

Re: Annnnnnd....

Arguably, it's AMD's fault for not being strong enough competition for some years now. Intel have got sloppy and lazy, to judge by the slew of failings we've seen in the past couple of years.

7
22


Silver badge

Re: Annnnnnd....

AMD has the same crap, only a different implementation. I don't see why it should be better, considering they have less money...

2
9
Silver badge

Re: Annnnnnd....

Never worked for a bloated megacorp scattered across 100 timezones where it's practically impossible to get anything done or propose a change if something looks wrong?

4
1

Re: Annnnnnd....

“Arguably, it's AMD's fault for not being strong enough competition for some years now.”

As far as I can tell, the only way they are weaker is in the marketing department. Intel generally have naming conventions that people think they understand (e.g. 7th gen i3 versus 8th gen i5).

4
0

Re: Annnnnnd....

And exactly why is this anything to do with Intel? It may be an Intel product but the issue is a human problem. I would hope that any IT team working with AMT would have changed the default password. If they have not then they are morons.

This is just the same as leaving the default password on a router when every router has the same one.

At a corporate level they cannot randomise the initial password easily due to the overhead of then commissioning it.

5
2
Anonymous Coward

Re: Annnnnnd....

The issue is that routers are used and are a fundamental part of a corporate infrastructure.

AMT is used by a few, but everyone is forced to fix the cock up.

3
1
FAIL

Staggering

Another ridiculously embarrassing screw up by Intel.

Isn't it obvious to them that there should definitely be some security on such a privileged tool as the Management Engine?

I'm starting to wonder if there is anything they bothered to design correctly?

20
4
Anonymous Coward

Re: Staggering

Intel and software. No further comment needed.

Just ducking as low as possible before the DPDK fanatics gang starts with the death chants (it is as sh*t as other Intel software if not even more so).

12
3
Anonymous Coward

Re: Staggering

Worked on an Intel-led software project between multiple 3rd-party companies and it was a total shit show. The most surprising thing to me at the time was that the reference hardware we were supposed to test on was flakier even than the software and would crap the bed regularly. Now not surprising at all. This was back in the high-flying MeeGo days. There were many good reasons why you didn't see many x86 phones/tablets running MeeGo back then.

15
1
Anonymous Coward

Re: Staggering

This is why you try to stay away from interacting with the HW as much as possible, at least at low level.. let someone else deal with that!

I have also been bitten by HW not working properly....

1
2
Silver badge

Re: Staggering

But there *IS* some security! It's got a password! A PASSWORD!

5
1

Re: Staggering

It's really quite hilarious how Intel managed to take a very solid and portable base that Nokia had (Debian + Qt) and make all the perfectly wrong decisions so as to add up to a horribly shaky and unportable end product. But man, yeah, you'd think if they could get anything right it would have been the hardware, and yet . . .

11
1

Re: Staggering

Intel NIC firmware is horrid as hell. I had a bunch of NEW X520 and X740 cards that I sold as used on eBay at a loss just because I got tired of dealing with the bugs. It was so bad that they were useless. Went to Chelsio and never looked back. It was so bad that Intel pulled the firmware release. In their infinite wisdom, the firmware flasher made a backup, but there was no way to apply it as you couldn’t downgrade the card once it was flashed! The stupid card would end up removing its own MAC out of its own internal filter and so would just drop all packets.

3
2
Anonymous Coward

Re: Staggering

>This is why you try to stay away from interacting with the HW as much as possible

Exactly what we did, but ultimately rubber had to meet the road and, like a whole bunch of other stuff back then, Intel upper management took one look and was like "nope, cut the cord immediately, we suck at mobile". For me, I was just happy to have some work, even if contracting during the depths of the great recession, and it got me in the door of another shop just as the shit house burned. Considering back in the semiconductor industry also taught me to stay the hell away from anything Intel.

>But man, yeah, you'd think if they could get anything right it would have been the hardware, and yet . .

Larrabee

1
0

Re: Staggering

You let someone else access your "personal" computer?

That is exactly what this exploit requires, and if you leave your machine unattended, they can just pick it up and walk off with it.

;-D

Good luck.

2
3

Re: Staggering

Passwords suck as security because anyone can use them. You don't even need to go to a hardware store to make a copy.

A password that is never set from the default is known to thousands.

A password on a corporate machine that is one of many, IF it is set, has the same password as all the other machines.

A physical lock on a computer case, or a BIOS that can't be accessed without opening the case: either of these is better security than a BIOS password, because they require an instrument and more time.

If you want a computer to be secure, LOCK IT IN A drawer when you are not using it.

3
3
Thumb Up

@ conscience - Re: Staggering

1. AMT, as implemented, was always a bad idea. As with UEFI, it has more to do with reclaiming control over a user's PC than any security measure—security is always the 'justifiable' excuse to take control away from the user. What Intel, Microsoft et al primarily want is to make the PC more proprietary and they have been doing so for years.

2. "I'm starting to wonder if there is anything they bothered to design correctly?"

You're correct. Look at Intel's record, it goes back decades. Now, we've not only Intel's AMT stuff-up but also the other big news that of the monumental problem of the 'Meltdown' and 'Spectre' chip bugs.

3. However, long before these fuck-ups there was the Pentium bug—remember that? What's fundamentally important to remember about the design flaw in the Pentium chip is that the very nature of the bug itself was the result of substandard and irresponsible engineering design—one that any first year engineering student could easily have pointed out.

The Pentium bug was in the ANSI/IEEE floating point standard subsection (the once 8087 IEEE math chip). Essentially, in order to speed up the chip Intel did the unthinkable, instead of implementing proper algorithms to do floating point mathematics as per the 8087, Intel took a shortcut and in part used a lookup table which was inherently prone to errors—and naturally calculation errors manifested themselves.

Whenever I think of this error I wince. It says much about Intel's design philosophy, which essentially put profits over data integrity. If Intel were prepared to commit such a cardinal design sin in the name of profit then we should be prepared to expect anything from the company.

2
0

Re: @ conscience - Staggering

@ RobHib

Good post. I knew about the maths bug, but I didn't know about the lookup table. Sounds like a typical Intel screw up/shortcut, not that anything they do surprises me. I completely agree with you about Intel's 'design philosophy' being all about the money. They'll do absolutely anything to boost performance by any means in order to compete/appear to beat their rivals, regardless of any consequences no matter how bad they might be for anyone. They originally started off trying to make RAM but that didn't work properly either. It says it all really...

The only things Intel are any good at are PR, hiding behind NDAs to cover up their many mistakes, and using their mountains of cash to portray themselves and their substandard products as the premium choice while crushing the competition.

0
0
Silver badge

Why?

What is the purpose of the 'Management Engine'? Does it serve a real need? If Chipzilla can come up with a good reason then fine, otherwise it is a pointless piece of stupidity that should never have seen the light of day.

16
2
Black Helicopters

Re: Why?

Yes, it allows convenient backdoors and those pesky hackers keep screwing everything up.

2
0
Silver badge

Why blame Intel?

Some people don't bother to change default passwords, so someone physically present who types in the correct password can access things. This is not in any way Intel's fault, and it's ridiculous to describe "user doesn't bother to change password" as "weak security by manufacturer".

18
20
Silver badge
Facepalm

Re: Why blame Intel?

Some people don't bother to change default passwords,

If the manufacturer puts in a feature requiring a strong password, then a request to set a strong password should be issued on setting up the system. If not set or left default the option should be disabled.

19
4

Re: Why blame Intel?

Because this one password, which a corporate user likely does not know exists, and which probably doesn't have expiration or complexity requirements, potentially gives unauditable access not only to the contents of the machine but to other systems the user may use.

15
3
Silver badge

Sorry, but i disagree. We're talking corporate user, meaning someone who has the backing of an IT department which is supposed to have done its job learning what kind of kit it purchased.

This has nothing to do with Joe User who doesn't have a snowball's chance in Hell of understanding what is going on. This is corporate stuff, and corporations are not supposed to be stupid enough to leave admin passwords unchanged.

7
11

Not really

I bought a “corporate” level laptop from Lenovo because I needed something durable and they offer a great warranty. My laptop thus came with AMT even though I’m my own IT department. So no, not every user that has AMT has a corporate IT department to set it up.

To add insult to injury, it comes loaded with Intel software that tells me that AMT is enabled and secure mode is disabled, but no option in said software to toggle either one!

16
2
Silver badge

Re: Why blame Intel?

"If the manufacturer puts in a feature requiring a strong password, then a request to set a strong password should be issued on setting up the system. If not set or left default the option should be disabled."

When setting the AMT password, it insists on a quite strong password including mixed case, numbers, symbols, the usual crap. But only if you actually go into the settings to do that.

3
0
Silver badge

Re: Why blame Intel?

Every time my ISP sends me a new router they also give me a semi-random SSID and WPA key. If those muppets can do it, why can't Intel and the laptop manufacturer for the AMT password?

Management Engine was a stupidly complex solution for a fairly minor problem and a classic case of cognitive bias. We have a problem - we're good at making new CPUs - let's use one!

16
2

I'm guessing Intel will say "not a big issue as it requires access to the laptop."

Clearly they've never been to Starbucks and seen someone leave their PC unattended while they pop for a pee...

14
0


Anonymous Coward

BIOS passwords

The BIOS passwords on every Dell I've messed with that had one set was easily bypassed using a password generator:

http://www.tech-faq.com/reset-dell-bios-password.html

5
0
Anonymous Coward

Intel need to stop shoving cr*p into their designs

Maybe if every CPU manufacturer kept it simple and secure, we could someday have Machine Independent Operating Systems which sit atop wrapper layers providing services like AMT, if that's what corps want for their machines?

2
1
Silver badge
Facepalm

Re: Intel need to stop shoving cr*p into their designs

"Maybe if every cpu manufacturer kept it simple and secure"

The problem is chiefly complexity and the propensity to add even more features to differentiate the product from their competitors. And the fact that there are few to no sanctions for shipping such a defective product.

Does Intel actually have a department dedicated to finding bugs (or errata, as they refer to bugs in their internal documents) in their processors, instead of waiting on reports from some third-party security researcher?

Meltdown and Spectre and similar types of bugs are the result of the attempt to squeeze some more speed of execution out of the basic x86 design. Maybe Intel should move to a simple RISC CPU that communicates with others through high-speed bidirectional asynchronous serial lines and run the OS on top of this as a virtual machine. Let's call the architecture the Transputer. Each manufacturer could create a unique configuration in the chipset; that way there wouldn't be the danger of a virus infecting its way through a monoculture.

3
3
Bronze badge

Re: Intel need to stop shoving cr*p into their designs

Does Intel actually have a department dedicated to finding bugs

Possibly. The problem would appear to be that they have a great many departments dedicated to implementing bugs.

0
1
Silver badge
Coat

Physically Separate, Dedicated, Management Interface

Job done.

3
0
Silver badge

Not enough face palm

Biggest face palm ever.

0
0
Anonymous Coward

Can someone tell me how come this only affects laptops?

4
0

Intel isn't the security issue here, people are.

"as this is most likely unchanged on most corporate laptops"

This issue is the same problem as leaving the front door of a building unlocked and unattended - lack of physical security. It isn't the fault of the door or the lock manufacturer, but a failure of corporate management to practice due diligence.

If someone cannot get into a building who should not be there, someone cannot gain physical access to a computer who should not have it, and there is no security system that prevents "inside jobs".

It has been proven time and time again that shared passwords can not provide high level security, and that data stored on a "personal" computer is insecure, even if it is encrypted in the machine's storage.

In practice, it would be virtually impossible to have a separate password for every computer in a corporation. Hundreds or thousands of machines are maintained by a staff of dozens with 25% annual turnover. Even if a corporation had its IT department set a BIOS password, it is ridiculous to assume that password would not leak, and there is no simple way to change thousands of passwords.

In the case of the Intel/BIOS issue, the fundamental architecture of the modern computer is a kludge of insecure components, integrated into an unreliable appliance that is administered by unreliable people with no system of standards that they are held accountable for following.

The closest thing to a secure PC is one that assumes it has been hacked, has NO firmware configuration and has multilevel secure boot that checks BIOS, kernel, OS and apps every time that the machine is started up. If that machine is connected to a network the network must be equally secured.

The poor quality software available today, that requires a constant stream of updates and patches, is defective from date of installation through retirement. Of course it has security loopholes.

3
1
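Several posts above argue about per-machine AMT passwords: that randomising them adds commissioning overhead, that MEBx insists on mixed case, digits and symbols, and that there is no simple way to rotate thousands of them. A standard way around all three is to derive each machine's password from one vaulted master key and the chassis serial, so nothing per-machine has to be stored and a fleet-wide rotation is a counter bump. The following is an added example written for this page, not code from Intel, the article or any commenter; the derivation scheme, the helper names, the sample key and serials, and the assumed MEBx character rules (8-32 characters, at least one upper, lower, digit and symbol) are all my own assumptions, so check the rules your firmware actually enforces before using it.

```python
import hashlib
import hmac
from typing import Iterator

# Character classes matching the policy described in the thread (mixed case, digits, symbols).
# ASSUMPTION: the exact symbol set MEBx accepts varies by firmware; I, O, l and 0/1 are
# dropped only so the value is easy to type at the MEBx prompt, not because of any rule.
UPPER = "ABCDEFGHJKLMNPQRSTUVWXYZ"
LOWER = "abcdefghijkmnopqrstuvwxyz"
DIGITS = "23456789"
SYMBOLS = "!@#$%^&*"
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS


def _byte_stream(master_key: bytes, info: bytes) -> Iterator[int]:
    """HKDF-Expand-style keystream: T(i) = HMAC-SHA256(key, T(i-1) || info || i)."""
    prev = b""
    counter = 1
    while True:
        prev = hmac.new(master_key, prev + info + bytes([counter & 0xFF]), hashlib.sha256).digest()
        yield from prev
        counter += 1


def _unbiased(stream: Iterator[int], n: int) -> int:
    """Uniform integer in [0, n): reject bytes above the largest multiple of n (no modulo bias)."""
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n


def derive_password(master_key: bytes, serial: str, generation: int = 1, length: int = 16) -> str:
    """Deterministically derive the MEBx/AMT password for one machine.

    Nothing per-machine is stored: helpdesk re-derives it from the vaulted master key plus
    the serial printed on the chassis. Bumping `generation` rotates the whole fleet.
    """
    if not 8 <= length <= 32:
        raise ValueError("MEBx passwords are 8-32 characters (assumed policy)")
    if len(master_key) < 32:
        raise ValueError("use a 256-bit master key")
    info = f"amt-mebx|{generation}|{serial}".encode()  # binds output to purpose, generation, device
    stream = _byte_stream(master_key, info)
    # One character from each class guarantees the complexity rule; the rest come from the full set.
    chars = [
        UPPER[_unbiased(stream, len(UPPER))],
        LOWER[_unbiased(stream, len(LOWER))],
        DIGITS[_unbiased(stream, len(DIGITS))],
        SYMBOLS[_unbiased(stream, len(SYMBOLS))],
    ]
    chars += [ALPHABET[_unbiased(stream, len(ALPHABET))] for _ in range(length - 4)]
    # Deterministic Fisher-Yates so the guaranteed classes do not always sit at fixed positions.
    for i in range(len(chars) - 1, 0, -1):
        j = _unbiased(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_amt_policy(pw: str) -> bool:
    """The complexity rule as described in the thread: 8-32 chars with upper, lower, digit, symbol."""
    return (
        8 <= len(pw) <= 32
        and pw.isascii()
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in SYMBOLS for c in pw)
    )


if __name__ == "__main__":
    # Constructed inputs: in practice the master key lives in a vault or HSM, never on the laptop.
    master = bytes.fromhex("4f2a" * 16)
    for serial in ("PF0ABC12", "PF0ABC13"):
        pw = derive_password(master, serial)
        print(serial, pw, meets_amt_policy(pw))
```

The master key is the only secret: if it leaks, rotate by incrementing `generation` and re-provisioning, which is a scripted job rather than a thousand hand-typed changes. Because the derivation is keyed with HMAC rather than a plain hash, knowing one machine's password and serial gives an attacker nothing about the next machine.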

Why bother? The bitlocker code is probably somewhere on a post-it on the machine itself.

Anyway, I manage all IT for a small company (about 35 computers). I don't have anything set up to update AMT firmware remotely. We're not even using it.

So, because I'm tired of all these Intel AMT security issues, I have decided to use me_cleaner on every BIOS update from now on. This is of course very handy for systems with an older AMT that's full of security holes and that's not getting any updates.

https://github.com/corna/me_cleaner

0
0
Bronze badge

Isn't me_cleaner a case of stable and bolted horse ?

0
1

Using me_cleaner now may sound like it's too late for this issue. But it will be very handy when the next security issue comes around, next month or so.

0
0

When will Intel provide patches to allow us to disable Intel AMT? That Minix3-based second CPU is a big open "designed" security hole.

Either provide CPUs without Meltdown and AMT, provide a patch to disable AMT or give us a refund, so that I can buy from a competitor.

2
0

Biting the hand that feeds IT © 1998–2018