Intel AMT security locks bypassed on corp laptops – fresh research

Security shortcomings in Intel's Active Management Technology (AMT) can be exploited by miscreants to bypass login prompts on notebook computers. Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to break into almost any corporate laptop in a matter of 30 …

  1. TechnicalBen Silver badge

    Annnnnnd....

    Time to dump Intel stock for AMD?

    (I do not support any particular trades. TechnicalBen takes no responsibility for bad trading or gives no advice. Terms and conditions apply. I commented only as this is starting to look BAAAAAD. :P )

  2. Ledswinger Silver badge

    Re: Annnnnnd....

    Arguably, it's AMD's fault for not being strong enough competition for some years now. Intel have got sloppy and lazy, to judge by the slew of failings we've seen in the past couple of years.

  3. This post has been deleted by its author

  4. Aitor 1 Silver badge

    Re: Annnnnnd....

    AMD has the same crap, only a different implementation. I don't see why it should be better, considering they have less money...

  5. Dan 55 Silver badge

    Re: Annnnnnd....

    Never worked for a bloated megacorp scattered across 100 timezones where it's practically impossible to get anything done or propose a change if something looks wrong?

  6. SAdams

    Re: Annnnnnd....

    “Arguably, it's AMD's fault for not being strong enough competition for some years now.”

    As far as I can tell, the only way they are weaker is in the marketing department. Intel generally have naming conventions that people think they understand (e.g. 7th gen i3 versus 8th gen i5).

  7. hoola

    Re: Annnnnnd....

    And exactly why is this anything to do with Intel? It may be an Intel product but the issue is a human problem. I would hope that any IT team working with AMT would have changed the default password. If they have not then they are morons.

    This is just the same as leaving the default password on a router when every router has the same one.

    At a corporate level they cannot randomise the initial password easily due to the overhead to then commission it.

  8. Anonymous Coward

    Re: Annnnnnd....

    The issue is routers are used and a fundamental part of a corporate infrastructure.

    AMT is used by a few, but everyone is forced to fix the cock up.

  9. conscience
    FAIL

    Staggering

    Another ridiculously embarrassing screw up by Intel.

    Isn't it obvious to them that there should definitely be some security on such a privileged tool as the Management Engine?

    I'm starting to wonder if there is anything they bothered to design correctly?

  10. Anonymous Coward

    Re: Staggering

    Intel and software. No further comment needed.

    Just ducking as low as possible before the DPDK fanatics gang starts with the death chants (it is as sh*t as other Intel software if not even more so).

  11. Anonymous Coward

    Re: Staggering

    Worked on an Intel led software project between multiple 3rd party companies and it was a total shit show. The most surprising thing to me at the time was that the reference hardware we were supposed to test on was flakier even than the software and would crap the bed regularly. Now not surprising at all. This was back in the high flying Meego days. There were many good reasons why you didn't see many x86 phones/tablets running Meego back then.

  12. Anonymous Coward

    Re: Staggering

    This is why you try to stay away from interacting with the HW as much as possible, at least at low level.. let someone else deal with that!

    I have also been bitten by HW not working properly....

  13. AdamWill Silver badge

    Re: Staggering

    But there *IS* some security! It's got a password! A PASSWORD!

  14. keithzg

    Re: Staggering

    It's really quite hilarious how Intel managed to take a very solid and portable base that Nokia had (Debian + Qt) and make all the perfectly wrong decisions so as to add up to a horribly shaky and unportable end product. But man, yeah, you'd think if they could get anything right it would have been the hardware, and yet . . .

  15. s2bu

    Re: Staggering

    Intel NIC firmware is horrid as hell. I had a bunch of NEW X520 and X740 cards that I sold as used on eBay at a loss just because I got tired of dealing with the bugs. It was so bad that they were useless. Went to Chelsio and never looked back. It was so bad that Intel pulled the firmware release. In their infinite wisdom, the firmware flasher made a backup, but there was no way to apply it as you couldn’t downgrade the card once it was flashed! The stupid card would end up removing its own MAC out of its own internal filter and so would just drop all packets.

  16. Anonymous Coward

    Re: Staggering

    >This is why you try to stay away from interacting with the HW as much as possible

    Exactly what we did but ultimately rubber had to meet the road and like a whole bunch of other stuff back then Intel upper management took one look and was like nope cut the cord immediately as we suck at mobile. For me was just happy to have some work even if contracting during depths of great recession and it got me in the door of another shop just as the shit house burned. Considering back in the semiconductor industry also taught me to stay the hell away from anything Intel.

    >But man, yeah, you'd think if they could get anything right it would have been the hardware, and yet . .

    Larrabee

  17. pssst3

    Re: Staggering

    You let someone else access your "personal" computer?

    That is exactly what this exploit requires, and if you leave your machine unattended, they can just pick it up and walk off with it.

    ;-D

    Good luck.

  18. pssst3

    Re: Staggering

    Passwords suck as security because anyone can use them. You don't even need to go to a hardware store to make a copy.

    A password that is never set from the default is known to thousands.

    A password on a corporate machine that is one of many, IF it is set, has the same password as all the other machines.

    A physical lock on a computer case, a BIOS that can't be accessed without opening the case: either of these is better security than a BIOS password, because they require an instrument and more time.

    If you want a computer to be secure, LOCK IT IN A drawer when you are not using it.

  19. RobHib
    Thumb Up

    @ conscience - Re: Staggering

    1. AMT, as implemented, was always a bad idea. As with UEFI, it has more to do with reclaiming control over a user's PC than any security measure—security is always the 'justifiable' excuse to take control away from the user. What Intel, Microsoft et al primarily want is to make the PC more proprietary and they have been doing so for years.

    2. "I'm starting to wonder if there is anything they bothered to design correctly?"

    You're correct. Look at Intel's record, it goes back decades. Now we've not only Intel's AMT stuff-up but also the other big news, that of the monumental problem of the 'Meltdown' and 'Spectre' chip bugs.

    3. However, long before these fuck-ups there was the Pentium bug—remember that? What's fundamentally important to remember about the design flaw in the Pentium chip is that the very nature of the bug itself was the result of substandard and irresponsible engineering design—one that any first year engineering student could easily have pointed out.

    The Pentium bug was in the ANSI/IEEE floating point standard subsection (the once 8087 IEEE math chip). Essentially, in order to speed up the chip Intel did the unthinkable, instead of implementing proper algorithms to do floating point mathematics as per the 8087, Intel took a shortcut and in part used a lookup table which was inherently prone to errors—and naturally calculation errors manifested themselves.

    Whenever I think of this error I wince. It says much about Intel's design philosophy, which essentially put profits over data integrity. If Intel were prepared to commit such a cardinal design sin in the name of profit then we should be prepared to expect anything from the company.

  20. conscience

    Re: @ conscience - Staggering

    @ RobHib

    Good post. I knew about the maths bug, but I didn't know about the lookup table. Sounds like a typical Intel screw up/shortcut, not that anything they do surprises me. I completely agree with you about Intel's 'design philosophy' being all about the money. They'll do absolutely anything to boost performance by any means in order to compete/appear to beat their rivals, regardless of any consequences no matter how bad they might be for anyone. They originally started off trying to make RAM but that didn't work properly either. It says it all really...

    The only things Intel are any good at are PR, hiding behind NDAs to cover up their many mistakes, and using their mountains of cash to portray themselves and their substandard products as the premium choice while crushing the competition.

  21. a_yank_lurker Silver badge

    Why?

    What is the purpose of the 'Management Engine'? Does it serve a real need? If Chipzilla can come up with a good reason then fine, otherwise it is a pointless piece of stupidity that should never have seen the light of day.

  22. Anonymous Coward
    Black Helicopters

    Re: Why?

    Yes, it allows convenient backdoors and those pesky hackers keep screwing everything up.

  23. Cuddles Silver badge

    Why blame Intel?

    Some people don't bother to change default passwords, so someone physically present who types in the correct password can access things. This is not in any way Intel's fault, and it's ridiculous to describe "user doesn't bother to change password" as "weak security by manufacturer".

  24. Stoneshop Silver badge
    Facepalm

    Re: Why blame Intel?

    Some people don't bother to change default passwords,

    If the manufacturer puts in a feature requiring a strong password, then a request to set a strong password should be issued on setting up the system. If not set or left default the option should be disabled.

  25. Dave Pickles

    Re: Why blame Intel?

    Because this one password, which a corporate user likely does not know exists, and which probably doesn't have expiration or complexity requirements, potentially gives unauditable access not only to the contents of the machine but to other systems the user may use.
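The point above, that a password most users never knew existed can grant access to a machine and onward to the network, starts with knowing which hosts actually answer on the AMT ports. The following is an added example, not code from the article or from any commenter: it fingerprints Intel AMT's built-in web server from its `Server:` response header on TCP 16992 (HTTP) and 16993 (HTTPS), extracts the firmware version and notes whether the endpoint is on the TLS port. The responses are constructed inline to keep it runnable offline; the header format is assumed from AMT's published web interface behaviour, and only a machine that has already been provisioned listens on these ports at all, so an unprovisioned laptop with the factory MEBx password (the case the article describes) has to be checked locally instead.

```python
import re

# Constructed responses for the example, not captures from a real network.
# The "Server:" line is the banner AMT's web server is documented to send;
# the digest realm and nonce values here are made up.
SAMPLE_RESPONSES = {
    "10.0.5.21:16992": (
        "HTTP/1.1 401 Unauthorized\r\n"
        'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF0123456789ABCDEF", '
        'nonce="deadbeef", stale="false", qop="auth"\r\n'
        "Server: Intel(R) Active Management Technology 11.8.50.3425\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "10.0.5.22:16993": (
        "HTTP/1.1 401 Unauthorized\r\n"
        "Server: Intel(R) Active Management Technology 9.1.40.1000\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "10.0.5.23:16992": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx/1.14.0\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
}

# Matches the AMT banner line and captures the dotted firmware version.
AMT_BANNER = re.compile(
    r"^Server:\s*Intel\(R\) Active Management Technology\s+([\d.]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def amt_version(raw_response):
    """Return the firmware version string from an AMT banner, or None if absent."""
    m = AMT_BANNER.search(raw_response)
    return m.group(1) if m else None


def classify(endpoint, raw_response):
    """Describe one endpoint ("host:port") if it speaks AMT, else return None."""
    ver = amt_version(raw_response)
    if ver is None:
        return None
    port = int(endpoint.rsplit(":", 1)[1])
    return {
        "endpoint": endpoint,
        "version": ver,
        "major": int(ver.split(".")[0]),   # major version drives patch triage
        "tls": port == 16993,              # 16992 is plain HTTP
        "digest_auth": "WWW-Authenticate: Digest" in raw_response,
    }


def inventory(responses):
    """Keep only the endpoints that fingerprint as AMT."""
    return [c for c in (classify(ep, r) for ep, r in responses.items()) if c]


if __name__ == "__main__":
    for entry in inventory(SAMPLE_RESPONSES):
        print(entry)
```

In practice the `raw_response` values come from a socket read of the first few hundred bytes after a `GET / HTTP/1.0` to each host on both ports; the parsing is separated from the I/O so the classification can be unit tested and run against saved scan output.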

  26. Pascal Monett Silver badge

    Sorry, but i disagree. We're talking corporate user, meaning someone who has the backing of an IT department which is supposed to have done its job learning what kind of kit it purchased.

    This has nothing to do with Joe User who doesn't have a snowball's chance in Hell of understanding what is going on. This is corporate stuff, and corporations are not supposed to be stupid enough to leave admin passwords unchanged.

  27. s2bu

    Not really

    I bought a “corporate” level laptop from Lenovo because I needed something durable and they offer a great warranty. My laptop thus came with AMT even though I’m my own IT department. So no, not every user that has AMT has a corporate IT department to set it up.

    To add insult to injury, it comes loaded with Intel software that tells me that AMT is enabled and secure mode is disabled, but no option in said software to toggle either one!

  28. John Brown (no body) Silver badge

    Re: Why blame Intel?

    "If the manufacturer puts in a feature requiring a strong password, then a request to set a strong password should be issued on setting up the system. If not set or left default the option should be disabled."

    When setting the AMT password, it insists on a quite strong password including mixed case, numbers, symbols, the usual crap. But only if you actually go into the settings to do that.

  29. Gordon 10 Silver badge

    Re: Why blame Intel?

    Every time my ISP sends me a new router they also give me a semi-random SSID and WPA key. If those muppets can do it, why can't Intel and the laptop manufacturer for the AMT password?

    Management Engine was a stupidly complex solution for a fairly minor problem and a classic case of cognitive bias. We have a problem - we're good at making new CPUs - let's use one!
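Both hoola's point (an IT team should change the default before commissioning, but randomising per machine is an overhead) and the suggestion above (a unique factory-style password per device, as ISPs do for routers) come down to the same two routines: check a candidate against the MEBx password policy, and generate one per asset that passes it. The code below is an added example, not anything from the article, Intel or the commenters. The policy it enforces (8 to 32 characters; uppercase, lowercase, digit and special character required; double quote, comma and colon not accepted) is taken from public Intel provisioning guides and is an assumption to verify against the MEBx version on your own fleet; the asset tags are constructed. The generated values are meant to be escrowed in a vault keyed by asset tag, which is what makes per-device passwords manageable at scale.

```python
import secrets
import string

# MEBx/AMT admin password policy as commonly documented (an assumption here:
# confirm against the firmware actually shipped before relying on it).
MIN_LEN, MAX_LEN = 8, 32
FORBIDDEN = set('":,')                      # characters MEBx is documented to reject
SPECIALS = "".join(c for c in string.punctuation if c not in FORBIDDEN)
ALPHABET = string.ascii_letters + string.digits + SPECIALS

FACTORY_DEFAULT = "admin"                   # the widely documented MEBx factory default


def policy_violations(password):
    """Return the list of policy rules the password breaks (empty list = accepted)."""
    problems = []
    if password == FACTORY_DEFAULT:
        problems.append("factory default")
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be %d-%d" % (MIN_LEN, MAX_LEN))
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    bad = sorted(set(password) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: %s" % "".join(bad))
    return problems


def generate_mebx_password(length=20):
    """Draw from the OS CSPRNG until a candidate satisfies every policy rule."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length outside MEBx limits")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


def provision_fleet(asset_tags):
    """One distinct MEBx password per asset tag, ready to be written to an escrow vault."""
    return {tag: generate_mebx_password() for tag in asset_tags}


if __name__ == "__main__":
    # Constructed asset tags, not a real inventory.
    for tag, pw in provision_fleet(["LT-0001", "LT-0002", "LT-0003"]).items():
        print(tag, pw, policy_violations(pw) or "ok")
```

The rejection loop in `generate_mebx_password` is cheap because a 20-character draw from this alphabet almost always contains all four classes; the loop exists so the function never returns something the firmware would refuse at the MEBx prompt.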

  30. Zippy's Sausage Factory

    I'm guessing Intel will say "not a big issue as it requires access to the laptop."

    Clearly they've never been to Starbucks and seen someone leave their PC unattended while they pop for a pee...

  31. This post has been deleted by its author

  32. Anonymous Coward

    BIOS passwords

    The BIOS passwords on every Dell I've messed with that had one set was easily bypassed using a password generator:

    http://www.tech-faq.com/reset-dell-bios-password.html

  33. Anonymous Coward

    Intel need to stop shoving cr*p into their designs

    Maybe if every CPU manufacturer kept it simple and secure, we could someday have Machine Independent Operating Systems which sit atop wrapper layers providing services like AMT, if that's what corps want for their machines?

  34. Walter Bishop Silver badge
    Facepalm

    Re: Intel need to stop shoving cr*p into their designs

    "Maybe if every cpu manufacturer kept it simple and secure"

    The problem is chiefly complexity and the propensity to add even more features to differentiate the product from their competitors. And the fact that there are little to no sanctions for shipping such defective product.

    Does Intel actually have a department dedicated to finding bugs (or errata, as they refer to bugs in their internal documents) in their processors, instead of waiting on reports from some third party security researcher?

    Meltdown and Spectre and similar types of bug are a result of the attempt to squeeze some more speed-of-execution out of the basic x86 design. Maybe Intel should move to a simple RISC CPU that communicates with others through high speed bidirectional asynchronous serial lines and run the OS on top of this as a virtual machine. Let's call the architecture the Transputer. Each manufacturer could create a unique configuration in the chipset; that way there wouldn't be the danger of a virus infecting its way through a monoculture.

  35. Loud Speaker Bronze badge

    Re: Intel need to stop shoving cr*p into their designs

    "Does Intel actually have a department dedicated to finding bugs"

    Possibly. The problem would appear to be that they have a great many departments dedicated to implementing bugs.

  36. P. Lee Silver badge
    Coat

    Physically Separate, Dedicated, Management Interface

    Job done.

  37. ecofeco Silver badge

    Not enough face palm

    Biggest face palm ever.

  38. Anonymous Coward

    Can someone tell me how come this only affects laptops?

  39. pssst3

    Intel isn't the security issue here, people are.

    "as this is most likely unchanged on most corporate laptops"

    This issue is the same problem as leaving the front door of a building unlocked and unattended - lack of physical security. It isn't the fault of the door or the lock manufacturer, but a failure of corporate management to practice due diligence.

    If someone cannot get into a building who should not be there, someone cannot gain physical access to a computer who should not have it, and there is no security system that prevents "inside jobs".

    It has been proven time and time again that shared passwords can not provide high level security, and that data stored on a "personal" computer is insecure, even if it is encrypted in the machine's storage.

    In practice, it would be virtually impossible to have a separate password for every computer in a corporation. Hundreds or thousands of machines are maintained by a staff of dozens with 25% annual turnover. Even if a corporation had its IT department set a BIOS password, it is ridiculous to assume that password would not leak, and there is no simple way to change thousands of passwords.

    In the case of the Intel/BIOS issue, the fundamental architecture of the modern computer is a kludge of insecure components, integrated into an unreliable appliance that is administered by unreliable people with no system of standards that they are held accountable for following.

    The closest thing to a secure PC is one that assumes it has been hacked, has NO firmware configuration and has multilevel secure boot that checks BIOS, kernel, OS and apps every time that the machine is started up. If that machine is connected to a network the network must be equally secured.

    The poor quality software available today, which requires a constant stream of updates and patches, is defective from date of installation through retirement. Of course it has security loopholes.

  40. Jaap Aap

    Why bother? The bitlocker code is probably somewhere on a post-it on the machine itself.

    Anyway, I manage all IT for a small company (about 35 computers). I don't have anything set up to update AMT firmware remotely. We're not even using it.

    So, because I'm tired of all these intel AMT security issues I have decided to use me_cleaner on every bios update from now on. This is of course very handy for systems with an older AMT, that's full of security holes, and that's not getting any updates.

    https://github.com/corna/me_cleaner

  41. jms222 Bronze badge

    Isn't me_cleaner a case of stable and bolted horse ?

  42. Jaap Aap

    Using me_cleaner now may sound like it's too late for this issue. But it will be very handy when the next security issue comes around, next month or so.

  43. Name3

    When will Intel provide patches to allow us to disable Intel AMT, that Minix3 based second CPU is a big open "designed" security hole.

    Either provide CPUs without Meltdown and AMT, provide a patch to disable AMT or give us a refund, so that I can buy from a competitor.

Biting the hand that feeds IT © 1998–2018