Time to dump Intel stock for AMD?
(I do not support any particular trades. TechnicalBen takes no responsibility for bad trading or gives no advice. Terms and conditions apply. I commented only as this is starting to look BAAAAAD. :P )
Security shortcomings in Intel's Active Management Technology (AMT) can be exploited by miscreants to bypass login prompts on notebook computers. Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to break into almost any corporate laptop in a matter of 30 …
“Arguably, it's AMD's fault for not being strong enough competition for some years now.”
As far as I can tell, the only way they are weaker is in the marketing department. Intel generally have naming conventions that people think they understand (e.g. 7th gen i3 versus 8th gen i5).
And exactly why is this anything to do with Intel? It may be an Intel product but the issue is a human problem. I would hope that any IT team working with AMT would have changed the default password. If they have not then they are morons.
This is just the same as leaving the default password on a router when every router has the same one.
At a corporate level they cannot randomise the initial password easily due to the overhead to then commission it.
Worked on an Intel led software project between multiple 3rd party companies and it was a total shit show. The most surprising thing to me at the time was that the reference hardware we were supposed to test on was flakier even than the software and would crap the bed regularly. Now not surprising at all. This was back in the high flying Meego days. There were many good reasons why you didn't see many x86 phones/tablets running Meego back then.
It's really quite hilarious how Intel managed to take a very solid and portable base that Nokia had (Debian + Qt) and make all the perfectly wrong decisions so as to add up to a horribly shaky and unportable end product. But man, yeah, you'd think if they could get anything right it would have been the hardware, and yet . . .
Intel NIC firmware is horrid as hell. I had a bunch of NEW X520 and X740 cards that I sold as used on eBay at a loss just because I got tired of dealing with the bugs. It was so bad that they were useless. Went to Chelsio and never looked back. It was so bad that Intel pulled the firmware release. In their infinite wisdom, the firmware flasher made a backup, but there was no way to apply it as you couldn’t downgrade the card once it was flashed! The stupid card would end up removing its own MAC out of its own internal filter and so would just drop all packets.
>This is why you try to stay away from interacting with the HW as much as possible
Exactly what we did, but ultimately rubber had to meet the road and, like a whole bunch of other stuff back then, Intel upper management took one look and was like nope, cut the cord immediately as we suck at mobile. For me, I was just happy to have some work even if contracting during the depths of the great recession, and it got me in the door of another shop just as the shit house burned. Considering back in the semiconductor industry also taught me to stay the hell away from anything Intel.
>But man, yeah, you'd think if they could get anything right it would have been the hardware, and yet . .
Passwords suck as security because anyone can use them. You don't even need to go to a hardware store to make a copy.
A password that is never set from the default is known to thousands.
A password on a corporate machine that is one of many, IF it is set, has the same password as all the other machines.
A physical lock on a computer case, a BIOS that can't be accessed without opening the case: either of these is better security than a BIOS password, because they require an instrument and more time.
If you want a computer to be secure, LOCK IT IN A drawer when you are not using it.
1. AMT, as implemented, was always a bad idea. As with UEFI, it has more to do with reclaiming control over a user's PC than any security measure—security is always the 'justifiable' excuse to take control away from the user. What Intel, Microsoft et al primarily want is to make the PC more proprietary and they have been doing so for years.
2. "I'm starting to wonder if there is anything they bothered to design correctly?"
You're correct. Look at Intel's record, it goes back decades. Now, we've not only Intel's AMT stuff-up but also the other big news that of the monumental problem of the 'Meltdown' and 'Spectre' chip bugs.
3. However, long before these fuck-ups there was the Pentium bug—remember that? What's fundamentally important to remember about the design flaw in the Pentium chip is that the very nature of the bug itself was the result of substandard and irresponsible engineering design—one that any first year engineering student could easily have pointed out.
The Pentium bug was in the ANSI/IEEE floating point standard subsection (the once 8087 IEEE math chip). Essentially, in order to speed up the chip Intel did the unthinkable, instead of implementing proper algorithms to do floating point mathematics as per the 8087, Intel took a shortcut and in part used a lookup table which was inherently prone to errors—and naturally calculation errors manifested themselves.
Whenever I think of this error I wince. It says much about Intel's design philosophy which essentially put profits over data integrity. If Intel were prepared to commit such a cardinal design sin in the name of profit then we should be prepared to expect anything from the company.
Good post. I knew about the maths bug, but I didn't know about the lookup table. Sounds like a typical Intel screw up/shortcut, not that anything they do surprises me. I completely agree with you about Intel's 'design philosophy' being all about the money. They'll do absolutely anything to boost performance by any means in order to compete/appear to beat their rivals, regardless of any consequences no matter how bad they might be for anyone. They originally started off trying to make RAM but that didn't work properly either. It says it all really...
The only things Intel are any good at are PR, hiding behind NDAs to cover up their many mistakes, and using their mountains of cash to portray themselves and their substandard products as the premium choice while crushing the competition.
Some people don't bother to change default passwords, so someone physically present who types in the correct password can access things. This is not in any way Intel's fault, and it's ridiculous to describe "user doesn't bother to change password" as "weak security by manufacturer".
Sorry, but I disagree. We're talking corporate user, meaning someone who has the backing of an IT department which is supposed to have done its job learning what kind of kit it purchased.
This has nothing to do with Joe User who doesn't have a snowball's chance in Hell of understanding what is going on. This is corporate stuff, and corporations are not supposed to be stupid enough to leave admin passwords unchanged.
I bought a “corporate” level laptop from Lenovo because I needed something durable and they offer a great warranty. My laptop thus came with AMT even though I’m my own IT department. So no, not every user that has AMT has a corporate IT department to set it up.
To add insult to injury, it comes loaded with Intel software that tells me that AMT is enabled and secure mode is disabled, but no option in said software to toggle either one!
"If the manufacturer puts in a feature requiring a strong password, then a request to set a strong password should be issued on setting up the system. If not set or left default the option should be disabled."
When setting the AMT password, it insists on a quite strong password including mixed case, numbers, symbols, the usual crap. But only if you actually go into the settings to do that.
Every time my ISP sends me a new router they also give me a semi-random sid and wpa key, if those muppets can do it why can't Intel and the laptop manufacturer for the AMT password?
Management Engine was a stupidly complex solution for a fairly minor problem and a classic case of cognitive bias. We have a problem - we're good at making new CPUs - let's use one!
"Maybe if every cpu manufacturer kept it simple and secure"
The problem is chiefly complexity and the propensity to add even more features to differentiate the product from their competitors. And the fact that there are little to no sanctions for shipping such defective product.
Does Intel actually have a department dedicated to finding bugs (or errata, as they refer to bugs in their internal documents) in their processors, instead of waiting on reports from some third party security researcher?
Meltdown and Spectre and similar type bugs being a result of the attempt to squeeze some more speed-of-execution out of the basic X86 design. Maybe Intel should move to a simple RISC CPU that communicates with others through high speed bidirectional asynchronous serial lines and run the OS on top of this as a virtual machine. Let's call the architecture the Transputer. Each manufacturer could create a unique configuration in the chipset, that way there wouldn't be the danger of a virus infecting its way through a monoculture.
"as this is most likely unchanged on most corporate laptops"
This issue is the same problem as leaving the front door of a building unlocked and unattended - lack of physical security. It isn't the fault of the door or the lock manufacturer, but a failure of corporate management to practice due diligence.
If someone cannot get into a building who should not be there, someone cannot gain physical access to a computer who should not have it, and there is no security system that prevents "inside jobs".
It has been proven time and time again that shared passwords can not provide high level security, and that data stored on a "personal" computer is insecure, even if it is encrypted in the machine's storage.
In practice, it would be virtually impossible to have a separate password for every computer in a corporation. Hundreds or thousands of machines are maintained by a staff of dozens with 25% annual turnover. Even if a corporation had its IT department set a BIOS password, it is ridiculous to assume that password would not leak, and there is no simple way to change thousands of passwords.
In the case of the Intel/BIOS issue, the fundamental architecture of the modern computer is a kludge of insecure components, integrated into an unreliable appliance that is administered by unreliable people with no system of standards that they are held accountable for following.
The closest thing to a secure PC is one that assumes it has been hacked, has NO firmware configuration and has multilevel secure boot that checks BIOS, kernel, OS and apps every time that the machine is started up. If that machine is connected to a network the network must be equally secured.
The poor quality software available today that requires a constant stream of updates and patches, is defective from date of installation through retirement. Of course it has security loopholes.
Why bother? The bitlocker code is probably somewhere on a post-it on the machine itself.
Anyway, I manage all IT for a small company (about 35 computers). I don't have anything set up to update AMT firmware remotely. We're not even using it.
So, because I'm tired of all these Intel AMT security issues I have decided to use me_cleaner on every BIOS update from now on. This is of course very handy for systems with an older AMT, that's full of security holes, and that's not getting any updates.
Biting the hand that feeds IT © 1998–2018