Intel AMT bug bit Siemens industrial PCs

You don't need state-sponsored hackers to crack industrial control systems, just an empty Intel AMT login – something Siemens started patching against last week. The bug in Intel's Active Management Technology emerged in June. It allowed a user to exploit AMT features with an empty login string, and has been shipping in …

  1. John Smith 19

    "intel Inside"

    Spying on you.

    "which was vulnerable to crafted packets over HTTP or HTTPS"

    IOW someone had botched the implementation of an HTTP/HTTPS parser.

    Question is was it written in house by Siemens or did they use a library from someone else?

    If the latter then potentially anyone else who did will also inherit that set of flaws.

    1. schmerg

      Re: "intel Inside"

      No, it wasn't the HTTP parser that was botched, it was the password check code. It effectively checks the number of characters of password received against the actual password, and if there are no discrepancies, then it lets you in. Hence a constructed HTTP packet of a login with a zero length password gets you in.

      And the code was written by Intel - this is built into the chips but is NOT using the x86/x64 CPU (which is one of the things that makes it particularly nasty).

      See more details here

      https://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/

      1. Anonymous Coward

        Re: more details here

        And/or go direct to the source: Charlie Demerjian at SemiAccurate:

        http://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/

        "The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.

        First a little bit of background. SemiAccurate has known about this vulnerability for literally years now, it came up in research we were doing on hardware backdoors over five years ago. What we found was scary on a level that literally kept us up at night. For obvious reasons we couldn’t publish what we found out but we took every opportunity to beg anyone who could even tangentially influence the right people to do something about this security problem. SemiAccurate explained the problem to literally dozens of “right people” to seemingly no avail. We also strongly hinted that it existed at every chance we had.

        [continues]"

        and the next day,

        http://semiaccurate.com/2017/05/03/consumer-pcs-safe-intel-meamt-exploit/

        "Are consumer PCs safe from the Intel ME/AMT exploit?

        TLDR; There is a remote control mechanism in hardware that cannot be fully disabled and you cannot get Intel hardware without it. So while this patch may fix the current vulnerability this situation points to the urgent need for hardware diversity.

        Monday SemiAccurate brought you news of a critical remote exploit in all 2008+ Intel CPU’s. Today we will walk you through a chain of thought based on further investigation on how it could be exploited.

        Confidence Levels:

        While this is only analysis we will note that we believe this is in the wild right now. We would like to make very clear that none of the information here has been publicly proven. However, follow us on an excursion and let us know if you come to a different conclusion. Or if you have other enlightening information, please send it our way.

        [continues]"

        Share and enjoy.

        1. h4rm0ny

          Re: more details here

          One of the most interesting parts of that very good article was Semi-Accurate's belief that the bug was still there at the request of State Intelligence organizations. They cannot prove it but they support it with some good argument.

          Which makes the opening paragraph of this article a little misjudged. There's a strong probability that the AMT flaw IS the result of state interference.

        2. Alan Brown

          Re: more details here

          I'd be a lot happier about going to semiaccurate.com if the https version didn't have a _revoked_ security certificate.

          1. Anonymous Coward

            Re: security certificate

            "I'd be a lot happier about going to semiaccurate.com if the https version didn't have a _revoked_ security certificate."

            Interesting. As the IT people often say, "it works for me".

            As the IT people rarely say, "how would I investigate further?" Me: Win7 Pro (up to date), Firefox 54.0.1 (up to date).

      2. John Smith 19

        " It..checks the number of characters of password received against the actual password,

        and if there are no discrepancies, then it lets you in."

        Just to be clear you're implying that they don't even check the actual password against the entered password? Are you sure that's what you mean as that's a real "WTF?" moment right there.

        On the upside that limits the bug to Siemens systems only.

        "And the code was written by Intel - this is built into the chips but is NOT using the x86/x64 CPU (which is one of the things that makes it particularly nasty)."

        I am aware of this. But Intel still mfg the chip, even if they basically cut and pasted the MIPS processor, and its code, without any apparent pen testing.

        1. bazza

          Re: " It..checks the number of characters of password received against the actual password,

          Just to be clear you're implying that they don't even check the actual password against the entered password? Are you sure that's what you mean as that's a real "WTF?" moment right there.

          Unless things have changed since I last read about it; they do check the entered password against the set password, but only if the entered password has more than zero characters. Give it a zero length password and it thinks that everything is a-ok. It was down to a misuse of the strcmp() function.

          It's a serious cock up. Knowing the basic architecture and functionality many people have been theorising about the possibility of this kind of bug, but this was an absolute peach. There's going to be more I suspect.
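The bug class described in the two comments above (a length-bounded comparison whose bound comes from the untrusted login string, so an empty string compares zero bytes and passes), shown beside a fixed-length constant-time check. This is an added illustration written for this thread, not Intel's firmware code; the digest value is a constructed sample.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Flawed check modelled on the bug class discussed above: the number of
 * bytes compared is taken from the received string, so an empty (or merely
 * prefix-matching) response compares too few bytes and is accepted. */
bool flawed_response_check(const char *expected, const char *received)
{
    size_t len = strlen(received);            /* bound chosen by the client */
    return strncmp(expected, received, len) == 0;
}

/* Hardened check: the length must equal the expected digest length and
 * every byte is compared in constant time, so neither an empty response
 * nor a partial match is ever accepted. */
bool hardened_response_check(const char *expected, const char *received)
{
    size_t want = strlen(expected);
    if (strlen(received) != want)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < want; i++)
        diff |= (unsigned char)(expected[i] ^ received[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed sample digest, not a real credential. */
    const char *expected = "0123456789abcdef0123456789abcdef";
    const char *inputs[] = { "", "01234567", expected };
    for (size_t i = 0; i < 3; i++) {
        printf("response \"%s\": flawed=%s hardened=%s\n", inputs[i],
               flawed_response_check(expected, inputs[i]) ? "ACCEPT" : "reject",
               hardened_response_check(expected, inputs[i]) ? "ACCEPT" : "reject");
    }
    return 0;
}
```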

        2. Anonymous Coward

          Re: " It..checks the number of characters of password received against the actual password,

          "On the upside that limits the bug to Siemens systems only."

          Why do you draw that conclusion? Everything else I've seen says that any Intel-based kit with the affected Intel chipsets is affected, regardless of whose badge is on the system.

          "Just to be clear you're implying that they don't even check the actual password against the entered password? Are you sure that's what you mean as that's a real "WTF?" moment right there."

          Apparently correct. Absolutely a WTF moment, and yet people aren't paying attention.

          "Code dive You can remotely commandeer and control computers that use vulnerable Intel chipsets by sending them empty authentication strings.

          You read that right. When you're expected to send a password hash, you send zero bytes. Nothing. Nada. And you'll be rewarded with powerful low-level access to a vulnerable box's hardware from across the network – or across the internet if the management interface faces the public web."

          from https://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/

  2. Anonymous Coward

    If the vulnerability cannot be removed by software

    then where is the hardware recall?

    1. kain preacher

      Re: If the vulnerability cannot be removed by software

      Only for the big customers if any. You have Atom chips that die at random. Borked chip sets for broad band modems. Oh and the cherry on the top. Chips that can be hacked going back 8 plus years. Time to ban Intel from military contracts.

    2. dnicholas

      Re: If the vulnerability cannot be removed by software

      On eleventy billion machines?

    3. h4rm0ny

      Re: If the vulnerability cannot be removed by software

      >>then where is the hardware recall?

      This is absolutely huge. A product recall would put a big dent in even Intel's enormous pockets.

  3. kain preacher

    Recall ?

    You hear that? That is the sound of activist investors getting ready to sue Intel if they do a recall. I do believe Carl Icahn owns stock in Intel.

    1. Anonymous Coward

      Re: Recall ?

      "the sound of activist investors getting ready to sue Intel if they do a recall."

      And in the other corner, the sound of investors in Dell, HP, etc, getting ready to sue these companies if they/Intel don't do a recall (re AMT, Atom, whatever other defective products Intel may have shipped recently).

      Seems like the only way ought to be down for INTC.

      1. kain preacher

        Re: Recall ?

        And in the third corner class action lawyers lining up to say hey we will look out for you the little guy. I have a funny feeling that Intel is going to help some attorneys fund their 2nd or 3rd house and swimming pool full of cash. And that's just on this side of the pond. No telling what the EU might do. I do believe the phrase not fit for purpose comes to mind.

    2. Mpeler

      Re: Recall ?

      Icahn. I sue. I sell.

      Total Recall...

      Let the games begin, with the corporate locusts.

      AMT for thee, but not for me.

  4. Voland's right hand

    Seems like the only way ought to be down for INTC.

    According to an 800 pound gorilla acquaintance of mine - size matters.
