
Intel's Remote Hijacking Flaw Was 'Worse Than Anyone Thought' (arstechnica.com)

An anonymous reader quotes Ars Technica: A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday... AMT makes it possible to log into a computer and exercise the same control enjoyed by administrators with physical access [and] was set up to require a password before it could be remotely accessed over a Web browser interface. But, remarkably, that authentication mechanism can be bypassed by entering any text string -- or no text at all...

"Authentication still worked" even when the wrong hash was entered, Tenable Director of Reverse Engineering Carlos Perez wrote. "We had discovered a complete bypass of the authentication scheme." A separate technical analysis from Embedi, the security firm Intel credited with first disclosing the vulnerability, arrived at the same conclusion... Making matters worse, unauthorized accesses typically aren't logged by the PC because AMT has direct access to the computer's network hardware... The packets bypass the OS completely.

The article adds that Intel officials "said they expect PC makers to release a patch next week." And in the meantime? "Intel is urging customers to download and run this discovery tool to diagnose potentially vulnerable computers."

On Saturday, Ars Technica found more than 8,500 systems with an AMT interface exposed to the internet using the Shodan search engine -- over 2,000 in the United States -- adding that "many others may be accessible via organizational networks."

  1. Predictable outcome by Anonymous Coward · Score: 5, Insightful

    Putting Internet accessible code running over the operating system was a terrible idea and this is the predictable outcome. The implementation was totally brain dead and wasn't even tested beyond "works in correct usage cases." This is the reason projects like Libreboot exist.

    1. Re: Predictable outcome by sexconker · Score: 5, Insightful

      "Let's see a suit and a recall of millions of laptops. I'd love to see Intel out of business"
      Apple laptops aren't affected, even if they run Windows in a VM. The chips that Intel ships to Apple don't have AMT enabled.
      Of course if there is a massive revolt against the OEMs who implemented this because Corporate IT lazy-asses requested it, that means more MacBooks sold, which of course will continue to run on AMT-Free Intel chips.
      Win-Win... but not for Windows.

      The chips that Intel ships to Apple don't have AMT enabled.

      I'm destroying some mods on this thread by posting, but I need to correct your very wrong post.

      It's still physically present. No one except Intel knows what is actually baked into it and what's actually turned on at any given point. That's the fucking problem. That's why we're in this mess to begin with.

  2. Responsibility for such flaws by NuclearCat · Score: 5, Insightful

    When companies bear responsibility for flaws in such features as AMT, encrypted and obfuscated from 3rd-party analysis and management and enabled by default, and pay hefty fines for such screw-ups, they will think twice before making features work in such a way.

  3. And people wonder why . . . by Anonymous Coward · Score: 2, Insightful

    Russian and Chinese government agencies have been passively or actively promoting the development of a domestic semiconductor industry.

  4. Whoopsie? No way by JustAnotherOldGuy · Score: 3, Insightful

    "AMT makes it possible to log into a computer and exercise the same control enjoyed by administrators with physical access [and] was set up to require a password before it could be remotely accessed over a Web browser interface. But, remarkably, that authentication mechanism can be bypassed by entering any text string -- or no text at all..."

    I find it hard, very very hard, to believe that this was an accident or just the result of stupid coding. This was either deliberate or was some carefully planned subversion somewhere along the tool chain.

    --
    Just cruising through this digital world at 33 1/3 rpm...

  5. Re:It's time to hold engineers liable by sjames · Score: 4, Insightful

    The employers aren't currently held responsible either.

    The problem is that the developers have no power over management to make them do the right thing. Unless and until they do, it isn't reasonable to hold them responsible. They can't make their employer do QA tests, they can't make the employer push the schedule back, and they can't prevent the premature release of a product.