Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Finds Another Security Flaw In Intel Management Firmware (arstechnica.com)

Posted by BeauHD on from the when-it-rains-it-pours dept.

An anonymous reader quotes a report from Ars Technica: Meltdown and Spectre are not the only security problems Intel is facing these days. Today, researchers at F-Secure have revealed another weakness in Intel's management firmware that could allow an attacker with brief physical access to PCs to gain persistent remote access to the system, thanks to weak security in Intel's Active Management Technology (AMT) firmware -- remote "out of band" device management technology installed on 100 million systems over the last decade, according to Intel. [T]he latest vulnerability -- discovered in July of 2017 by F-Secure security consultant Harry Sintonen and revealed by the company today in a blog post -- is more of a feature than a bug. Notebook and desktop PCs with Intel AMT can be compromised in moments by someone with physical access to the computer -- even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords -- by rebooting the computer, entering its BIOS boot menu, and selecting configuration for Intel's Management Engine BIOS Extension (MEBx).

If MEBx hasn't been configured by the user or by their organization's IT department, the attacker can log into the configuration settings using Intel's default password of "admin." The attacker can then change the password, enable remote access, and set the firmware to not give the computer's user an "opt-in" message at boot time. "Now the attacker can gain access to the system remotely," F-Secure's release noted, "as long as they're able to insert themselves onto the same network segment with the victim (enabling wireless access requires a few extra steps)."

8 of 87 comments (clear)

  1. Firmware vs hardware by ArtemaOne · · Score: 3, Insightful

    Totally different things. I imagine they find software and firmware vulnerabilities all the time. Hardware is difficult to patch around, and obviously comes with the noteable performance hit.

  2. So, the flaw is the user forgot to set the lock? by El+Cubano · · Score: 4, Insightful

    If MEBx hasn't been configured by the user or by their organization's IT department, the attacker can log into the configuration settings using Intel's default password of "admin." The attacker can then change the password

    So, the "flaw" is that the user forgot to set the lock? I am stunned that this is considered a vulnerability/flaw. I mean, when I buy a new gun safe or document safe for my home or office, it comes from the factory with a default combination. I have to set it to one of my choosing. If I choose to not change the default combination, then that is on me.

    Now, you might argue that it should be more like keyless entry for an automobile: the manufacturer sets a code a and provides you a device (key fob) for entry. However, if Intel did that, they would be accused of making their products difficult to use or crippling them (because people would certainly lose their AMT key fobs and Intel would either be unable to recover them, or would charge a fee for the service) or taking advantage of the user (because they would certainly lose the key fob). Plus, that would make it an absolute nightmare for central IT, the target audience for this particular feature.

    The point is that if you are buying machines that have this capability, then you are buying mid-range to high-end business/professional stuff. AMT is not available on entry-level and most consumer gear. Besides, the people who don't bother setting the MEBx password on their systems (assuming they don't have central management through IT) are probably the same sort of people who buy a wireless AP, turn it on and leave the password set to the default and the admin function accessible over the wireless interface.

    Intel has problems, but this one is definitely way down on the list.

  3. Re:move on...requires physical access by Lunix+Nutcase · · Score: 3, Informative

    Not if the system wasn’t left open with a weak password default.

  4. Re:So, the flaw is the user forgot to set the lock by CanHasDIY · · Score: 4, Interesting

    I've worked in the IT field for 15 years - in academia, for financial institutions, for Fortune 500 companies, and at small, locally owned businesses.

    You would balk if you saw how many of the "top companies in America" don't give 2 shits about security, outside of whatever the latest CNN scare story is. I personally find it amazing how some of these corporations will spend tens of thousands of dollars on fancy security equipment.... that they never bother to actually configure.

    You can show your C-levels the lock and hand them the key, but you can't make them set the latch.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  5. Re:AMD by Qzukk · · Score: 3, Insightful

    Getting to the point where I'm going to have to dig out my old VIA-powered Wal-Mart PC to do my banking and such on to ensure security from hackers dropping javascript into my browser.

    At the very least, the slow speed means I'll realize pretty quickly when someone is trying to use it to mine cryptocurrencies.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  6. Re:So, the flaw is the user forgot to set the lock by InvalidsYnc · · Score: 4, Interesting

    I think the main point is that people don't realize that they have a "lock" that they need to change the combination on. Perhaps with additional education people can "check their sh*t" and see if it needs to be changed. Then the bad actor can just look under their keyboard for the PW, but at least it won't be "admin" anymore.

  7. Re:So, the flaw is the user forgot to set the lock by eddeye · · Score: 3, Insightful

    So, the "flaw" is that the user forgot to set the lock? I am stunned that this is considered a vulnerability/flaw. I mean, when I buy a new gun safe or document safe for my home or office, it comes from the factory with a default combination. I have to set it to one of my choosing. If I choose to not change the default combination, then that is on me.

    Bad analogy. The difference here is once the attacker turns on remote monitoring, it occurs silently. There's no indication that it's happened and no way to recover. If you forget the combination to your safe, then 1) it's obvious and 2) you can still retrieve the contents in other ways.

    This is not just a case of "stupid user". It's a poor design on Intel's part. Intel handed them a loaded shotgun with a hair trigger pointed directly at their foot.

    --
    Democracy is two wolves and a sheep voting on lunch.
  8. Obligatory: Intel CPU Backdoor Report (Jan 1 2018) by Anonymous Coward · · Score: 4, Interesting

    Change log:
    2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode with me_cleaner, Blackhat Dec 2017 Intel ME presentation, Intel ME CVEs (CVSS Scored 7.2-10.0)

    Intel CPU Backdoor Report
    The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

    What we know about Intel CPU backdoors so far:

    TL;DR version

    Your Intel CPU and Chipset is running a backdoor as we speak.

    The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

    30C3 Intel ME live hack:
    [Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
    @21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

    [Quotes] Vortrag:
    "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

    "We can permanently monitor the keyboard buffer on both operating system targets."

    Backdoor removal:
    The backdoor firmware can be removed by following this guide using the me_cleaner script.
    Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

    2017 Dec Update:
    Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode, use me_cleanerme_cleaner with -S option to set the HAP bit, see me_cleaner: HAP AltMeDisable bit.

    Decoding Intel backdoors:
    The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

    If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

    Useful links (Added 2018 Jan 1):
    Disabling Intel ME 11 via undocumented HAP mode (NSA High Assurance Platform mode)
    me_cleaner: Set HAP AltMeDisable bit with -S option
    Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
    EFF: Intel's Management Engine is a security hazard, and users need a way to disable it
    Sakaki's EFI Install Guide/Disabling the Intel Management Engine
    Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
    CVE-2017-5689: An unprivileged network attacke