Intel's Management Engine, a secure-computer-within-your-computer, is really, really insecure


#1

Originally published at: https://boingboing.net/2018/01/13/admin-admin.html


#2

Check out this project to cripple all but the mandatory components of the IME:

There are some active FOSS projects to replace this kind of low level software:


#3

If the OEMs set a password, it's guaranteed to be the same for all their computers, so it won't really help.


#4

Intel is still locked into the idea that the OEM sets the system password and locks the user out, permanently retaining control. Which, after all, is what “trusted [1] computing” was about from Day One.

OEMs, on the other hand, had five alternatives:

  1. Don’t set the password
  2. Set it to a documented universal value for that computer type (no more secure than 1, above)
  3. Set it to an undocumented universal value for that computer type (no more secure than 1, above, but much more expensive to support)
  4. Set it to a unique but documented value for that particular computer (secure, but likely to brick the system and horribly expensive to support)
  5. Set it to a unique secret value for that particular computer (secure only for the OEM, expensive, likely to brick the system, and a sales-killer.)

The MPAA would have preferred (5), and that’s what we expected. The OEMs wrote off (2) as worthless and the rest as business suicide. Which is how we got (1).

[1] Later remarketed as “trustworthy computing,” but both before and after about “You trusted us (sucker!)”


#5

Oh gee, people who don't set up a password to protect their BIOS or change the default IME engine password are complaining that anyone who has physical access to a PC can change the IME setup and enable remote access…

People who work in security have known this for years and setting either a BIOS password or changing the IME password prevents it.

Really, really insecure, just like leaving your keys in the lock is insecure, snort.


#6

Last thing I'd ever want is the OEMs setting this password. That would allow them or anyone with that password to do what you describe, and the user would have no way to stop it like they do now.

I'd rather they include instructions to set it when you get your computer and/or make that part of the initial setup process, so users can set it themselves to something only they know, or corporations can set it as desired for the corporation. Setting it at the OEM level prevents both unless they divulge what they set it to, which triggers either the need for a new system to set and track each one individually, or a universal one which is just as insecure as none. No thanks.


#7


#8

Except in this case the key is invisible and most people don’t know it even exists. How many “Welcome to your new computer” setup instructions even mention setting this password?


#9

The ME has saved me from bricking a couple times, which is nice. But holy shit, does it provide a lot of capability to an attacker. Found this on Wikipedia:


#10

You did read the part about setting a BIOS password that prevents anyone from mucking around in your settings (IME or not), and that anyone truly concerned with security would already have set, preventing IME reconfiguration, right? BIOS passwords aren't exactly hidden or secret and yet are extremely rarely set.

Again, this is people like Cory who habitually left a copy of their doorkey under the mat complaining that there is a way for people to unlock his back door from inside his house.


#11

Well, for good reason. Hear me out: the last time I actually needed BIOS access was the fifth of never. On my desktop, I set a password some eight years ago. A password that I do not, at all, remember. No battery to remove on the motherboard, so… Yeah.


#12

set up even if they were decent cough enough to get this on are they not going to have something else going on on the top side


#13

Handwave this all you want, but physical access to your computer is game over - AMT or not. It’s one of the most basic tenets of computer security.


#14

Intel ME is useless to the average user anyway. I don’t even install drivers for it when setting up a new Windows system; it just adds unnecessary bloat (at least one system service iirc). There will be an Unknown device exclamation mark in Device Manager but then you simply disable the device, which seems to be a good idea anyhow.


#15

Note: F2 will usually take you directly into BIOS. F12 takes you to a menu where you can choose to go into BIOS, or boot from CD or other device (USB for example if you have a bootable one installed), or run diagnostics depending on the make/model.

Small quibble I know, but accuracy is helpful.


#16

If you couldn't care less about security, you have no cause to complain when someone with physical access to your kit sets up its IME for remote access.

For those that do care about security, they'd use something like a letter with the BIOS password in a safe, or a password manager like 1password/keepass/…


#17

Setting a BIOS password doesn’t set an AMT password - my employer’s workstations all have a BIOS password to keep people from trying silly things that brick their workstation.

We tested the AMT thing, and it worked just fine, no need to know the BIOS password.


#18

For a wonderful illustration of how general IT folks think differently from security folks - here’s a writeup of the AMT vulnerability from 2011, except that the writer wasn’t a security guy, so it’s entirely seen as a “golly, isn’t this a handy feature” sort of thing.


#19

Could you tell us which PC maker(s) allow AMT reconfiguration without entering the BIOS password?

AMT = Intel AMT. Spurious question edited out…


#20

Do you not agree that it would be better if all software is shipped as secure by default?

Do you take pleasure in seeing other people's computers get hacked/infected because they are not as technically skilled and diligent as you are?

Do you not see that this also affects you? Hacked computers become botnets that also DDoS services you use; the hospital you are staying at could be hit by a ransomware attack.

You can argue that this is not an issue because if you follow best practice there is no possibility to abuse this specific feature. This is technically true (the best kind of true); it is also totally, really unrealistic, because 99% of users don't follow those best practices and never will. You can feel all superior (rightfully so, you're in the 1% of users that even dares to enter the BIOS, good job!) but that will not make us all any more secure.