Fractal Design Pop Air RGB Black TG review
Palit GeForce GTX 1630 4GB Dual review
FSP Dagger Pro (850W PSU) review
Razer Leviathan V2 gaming soundbar review
Guru3D NVMe Thermal Test - the heatsink vs. performance
EnGenius ECW220S 2x2 Cloud Access Point review
Alphacool Eisbaer Aurora HPE 360 LCS cooler review
Noctua NH-D12L CPU Cooler Review
Silicon Power XPOWER XS70 1TB NVMe SSD Review
Hyte Y60 chassis review
New Security Flaw Hits Intel, Laptops this time
F-Secure has reported another serious flaw in Intel hardware, which could enable hackers to access corporate laptops. Standard password of Intels Management Engine BIOS Extension are rarely changed and can invoke business laptops vulnerable to unauthorized remote access, claims F-Secure.
Intels Management Engine BIOS Extension, or MEBx, contains the standard log-in combination 'admin', 'admin' and because many users simply do not change it, according to F-Secure this opens the door to an easy to set-up attack. Attackers can open the BIOS Extension during startup with Ctrl + P, even if the user has set a bios password. Then they can manage settings of the Management Engine, reports dw.com.
"The issue potentially affects millions of laptops globally," said F-Secure consultant Harry Sintonen, who discovered the flaw. "It's of an almost shocking simplicity, but its destructive potential is unbelievable."
F-Secure said once an attacker had the chance to reconfigure AMT (for which he would initially need physical access to the device in question), the device could be fully controlled remotely by connecting to the same wireless or wired network as the user.
"No other security measures like full-disk encryption, local firewall, anti-malware software or VPN technology are able to prevent exploitation of this issue," Sintonen warned.
A successful attack would lead to complete loss of confidentiality, integrity and availability, with the attacker able to read and modify all of the data and applications users have access to on their computers, even at the firmware level.
kruno
Senior Member
Posts: 260
Joined: 2017-09-25
Senior Member
Posts: 260
Joined: 2017-09-25
#5510165 Posted on: 01/12/2018 06:58 PM
Cr*p, did they even patched last hole in AMT
Cr*p, did they even patched last hole in AMT
kruno
Senior Member
Posts: 260
Joined: 2017-09-25
Senior Member
Posts: 260
Joined: 2017-09-25
#5510166 Posted on: 01/12/2018 06:59 PM
Hardly,lawsuits in USA has already begun, in any way this "blunders" is going to cost them dearly
So these recent vulnerabilities have been around for the past 10 years. Surely they can't have just been discovered only now. Which begs the question - is this all just a ploy to get people to upgrade to Intel 9th gen processors later this year? Processors which will no doubt be assured by Intel to be much safer and immune to these vulnerabilities? Just think - all those old pentiums and celerons that have been inside business computers (still working just fine) yet now needing to be swapped out and upgraded to ensure full safety on a hardware level. Such a plan could backfire and switch people over to AMD. But then AMD isn't without its vulnerabilities now either... is it? Seems a very convenient way to get people to upgrade if you think about it. And over the last 10 years, who has hacked your machine at hardware level?
Hardly,lawsuits in USA has already begun, in any way this "blunders" is going to cost them dearly
Amaze
Senior Member
Posts: 3989
Joined: 2003-11-15
Senior Member
Posts: 3989
Joined: 2003-11-15
#5510167 Posted on: 01/12/2018 07:00 PM
This isn't a ploy
Ploys usually don't involve ruining your reputation for years to come.
This isn't a ploy
So these recent vulnerabilities have been around for the past 10 years. Surely they can't have just been discovered only now. Which begs the question - is this all just a ploy to get people to upgrade to Intel 9th gen processors later this year? Processors which will no doubt be assured by Intel to be much safer and immune to these vulnerabilities? Just think - all those old pentiums and celerons that have been inside business computers (still working just fine) yet now needing to be swapped out and upgraded to ensure full safety on a hardware level. Such a plan could backfire and switch people over to AMD. But then AMD isn't without its vulnerabilities now either... is it? Seems a very convenient way to get people to upgrade if you think about it. And over the last 10 years, who has hacked your machine at hardware level?
Ploys usually don't involve ruining your reputation for years to come.
Denial
Senior Member
Posts: 13755
Joined: 2004-05-16
Senior Member
Posts: 13755
Joined: 2004-05-16
#5510168 Posted on: 01/12/2018 07:06 PM
This isn't a flaw in Intel hardware also I'm not sure why you posted this article and not the original F-Secure press release. This article states that it requires physical access, which is true - but it also requires the company to not disable AMT and/or change the default username/password for AMT - which is a configuration problem, not a hardware flaw.
The F-Secure article specifically states this:
Intel can fix this by simply updating the default configuration - but companies could also be avoiding this by following best practices for AMT provisioning.
Why can't they just have been discovered just now? Problems with speculative execution have been known for a while:
https://hackaday.com/2018/01/08/speculative-execution-was-a-troublemaker-for-xbox-360/
But the security aspects of those flaws haven't. Like I keep reading people saying "Intel knew about the backdoor but wanted the performance" or whatever - but what about ARM/Apple/IBM/Microsoft/Linux Kernel devs that are also shipping meltdown affected parts and/or knew about speculative execution issues? Or the various security companies that audit this hardware rather frequently?
It was clearly overlooked.
This isn't a flaw in Intel hardware also I'm not sure why you posted this article and not the original F-Secure press release. This article states that it requires physical access, which is true - but it also requires the company to not disable AMT and/or change the default username/password for AMT - which is a configuration problem, not a hardware flaw.
The F-Secure article specifically states this:
Is this a vulnerability?
Technically this is not a vulnerability, but a combination of a default password, insecure default configuration, and unexpected behaviour.
This issue has no CVE number, security update or new version available, yet it affects major vendors and large numbers of laptops. AMT has gained popularity over the past few years, and only the latest security guides from Intel highlight the importance of requiring a BIOS password for local provisioning. We have encountered this issue time and time again, and it is locally exploitable in practical situations even when laptops have otherwise been completely hardened. In other words, while Intel has written extensive guides on AMT, they have not had the desired impact on the real world security of corporate laptops. With this announcement our goal is to raise awareness so organizations can have the opportunity to mitigate the issue and improve security in the real world.
Technically this is not a vulnerability, but a combination of a default password, insecure default configuration, and unexpected behaviour.
This issue has no CVE number, security update or new version available, yet it affects major vendors and large numbers of laptops. AMT has gained popularity over the past few years, and only the latest security guides from Intel highlight the importance of requiring a BIOS password for local provisioning. We have encountered this issue time and time again, and it is locally exploitable in practical situations even when laptops have otherwise been completely hardened. In other words, while Intel has written extensive guides on AMT, they have not had the desired impact on the real world security of corporate laptops. With this announcement our goal is to raise awareness so organizations can have the opportunity to mitigate the issue and improve security in the real world.
Intel can fix this by simply updating the default configuration - but companies could also be avoiding this by following best practices for AMT provisioning.
So these recent vulnerabilities have been around for the past 10 years. Surely they can't have just been discovered only now. Which begs the question - is this all just a ploy to get people to upgrade to Intel 9th gen processors later this year? Processors which will no doubt be assured by Intel to be much safer and immune to these vulnerabilities? Just think - all those old pentiums and celerons that have been inside business computers (still working just fine) yet now needing to be swapped out and upgraded to ensure full safety on a hardware level. Such a plan could backfire and switch people over to AMD. But then AMD isn't without its vulnerabilities now either... is it? Seems a very convenient way to get people to upgrade if you think about it. And over the last 10 years, who has hacked your machine at hardware level?
Why can't they just have been discovered just now? Problems with speculative execution have been known for a while:
https://hackaday.com/2018/01/08/speculative-execution-was-a-troublemaker-for-xbox-360/
But the security aspects of those flaws haven't. Like I keep reading people saying "Intel knew about the backdoor but wanted the performance" or whatever - but what about ARM/Apple/IBM/Microsoft/Linux Kernel devs that are also shipping meltdown affected parts and/or knew about speculative execution issues? Or the various security companies that audit this hardware rather frequently?
It was clearly overlooked.
Click here to post a comment for this news story on the message forum.
Senior Member
Posts: 1320
Joined: 2009-08-19
So these recent vulnerabilities have been around for the past 10 years. Surely they can't have just been discovered only now. Which begs the question - is this all just a ploy to get people to upgrade to Intel 9th gen processors later this year? Processors which will no doubt be assured by Intel to be much safer and immune to these vulnerabilities? Just think - all those old pentiums and celerons that have been inside business computers (still working just fine) yet now needing to be swapped out and upgraded to ensure full safety on a hardware level. Such a plan could backfire and switch people over to AMD. But then AMD isn't without its vulnerabilities now either... is it? Seems a very convenient way to get people to upgrade if you think about it. And over the last 10 years, how many times has your PC been hacked at hardware level?