Back in 2016, we published a good technological explainer about Intel’s Management Engine, an evolution of the decade-plus old idea of “Trusted Computing,” in which a separate, isolated system-on-a-chip lives alongside of your computer, performing cryptographic work and overseeing the functions of your computer.
Conceptually, this idea has some real utility (an example of it can be found in the introspection engine that Bunnie Huang and Ed Snowden are collaborating on), but the devil is in the details: trusted computing can also be used to take away control from the computer’s users, allowing corporations to shut out their rivals (even when it works as intended) and allowing attackers to run undetectable, unstoppable code (when the developers make mistakes). So this kind of thing requires both good intentions and perfect technical execution.
Alas, Intel has neither.
Less than a year ago, a terrible series of attacks on Active Management Technology surfaced, which Intel has been scrambling to patch. These attacks were sophisticated and involved real technical wizardry.
But this week, security researchers with F-Secure published a report on a new, dangerous defect in AMT, and this one is a total no-brainer.
Here’s how it works: when you reboot a computer, you can hold down a special key (usually F12) to enter the BIOS menu. From there, if you select Intel’s Management Engine BIOS Extension (MEBx), you can “change the password, enable remote access, and set the firmware to not give the computer’s user an ‘opt-in’ message at boot time.” Basically, you can seize control over the computer in a way that is undetectable and unstoppable for the user.
It’s not hard to mitigate this attack: just set a password for MEBx. Unfortunately, most OEMs don’t do this, so “admin” works on millions of systems. Every system F-Secure tested was vulnerable.
Now, it’s true that you need physical access to effect this attack, but the physical access you need is extremely short, and leaves no trace: starting from a computer that is switched off, you boot it with the F12 held down, enter a few keystrokes and shut it down again. Given that Trusted Computing is supposed to defend against drive-by physical attacks (because the Trusted Computing Module is tamper-evident), this represents a serious inroad against AMT.
Intel’s response amounts to “We keep telling OEMs to set a password for MEBx, but they don’t, so ¯\_(ツ)_/¯.”
Late last month, Intel issued guidelines on best practices for configuring AMT to prevent these and other types of AMT-based attacks on PCs. In the “Q&A” document, Intel acknowledged the problem, but put the onus on PC manufacturers for not properly following Intel’s advice:
If the Intel MEBx default password was never changed, an unauthorized person with physical access to the system could manually provision Intel AMT via the Intel MEBx or with a USB key using the default password. If the system’s manufacturer has followed Intel’s recommendation to protect the Intel MEBx menu with the system BIOS password, this physical attack would be mitigated.
Sintonen said that all the laptop computers he had tested so far were vulnerable to the attack.
Researcher finds another security flaw in Intel management firmware [Updated] [Sean Gallagher/Ars Technica]