This doesn't seem like an exploit to me, it seems like saying that your Wi-Fi AP has a security flaw because you didn't change the default password from admin/admin.
And it is worse than that: you have to have physical access to the machine. If you give a hacker physical access to a machine it's pretty much toast.
It's about enabling a backdoor of sorts in your laptop behind your back.
Let's say you're at a hotel with your laptop. It has full device encryption enabled and the BIOS is protected with a password and it has all the shebangs to protect your laptop -- so you should be safe, right?
Someone distracts you for 30 seconds while an accomplice backdoors your laptop with this vulnerability.
Five minutes later, while you're happily browsing Hacker News with your laptop using the hotel Wi-Fi, the attacker has full and unrestricted access to your laptop via the very same hotel Wi-Fi.
The number negative-one rule in security is defense-in-depth. Even when you have a layer where a breach is considered catastrophic (physical access, behind the firewall...), you still add whatever measures you can to mitigate the potential impact.
What adtac said. If I let someone have physical access to any computer I own I fully expect to be compromised.
And here the issue is, as I understand it, I would have had to have left that AMT part in place with a default password. I get that it is geeky and maybe there should be a process where when you buy a new laptop they set the password to some unique thing and give you a sticky note with the password on it. I get that a lot of people won't know to change the management password, but that's an educational issue, just like people had to be taught to not use "1234" or "admin" as their login password.
Still seems like an overhyped issue, but I guess that is part of the educational process.
I don't feel like this rises to the level of Meltdown or Spectre.
I understand your sentiment, but I would argue that this is a flaw. Vendors need to account for users' ability to notice and assess these sorts of details. While it's true that most/all defenses eventually fail to a determined attacker with unrestricted physical access, most users wouldn't suspect it'd be so easy for someone to orchestrate the attack in their presence without attracting notice.
Leaving AMT enabled with a default local password when it hasn't been explicitly provisioned is an oversight by the system manufacturers. Expecting users (particularly outside the enterprise environment) to discover the necessary security precautions (without any notable cues) is a problem.
Education may be a short-term solution, but it's no substitute for repairing the user experience, e.g., by disabling unused AMT features (and preventing them from being re-enabled without authenticated access to a pre-boot or other system management environment). Save AMT security for the subset of system owners that need to take advantage of the feature.
I've got 4 dogs and live in a rural area. You'd have to be batshit crazy to want to mess with my stuff.
That said, it's a silly argument. If you don't secure your devices then you're gonna have a bad time. Just a fact of life, it's always been that way. Give a hacker physical access to a box and enough time and they are getting in. I do it routinely if I forgot a root password: boot Knoppix, fix the root password on the boot disk, reboot.
I think what you're missing is that if you don't use AMT, all of the other boot security built into the system can be bypassed. Presumably this is important because if you don't want to use AMT you probably would assume that it's secure by default, but it turns out it's not.
I see it as somewhere in-between. It is one more thing on a long list of things that are easy to forget when setting up a new machine. I do stuff related to this for a living and miss things sometimes[1].
It is not unreasonable for someone to expect setting up a BIOS password to mean all management functions should require it. Unfortunately, reality is such that, depending on platform, the answer will be, "oh, you meant those management functions, too. Yeah, no, you also have to stick a password there."
So yes, this falls under "documented behavior." It also falls under "unfriendly, annoying complexity that shouldn't be foisted on non-professional users", and possibly worse.
It all goes back to the ME being forced down everyone's throats. It means continued insecurity everywhere; the same deal with AMD means no choice. I'd love to see a foreign competitor - at least then one would be able to choose who sniffs their panties.
[1] Most recently, with a home storage system. I built it some time back, and later, after moving stuff around, switched the network port I had it plugged into. I monitor my own network, including IP sweeps, which is the only reason I noticed the SuperMicro motherboard had grabbed a second IP address and was running a ME webapp with a default password.
Now, on one hand, I should have read the manual. Building a machine from components requires a certain degree of paying attention, and I didn't. On the other hand, this is an absurd default. In 2018, no system should ship out of the box with a giant Root Me Please! welcome mat.
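The footnote above describes the one control that caught the stray management interface: a routine sweep of your own network, compared against what you expect to be there. The following is an added example, not code from anyone in this thread, of that comparison as a small audit script. It assumes a constructed sweep result in the form "IP MAC open_ports" (one host per line) and a known-host inventory keyed by IP; neither the format nor the sample hosts come from the thread. The management port numbers (623 for IPMI/RMCP, 16992-16995 for Intel AMT) are standard assignments; the "one MAC, two IPs" rule is a heuristic, since a shared-NIC management controller presents that way, while a BMC with its own NIC shows up as a brand-new host.

```python
"""Audit a network sweep for unknown hosts and exposed management interfaces.

Assumptions (not from the thread): sweep lines look like
    <ip> <mac> <comma-separated open ports | ->
and an inventory is the set of IPs we expect to see.
"""
from __future__ import annotations

from dataclasses import dataclass

# Well-known out-of-band management ports (standard assignments).
MGMT_PORTS = {
    623: "IPMI/RMCP",
    16992: "Intel AMT HTTP",
    16993: "Intel AMT HTTPS",
    16994: "Intel AMT redirection",
    16995: "Intel AMT redirection (TLS)",
}

# Constructed sample sweep: .11 and .12 share a MAC (shared-NIC controller
# style), .50 is an unknown box answering on an IPMI port.
SAMPLE_SWEEP = """\
# ip              mac                ports
192.168.1.10      aa:bb:cc:00:00:10  22,443
192.168.1.11      aa:bb:cc:00:00:11  22,16992,16993
192.168.1.12      aa:bb:cc:00:00:11  -
192.168.1.50      aa:bb:cc:00:00:50  80,443,623
"""
SAMPLE_INVENTORY = {"192.168.1.10", "192.168.1.11"}


@dataclass
class Host:
    ip: str
    mac: str
    ports: set[int]


def parse_sweep(text: str) -> list[Host]:
    """Parse sweep lines into Host records; '-' means no open ports seen."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, *rest = line.split()
        ports: set[int] = set()
        if rest and rest[0] != "-":
            ports = {int(p) for p in rest[0].split(",")}
        hosts.append(Host(ip, mac.lower(), ports))
    return hosts


def audit(hosts: list[Host], inventory: set[str]) -> list[tuple[str, str]]:
    """Return (ip, reason) findings worth a human look."""
    findings = []
    ips_by_mac: dict[str, list[str]] = {}
    for h in hosts:
        ips_by_mac.setdefault(h.mac, []).append(h.ip)

    for h in hosts:
        if h.ip not in inventory:
            findings.append((h.ip, "not in inventory"))
        exposed = sorted(h.ports & set(MGMT_PORTS))
        if exposed:
            desc = ", ".join(f"{p} ({MGMT_PORTS[p]})" for p in exposed)
            findings.append((h.ip, "management port(s) exposed: " + desc))
        # Heuristic: one MAC answering on several IPs is how a management
        # controller sharing the host NIC tends to show up.
        others = [ip for ip in ips_by_mac[h.mac] if ip != h.ip]
        if others:
            findings.append((h.ip, f"MAC {h.mac} also answers as {', '.join(others)}"))
    return findings


def run_sample_audit() -> list[tuple[str, str]]:
    """Audit the constructed sample against the constructed inventory."""
    return audit(parse_sweep(SAMPLE_SWEEP), SAMPLE_INVENTORY)


if __name__ == "__main__":
    for ip, reason in run_sample_audit():
        print(f"{ip:16} {reason}")
```

Feed it the output of whatever sweep you already run; the value is in running it on a schedule and diffing, so that a device that quietly acquires a second address or starts answering on 623 or 16992 shows up as a new finding rather than waiting to be noticed by luck.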
I agree with everything you said. The defaults are just wrong; it should not have any web server at all with a default password. That's an easy software fix.
So, if I understand correctly, it allows bypassing the BIOS password? Are there people relying on those? I may understand it's a bit more secure on a laptop, but on a desktop you just have to remove the BIOS battery to reset the password, anyway. Better to encrypt disks and rely on OS authentication (plus, it's easier to do for non-experts).
EDIT: on second reading, I realize the real problem of the thing is to allow for remote control, provided one can access machine ports.
If you have access to the battery then you have access to the flash chip as well.
Using the right clamp (SOP8 usually) you can reflash the thing in a matter of seconds (I did).
Even if you have a BIOS password and everything locked down, the attacker can actually lock you out or quickly give themselves a backdoor. The problem is that there are a million ways in, they're open by default, and it is really hard to keep track of everything you have to lock down, and the manufacturers keep adding new ones while you're not looking.
The right way for the manufacturers to set this up is
* Everything locked down by default
* One master password for complete control
* Using the master password you can delegate control for users, technicians, applications etc.
* If you forget the master password you can reset it using a switch or something you cannot access without opening up the machine which you cannot do while it is physically locked
But in reality there's all these management 'solutions' that have to be on by default and then there are the anti theft solutions, the secure boot restrictions, the 'trusted' platform, the list goes on. And then for the master password there's of course a backdoor password the helpdesk people can get if you can convince them the laptop is yours and you just forgot the password.
I suppose "update AMT password defaults" is good, non-obvious advice to spread.
But it does feel a bit rich to describe physical access and a default password as the stuff of a security professional's "worst nightmares". "Physical access means control" has been a standard assumption for years, and this really just constitutes a failure to secure all login channels. It's a particularly silly description when Spectre and Meltdown are busy being actual "worst nightmares" threats.
On almost any machine with MEBx you can just mash the boot options key right after power on, and while on a properly locked-down machine you won't be able to change the boot order, you will be able to select MEBx.
Am I missing something or is this just clickbait?