r҉ustic cy͠be̸rpu̵nk🤠🤖 is a user on mastodon.social.
r҉ustic cy͠be̸rpu̵nk🤠🤖 @cypnk

More good news from Intel


“In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

“The essence of the security issue is that setting a BIOS password, which normally prevents an unauthorized user from booting up the device or making low-level changes to it, does not prevent unauthorized access to the AMT BIOS extension.”

Convenience is starting to look like a bad idea

@LottieVixen It’s like the VW mess, but with computers

I don’t understand how something this obvious could have slipped through without someone knowing or saying something

@cypnk Now we have to hope that doing that is adequate to defang the problems. It should. But then, we shouldn't have any of these problems to start with...

@kurtm That's true. But I don't take anything for granted anymore. I can't read the BIOS firmware so I have no idea what voodoo is taking place behind these screens

This is probably a placebo in some ways since "off" doesn't seem to mean that in some cases

@cypnk @kurtm You really ought to try coreboot. It took me about a day to get it up and running, but it's worth the time and effort.

@mkern @kurtm I have on my own laptops, but unfortunately these Thinkpads aren't compatible as far as I know and I don't have permission to test on them

@mkern @cypnk I keep thinking about it. Generally when I check, my model either just flat-out isn't supported, or has some serious gaps in coverage that make me nervous.

@kurtm @cypnk I can recommend x220. After you change the wifi module you can get an almost 100% free (excluding IME) laptop which works perfectly well despite the fact it's from 2012.

@cypnk BIOS passwords were never the right way to provide security though, right? You could always pull out the hard drive and read from the disk without encryption

@cwebber The issue isn't just that though. AMT is part of the remote management utility for systems already deployed in the field

@cypnk Does this affect remote management as well? (IMO AMT is very untrustworthy partly because of its combination of proprietaryness and remote managementness)

@cwebber Yes, but AMT is still widely deployed. The issue (according to the article) is that TPM can be bypassed easily, which means any intruder can inject traffic into or out of any system with AMT enabled

Encryption won't really help here since the system starts pre-boot. So that's a handy backdoor to intercept your keys too

It's a huge mess!