The hijacking flaw that lurked in Intel chips is worse than anyone thought

4 Antworten [Letzter Beitrag]
Legimet
Offline
Beigetreten: 12/10/2013
Legimet
Offline
Beigetreten: 12/10/2013

This affects vPro/AMT, specifically.

Soon.to.be.Free
Offline
Beigetreten: 07/03/2016

Even for proprietary software, this seems incredible. Correct if I'm wrong, but- has it taken 7 years for it to emerge that the authentication feature did absolutely nothing AT ALL (except for checking that two 32-bit hashes were the same length)? Even if I'm certain the i5 laptop on which this post is written doesn't have AMT or vPro, that kind of oversight (at best) suggests any trust I had in it was entirely misplaced...

Whoever quipped that the infamous "Intel Inside" stickers reminded them of the "Smoking Kills" ones was perfectly correct, and may very well find their simile reified soon.

danish
Offline
Beigetreten: 02/19/2017

"except for checking that two 32-bit hashes were the same length"
Not quite. It only checks the entered password against the stored password but checking length is what it didn't do. The result is, if I enter a password of one character it checks that character against the first character of the stored password, essentially. This means, without any altering of the login at all you can just type through the alphabet until it grants access. People have been talking about how the ME system is a terrible security concept for years but they didn't care, and they won't start now. I read one guy said they likely leaked this as an excuse to disable the new ME remover technique with an "update."

Soon.to.be.Free
Offline
Beigetreten: 07/03/2016

Thank you for clarifying that- it makes it much clearer why nobody picked it up for so long (although what convinced them to use the said comparison function is still beyond comprehension...).

As for your point in regards to caring, you're unfortunately probably right. The most mainstream news source I've seen carry this was Slashdot, and even then I suspect many readers probably aren't greatly moved by this revelation (disclaimer: I do have a ME-enabled device presently, so perhaps that's hypocritical to say). Perhaps it's a little too much to propose there were malicious motives behind it, but it can't be ruled out...