by rhubarbtse 3079 days ago
It's about enabling a backdoor of sorts in your laptop behind your back.

Let's say you're at a hotel with your laptop. It has full device encryption enabled and the BIOS is protected with a password and it has all the shebangs to protect your laptop -- so you should be safe, right?

Someone distracts you for 30 seconds while an accomplice backdoors your laptop with this vulnerability.

Five minutes later while you're happily browsing Hacker News with your laptop using the hotel WIFI, the attacker has full and unrestricted access to your laptop via the very same hotel WIFI.


The number zero rule in security is that if a malicious adversary has physical access to your device, all bets are off.

The number negative-one rule in security is defense-in-depth. Even when you have a layer where a breach is considered catastrophic (physical access, behind the firewall...), you still add whatever measures you can to mitigate the potential impact.

So, no use of Apple/Chrome asking for system passwords to see other saved passwords?

That's to prevent your average Joe from swiping your password.

What adtac said. If I let someone have physical access to any computer I own I fully expect to be compromised.

And here the issue is, as I understand it, I would have had to have left that AMT part in place with a default password. I get that it is geeky and maybe there should be a process where when you buy a new laptop they set the password to some unique thing and give you a sticky note with the password on it. I get that a lot of people won't know to change the management password, but that's an educational issue, just like people had to be taught to not use "1234" or "admin" as their login password.

Still seems like an overhyped issue but I guess that is part of the educational process.

I don't feel like this rises to the level of Meltdown or Spectre.

I understand your sentiment, but I would argue that this is a flaw. Vendors need to account for users' ability to notice and assess these sorts of details. While it's true that most/all defenses eventually fail to a determined attacker with unrestricted physical access, most users wouldn't suspect it'd be so easy for someone to orchestrate the attack in their presence without attracting notice.

Leaving AMT enabled with a default local password when it hasn't been explicitly provisioned is an oversight by the system manufacturers. Expecting users (particularly outside the enterprise environment) to discover the necessary security precautions (without any notable cues) is a problem.

Education may be a short-term solution, but it's no substitute for repairing the user experience, e.g., by disabling unused AMT features (and preventing them from being reenabled without authenticated access to a pre-boot or other system management environment). Save AMT security for the subset of system owners that need to take advantage of the feature.

As I said elsewhere, I agree, the web server shouldn't be enabled with a default password.

> If I let someone have physical access to any computer I own I fully expect to be compromised.

What about if you're sleeping?

I've got 4 dogs and live in a rural area. You'd have to be bat shit crazy to want to mess with my stuff.

That said, it's a silly argument. If you don't secure your devices then you're gonna have a bad time. Just a fact of life, it's always been that way. Give a hacker physical access to a box and enough time and they are getting in. I do it routinely if I forgot a root password: boot Knoppix, fix the root password on the boot disk, reboot.

Why even have full disk encryption then?

If I turn around for 30 seconds and my laptop has rebooted, I might wonder why.