Pentium III serial numbers hacked
On Monday, c't, a German technology magazine, revealed that it had
found a way to read the serial number of Intel's new Pentium III chip
without the owner's knowledge or consent.
Ever since privacy advocates raised an alarm about the new chips'
serial numbers, which can be read by Web sites, Intel has assured the
public that Pentium III owners would be able to use a software tool to
turn the feature off and on and protect their privacy.
But c't's chip specialist, Andreas Stiller, found a way around Intel's
safeguard. Stiller loaded an ActiveX "Trojan horse" (a disguised,
malicious security-breaking program) onto a remote PC over the
Internet. He then circumvented Intel's software tool by abusing a
feature called Advanced Configuration and Power Interface (ACPI) -- a
power-conservation standard created by Intel, Compaq and Microsoft.
"I switched the computer into 'Deep Sleep' mode, and rebooted the
machine, then read the serial number before Intel's software tool was
started," says Stiller.
The problem, it seems, is that the processor's serial number is in the
"on" position by default; it's only Intel's software that blocks the
number. Seth Walker, a spokesman for Intel, responds: "Don't think of
it that way. The number is just there, it's not 'on.'"
In fairness to Intel, if someone manages to load a "Trojan horse" on
your computer, then access to the chip's serial number is probably the
least of your worries. Still, the report won't make Intel's job any
easier as it tries to dispel fears and reassure PC users that their
personal information is safe from prying eyes.
What can users do to protect their privacy? Intel is not just
providing the software tool but also advising computer manufacturers
to switch the serial number off in the BIOS (the first software
instructions a computer loads when it boots up). The proud owners of
new Pentium III PCs can then enable the serial number function using a
custom piece of software from the manufacturer. But not all
manufacturers will disable the serial number in BIOS, and once enabled
it will be very difficult to turn off. Finally, Intel's Walker says,
"We also advise users to choose carefully which Web sites they spend
their time on." When it comes to privacy, it sounds like Intel's
stance is "caveat surfer."
The company has vowed that it will not be keeping a database of the
serial numbers -- although Intel vice president Mike Aymar admits that
"we may be able to tell approximately when and therefore to whom the
processor was sold."
So why did Intel introduce the serial number in the first place? To
help corporations track and manage their PC inventory, and to provide
another level of security for online banking and e-commerce
applications. Banks will be able to use the serial number, together
with user names and passwords, to verify an individual's identity.
Privacy groups such as the Electronic Privacy Information Center
believe that the U.S. government had a hand in Intel's decision.
"We have repeatedly asked Intel if the NSA or the FBI requested them
to include the serial number," says Dave Banisar, policy director for
EPIC. "Their only response is that their largest customers have
requested the serial number."
Of course, Banisar points out, the U.S. government is one of Intel's
largest customers. -- Niall McKay