by mjg59 2226 days ago
> As a general rule, anyone with physical access to your machine already owns it.

People frequently say this, but never really explain it. As far as I can tell, it translates to "Nobody cares about physical security" - except it's clear that people /do/. Things like Boot Guard are only really relevant to physical attacks. DMA protection in firmware is only really relevant to physical attacks. It's extremely obvious that the industry is attempting to avoid short term physical access to a device being sufficient to compromise it, and research that demonstrates that it's still possible is valuable.


> DMA protection in firmware is only really relevant to physical attacks.

That's a different kind of attack than what people usually mean by "physical access" though. The thing where they drop a bunch of malicious flash drives in the parking lot or put a malicious USB charger in an airport isn't the same thing as the attacker having unsupervised physical access to the machine, and the former is certainly worth defending against even if the latter is hopeless.

> Things like Boot Guard are only really relevant to physical attacks.

One could argue that they are also relevant to purposely locking the device owner into specific operating systems.

As an example of "physical access and you're screwed," one way to compromise a machine is to install a microphone anywhere near the machine and then wait for the user to type their passphrase. It's possible to deduce what keys are being pressed from the sounds they make and the timing, so now the attacker has your passphrase. The same can be done with covert video surveillance.

Another possibility is to measure electromagnetic emissions to much the same effect. Most computer keyboards are not exactly TEMPEST certified and even if they were, someone with physical access could make adverse modifications.

Protecting a machine against unsophisticated attackers is pretty easy, to the point that the likes of Boot Guard are not even required, but protecting a machine against physical access by a sophisticated attacker is pretty hopeless.

Physical access is just such a rich attack surface that keeping your computer away from malicious actors is the right and proper solution.

An extreme example a pentester imparted to me once was, if someone could spend sufficient time alone with my laptop, they could remove my hard drive and insert it into an identical laptop with a hardware or firmware backdoor preinstalled. We were discussing nation-state adversaries, but the general principle applies.

Another example is attacks on encrypted drives (so-called "evil maid" attacks). If a computer is booted and the drive is decrypted, an attacker with physical access could open the computer, remove the RAM, and download its contents, thereby stealing the encryption key. If the computer is powered down, it's still vulnerable to other attacks; encrypted drives necessarily have cleartext code for accepting the password & decrypting the drive. You could modify this code to log the decryption key, or broadcast it over your device's radios.

There's also the classic Windows "sticky key" exploit, where you replace the sticky key binary with a program that gives you administrator access, reboot the computer, and then activate sticky keys.

You could install a keystroke logger. You could install a device to record monitor output. You could log network traffic.

I've yet to find a kiosk environment that I couldn't break out of. Once I was able to break out of a scanning kiosk environment, and into a Windows desktop, by turning the quality settings all the way up and crashing the kiosk. That was one of the more difficult examples; most of the time all you need is to find a way to right-click. (I had the proper authority to investigate these kiosks.)

The point is that the list goes on.

It is true, as you say, that there has been progress in implementing mitigations, and that there are people who care deeply about these issues. A counterexample might be SIM cards, TPMs, and other HSMs. These systems are able to provide better guarantees by encapsulating their peripherals and being willing to self destruct. But that could describe a cell phone, tablet, or a laptop, too.

Maybe in the future this "law" won't be so hard and fast.

> Physical access is just such a rich attack surface that keeping your computer away from malicious actors is the right and proper solution.

Keeping attackers away from your computer is certainly the best solution, just as keeping your computer off the network is the simplest answer to avoiding network security issues. But that's not always an option, so we still need to care about it.

> An extreme example a pentester imparted to me once was, if someone could spend sufficient time alone with my laptop, they could remove my hard drive and insert it into an identical laptop with a hardware or firmware backdoor preinstalled.

That'll be detected with any properly implemented remote attestation solution (switching the machine will change the endorsement key, so attestation will fail)

> If a computer is booted and the drive is decrypted, an attacker with physical access could open the computer, remove the RAM, and download its contents, thereby stealing the encryption key.

Removing soldered-on RAM from a motherboard fast enough to maintain the contents is not a straightforward attack. Not theoretically impossible, but you're not going to have a good time of it.

> If the computer is powered down, it's still vulnerable to other attacks; encrypted drives necessarily have cleartext code for accepting the password & decrypting the drive. You could modify this code to log the decryption key, or broadcast it over your device's radios.

Will be detected via remote attestation.

> There's also the classic Windows "sticky key" exploit, where you replace the sticky key binary with a program that gives you administrator access, reboot the computer, and then activate sticky keys.

How do you do that with an encrypted drive? Look, yes, it's not easy to guard against physical attacks. But some organisations that genuinely do have to deal with state level attackers care about physical security and care about mitigating it, and we have moved well beyond the "physical access means you've lost" state of affairs. Finding new cases that allow attackers with physical access to subvert our understanding of the security boundaries of a machine is of significant interest.
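
The two attestation failures described in the comment above (a swapped machine presenting a different endorsement key, and modified unlock code changing the boot measurements), as an added example that is not part of the original thread. All names and sample values are constructed; verifying the TPM's signature over the quote, and the signing key's binding to the endorsement key, is assumed to happen elsewhere and is not shown.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def replay(event_digests):
    """Recompute a PCR from an event log: PCR = SHA-256(PCR || digest) per event."""
    pcr = bytes(32)  # PCRs start at all zeros after reset
    for digest in event_digests:
        pcr = sha256(pcr + digest)
    return pcr

def verify(enrolled, evidence):
    """Return the reasons attestation fails (an empty list means it passes).
    Assumption: the quote signature was already checked by the caller."""
    failures = []
    # Swapped machine: a different TPM carries a different endorsement key.
    if sha256(evidence["ek_public"]) != enrolled["ek_fingerprint"]:
        failures.append("endorsement key mismatch")
    # The reported event log must reproduce the PCR value the TPM quoted.
    if replay(evidence["event_log"]) != evidence["quoted_pcr"]:
        failures.append("event log does not match quoted PCR")
    # Modified boot code: a measured digest is not one recorded at enrollment.
    if any(d not in enrolled["known_good"] for d in evidence["event_log"]):
        failures.append("unknown boot component measured")
    return failures

# Constructed sample data (not real firmware, boot code, or keys).
FIRMWARE, UNLOCK = b"firmware-v1", b"unlock-prompt-v1"
PATCHED_UNLOCK = b"unlock-prompt-v1-with-key-logging"
EK_ENROLLED, EK_LOOKALIKE = b"constructed-ek-enrolled", b"constructed-ek-lookalike"
ENROLLED = {
    "ek_fingerprint": sha256(EK_ENROLLED),
    "known_good": {sha256(FIRMWARE), sha256(UNLOCK)},
}

def evidence(ek_public, components):
    """What a device would report after booting the given components."""
    log = [sha256(c) for c in components]
    return {"ek_public": ek_public, "event_log": log, "quoted_pcr": replay(log)}

def scenarios():
    return {
        "untouched": verify(ENROLLED, evidence(EK_ENROLLED, [FIRMWARE, UNLOCK])),
        "swapped machine": verify(ENROLLED, evidence(EK_LOOKALIKE, [FIRMWARE, UNLOCK])),
        "patched unlock code": verify(ENROLLED, evidence(EK_ENROLLED, [FIRMWARE, PATCHED_UNLOCK])),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result or 'attestation passes'}")
```
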

You raise some interesting points, and have forced me to question my assumptions that this is simply a lost cause.
> they could remove my hard drive and insert it into an identical laptop

Does that make having a layer of stickers on one's laptop also a layer of defense?

Stickers are an inconvenience, especially when applied over a screw hole required for disassembly or similar, but it's not exactly cryptographically secure. What stops the attacker from buying the same sticker as you, or taking a good picture of it before destroying it and printing a new one off?
An example is using glitter-containing nail polish to cover the screws, taking a high resolution picture and then having an app that checks whether the glitter particles are still in the same position. There are companies selling solutions along these lines.
I guess at that point you're basically asking whether it's possible to make higher resolution printers than cameras, but considering you can in principle do printing using lithography similar to what they use to make semiconductors, that's probably going to win over the average phone camera. Although you're obviously then talking about a much more sophisticated attack.
It's not just a matter of printing, it's a matter of placement. If you can carry equipment of that calibre into a hotel room and do the swap then that'll defeat things, but it's not clear that that's realistic.
First things first: lol.

After that: at this point it's easier to pay a random person to follow you and steal your whole bag/backpack and wallet and make it look like the usual theft.

Or just break into your house/office or whatever.

You lol but a similar scheme was used for nuclear weapons treaty compliance verification (search for 'epoxy'):

https://www.washingtonpost.com/archive/politics/1988/03/21/a...

The point is that even having physical possession of the system shouldn't be enough to get anything useful out of it.
cheap tamper protection:

https://mullvad.net/en/help/how-tamper-protect-laptop/

- "Then we paint the border of the sticker with glittery polish. It's important with the glitter because the outcome will always be unique."

- "After the polish has dried, we take a high-resolution photo of each area."

I think you may have missed that my comment was primarily a terrible pun.
Not that it is physically secure, but if your disk is encrypted using a key in the TPM chip you can’t just put it in another computer, it won’t boot.

If you have that kind of access it doesn’t really matter though because you can copy the drive, then add a device that monitors the keyboard so you get the key when the user enters it and then you can just clear or disable the TPM chip.

An example: MacBook chargers these days have charge ports that are also used for USB devices. This means that if a user plugs in a compromised "charger", it can set its own HID type (and pretend it is a keyboard or a mouse), open a terminal and start typing malware into the computer.

All of this is a bit silly though, because physical intervention implies a level of commitment that lends itself to more reliable approaches: https://xkcd.com/538/

And a thing you can do for machines that have built-in keyboards is refuse to enable new HID devices until the user provides affirmative consent. The people who have reason to care about these attacks have defenses, and research that demonstrates those defenses are incomplete is useful research.
Yeah, that's a good point - I personally have the bad habit of clicking "yes" to that dialogue whenever I see it, since it does sometimes spuriously appear. I certainly wouldn't attempt a teardown of all of the equipment currently plugged into my machine when I saw a message like that. Do you know if HIDs can impersonate other HIDs? E.g., if you attached a dongle to a USB keyboard, could that dongle claim the identity of the keyboard and thereby avoid the prompt?

My favorite "security interface failure" is the fact that OSX apps frequently demand a user login and password in a popup window. E.g., Slack does this. It would be so easy for an app to render this popup (even on a webpage!) and I would totally type my password into it. I feel like the only answer to this is to have a sacred corner of the screen that only the OS is allowed to write to.

This is why NT had a "secure attention key" (ctrl-alt-del) that couldn't be intercepted by an app that might try to display a fake login screen.
It's not that nobody cares about physical security, it's that physical access opens up entire classes of attacks that aren't possible otherwise, like physical keyloggers and bridging airgaps.

If you follow defense in depth as a security architecture philosophy, which the industry does, then you still implement defenses against physical attacks, but you recognize that those defenses are either (1) defenses against opportunists, or (2) last ditch defenses.

There are huge swaths of people who don’t think about physical security at all.

But many do and it’s a difficult problem that impacts the efficiency of the business. I’ve had to deal with it often and at the end of the day, you need to keep important data off of mobile or other client devices, and have controlled workarounds for exceptions.

Some of the tougher compliance standards recognize this and essentially prohibit many types of remote access without the entity owning the remote computer.

The point of the saying is that, try as we might to secure the devices, they can be compromised by someone with physical access (and the right knowledge and tools) in essentially all cases. It is not meant to discourage you from using the best security measures available ON the device, but rather to point out that the only way to truly have physical security is to maintain control OF the device.
These are mitigations, they’re designed to slow down an attack by someone who has physical access to the machine. In many ways they’re a bit like a finely designed padlock; none are ever going to stop a skilled lock pick, but they can slow them down enough to make an attack impractical.