Hacker News new | ask | show | jobs
by maxbond 2234 days ago
Physical access is just such a rich attack surface that keeping your computer away from malicious actors is the right and proper solution.

An extreme example a pentester imparted to me once was, if someone could spend sufficient time alone with my laptop, they could remove my hard drive and insert it into an identical laptop with a hardware or firmware backdoor preinstalled. We were discussing nation-state adversaries, but the general principle applies.

Another example is attacks on encrypted drives (so-called "evil maid" attacks). If a computer is booted and the drive is decrypted, an attacker with physical access could open the computer, remove the RAM, and download it's contents, thereby stealing the encryption key. If the computer is powered down, it's still vulnerable to other attacks; enrypted drives necessarily have cleartext code for accepting the password & decrypting the drive. You could modify this code to log the decryption key, or broadcast it over your device's radios.

There's also the classic Windows "sticky key" exploit, where you replace the sticky key binary with a program that gives you administrator access, reboot the computer, and then activate sticky keys.

You could install a keystroke logger. You could install a device to record monitor output. You could log network traffic.

I've yet to find a kiosk environment that I couldn't break out of. Once I was able to break out of a scanning kiosk environment, and into a Windows desktop, by turning the quality settings all the way up and crashing the kiosk. That was one of the more difficult examples; most of the time all you need is to find a way to right-click. (I had the proper authority to investigate these kiosks.)

The point is that the list goes on.

It is true, as you say, that there has been progress in implementing mitigations, and that there are people who care deeply about these issues. A counterexample might be SIM cards, TPMs, and other HSMs. These systems are able to provide better guarantees by encapsulating their peripherals and being willing to self destruct. But that could describe a cell phone, tablet a laptop, too.

Maybe in the future this "law" won't be so hard and fast.
3 comments
mjg59 2234 days ago
> Physical access is just such a rich attack surface that keeping your computer away from malicious actors is the right and proper solution.

Keeping attackers away from your computer is certainly the best solution, just as keeping your computer off the network is the simplest answer to avoiding network security issues. But that's not always an option, so we still need to care about it.

> An extreme example a pentester imparted to me once was, if someone could spend sufficient time alone with my laptop, they could remove my hard drive and insert it into an identical laptop with a hardware or firmware backdoor preinstalled.

That'll be detected with any properly implemented remote attestation solution (switching the machine will change the endorsement key, so attestation will fail)

> If a computer is booted and the drive is decrypted, an attacker with physical access could open the computer, remove the RAM, and download it's contents, thereby stealing the encryption key.

Removing soldered-on RAM from a motherboard fast enough to maintain the contents is not a straightforward attack. Not theoretically impossible, but you're not going to have a good time of it.

> If the computer is powered down, it's still vulnerable to other attacks; enrypted drives necessarily have cleartext code for accepting the password & decrypting the drive. You could modify this code to log the decryption key, or broadcast it over your device's radios.

Will be detected via remote attestation.

> There's also the classic Windows "sticky key" exploit, where you replace the sticky key binary with a program that gives you administrator access, reboot the computer, and then activate sticky keys.

How do you do that with an encrypted drive? Look, yes, it's not easy to guard against physical attacks. But some organisations that genuinely do have to deal with state level attackers care about physical security and care about mitigating it, and we have moved well beyond the "physical access means you've lost" state of affairs. Finding new cases that allow attackers with physical access to subvert our understanding of the security boundaries of a machine is of significant interest.

link
maxbond 2233 days ago
You raise some interesting points, and have force me to question my assumptions that this is simply a lost cause.
link
ryan-c 2234 days ago
> they could remove my hard drive and insert it into an identical laptop

Does that make having a layer of stickers on one's laptop also a layer of defense?

link
AnthonyMouse 2234 days ago
Stickers are an inconvenience, especially when applied over a screw hole required for disassembly or similar, but it's not exactly cryptographically secure. What stops the attacker from buying the same sticker as you, or taking a good picture of it before destroying it and printing a new one off?
link
mjg59 2234 days ago
An example is using glitter-containing nail polish to cover the screws, taking a high resolution picture and then having an app that checks whether the glitter particles are still in the same position. There are companies selling solutions along these lines.
link
AnthonyMouse 2234 days ago
I guess at that point you're basically asking whether it's possible to make higher resolution printers than cameras, but considering you can in principle do printing using lithography similar to what they use to make semiconductors, that's probably going to win over the average phone camera. Although you're obviously then talking about a much more sophisticated attack.
link
mjg59 2234 days ago
It's not just a matter of printing, it's a matter of placement. If you can carry equipment of that calibre into a hotel room and do the swap then that'll defeat things, but it's not clear that that's realistic.
link
AnthonyMouse 2234 days ago
You wouldn't necessary need it to be in the hotel room. You sneak in, take a picture, have the lab down the street reproduce it, come back in a half hour and make the swap.

That's also assuming you would actually need that level of sophistication. It's plausible that there is a level of printing technology somewhere between "crappy inkjet" and "semiconductor fab clean room" that could still fool a phone camera.

There is also the possibility of accessing the inside of the machine without tearing the sticker. You think they're going to disassemble it by removing the screws, but they actually disassemble it by slicing off a section of the case with a sharp blade and then epoxying it back together. Or make their modifications through the cooling vents.

And that's really the other problem too. If you don't know how they're going to do it, you don't know what to look for to detect that they did. Your sticker is intact so you're safe, right? Right?

link
znpy 2234 days ago
First things first: lol.

After that: at this point it's easier to pay a random person to follow you and steal your whole bag/backpack and wallet and make it look like the usual theft.

Or just break into your house/office or whatever.

link
pvg 2234 days ago
You lol but a similar scheme was used for nuclear weapons treaty compliance verification (search for 'epoxy'):

https://www.washingtonpost.com/archive/politics/1988/03/21/a...

link
mjg59 2234 days ago
The point is that even having physical possession of the system shouldn't be enough to get anything useful out of it.
link
tptacek 2234 days ago
Our phones are just small computers, and the notion that the FBI can get things out of them given permanent custody is national news. It's weird that people think this isn't really one of the battle lines in computer security.
link
pella 2234 days ago
cheap tamper protection:

https://mullvad.net/en/help/how-tamper-protect-laptop/

- "Then we paint the border of the sticker with glittery polish. It's important with the glitter because the outcome will always be unique."

- "After the polish has dried, we take a high-resolution photo of each area."

link
ryan-c 2230 days ago
I think you may have missed that my comment was primarilly a terrible pun.
link
tinus_hn 2234 days ago
Not that it is physically secure, but if your disk is encrypted using a key in the TPM chip you can’t just put it in another computer, it won’t boot.

If you have that kind of access it doesn’t really matter though because you can copy the drive, then add a device that monitors the keyboard so you get the key when the user enters it and then you can just clear or disable the TPM chip.

link