| > Physical access is just such a rich attack surface that keeping your computer away from malicious actors is the right and proper solution. Keeping attackers away from your computer is certainly the best solution, just as keeping your computer off the network is the simplest answer to avoiding network security issues. But that's not always an option, so we still need to care about it. > An extreme example a pentester imparted to me once was, if someone could spend sufficient time alone with my laptop, they could remove my hard drive and insert it into an identical laptop with a hardware or firmware backdoor preinstalled. That'll be detected with any properly implemented remote attestation solution (switching the machine will change the endorsement key, so attestation will fail) > If a computer is booted and the drive is decrypted, an attacker with physical access could open the computer, remove the RAM, and download it's contents, thereby stealing the encryption key. Removing soldered-on RAM from a motherboard fast enough to maintain the contents is not a straightforward attack. Not theoretically impossible, but you're not going to have a good time of it. > If the computer is powered down, it's still vulnerable to other attacks; enrypted drives necessarily have cleartext code for accepting the password & decrypting the drive. You could modify this code to log the decryption key, or broadcast it over your device's radios. Will be detected via remote attestation. > There's also the classic Windows "sticky key" exploit, where you replace the sticky key binary with a program that gives you administrator access, reboot the computer, and then activate sticky keys. How do you do that with an encrypted drive? Look, yes, it's not easy to guard against physical attacks. But some organisations that genuinely do have to deal with state level attackers care about physical security and care about mitigating it, and we have moved well beyond the "physical access means you've lost" state of affairs. Finding new cases that allow attackers with physical access to subvert our understanding of the security boundaries of a machine is of significant interest. |