
posted by janrinok on Saturday August 11 2018, @10:03PM
from the who-watches-your-laptop-when-you-are-in-the-shower? dept.

Submitted via IRC for SoyCow1984

Hacker lore is littered with tales of mysterious attackers breaking into hotels—perhaps at a conference—to get their hands on someone’s laptop with the goal of installing malware on it by physically connecting to the machine. That’s why the more careful hackers never leave their laptops unattended at events, or bring disposable computers with little to nothing valuable on them.

These types of attacks are called evil maid attacks in the infosec world, because the imaginary attacker is someone who has access to your room and malicious intentions. Pwning a laptop via physical access is a true and tested method to hack someone. But there’s no better way to be reminded of how effective and sometimes effortless these attacks can be than an actual demo.

In early July, security firm Eclypsium posted a video showing how Mickey Shkatov, one of its researchers, hacks into a laptop by opening it up, connecting a device directly to the chip that contains the BIOS, and installing malicious firmware on it—all in just over four minutes. That easy. (In some cases hackers don’t even need to open up the laptop).

“Physical attacks are hard to defend against and most people aren’t doing anything to defend against them,” John Loucaides, Eclypsium’s vice president of engineering, told me. “It’s not that hard of an attack to pull off as most people think. It takes less time and less effort than most people realize.”

[...] The good news is that while it’s relatively easy to hack a laptop once you get your hands on it, it’s all the work required to get there (monitoring a target to see where they live or are sleeping, breaking into their room, etc.) that makes these attacks likely rare.

Source: https://motherboard.vice.com/en_us/article/a3q374/hacker-bios-firmware-backdoor-evil-maid-attack-laptop-5-minutes
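The attack in the article works by rewriting the contents of the BIOS flash chip, so the same "make tampering apparent" idea the commenters discuss for the case can be applied to the firmware image itself: dump the chip before travel, dump it again afterwards, and compare. The following is an added example, not code from the Motherboard article or from Eclypsium. It assumes both dumps were taken with an external programmer (a dump read through a possibly compromised OS cannot be trusted), and the region layout and the two sample images are constructed for the demonstration.

```python
"""Tamper-evidence check for two SPI flash (BIOS) dumps.

Added example. Assumes a known-good baseline dump and a later dump of the
same chip, both read with an external programmer. The region offsets and
the sample images are constructed, not taken from any real platform.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int            # exclusive
    volatile: bool = False  # True for regions that legitimately change (e.g. UEFI variable store)


# Hypothetical layout of a 64 KiB image; offsets are constructed for the example.
LAYOUT = [
    Region("descriptor", 0x0000, 0x1000),
    Region("me", 0x1000, 0x4000),
    Region("nvram", 0x4000, 0x6000, volatile=True),
    Region("bios", 0x6000, 0x10000),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def region_hashes(image: bytes, layout=LAYOUT) -> dict:
    """Hash each region separately so a change can be localised, not just noticed."""
    return {r.name: sha256_hex(image[r.start:r.end]) for r in layout}


def compare_dumps(baseline: bytes, current: bytes, layout=LAYOUT) -> dict:
    """Per-region verdict: 'ok', 'modified', or 'changed-expected' for volatile regions.

    A size mismatch is reported on its own: a differently sized image means a
    different chip or a truncated read, and per-region hashes would be meaningless.
    """
    if len(baseline) != len(current):
        return {"image": "size-mismatch"}
    base, cur = region_hashes(baseline, layout), region_hashes(current, layout)
    verdicts = {}
    for r in layout:
        if base[r.name] == cur[r.name]:
            verdicts[r.name] = "ok"
        else:
            verdicts[r.name] = "changed-expected" if r.volatile else "modified"
    return verdicts


def first_difference(baseline: bytes, current: bytes):
    """Offset of the first differing byte, or None if the images are identical."""
    for i, (a, b) in enumerate(zip(baseline, current)):
        if a != b:
            return i
    return None


def make_sample_image(size: int = 0x10000, seed: bytes = b"baseline") -> bytes:
    """Deterministic pseudo-firmware built from a SHA-256 chain (constructed data)."""
    out, block = bytearray(), hashlib.sha256(seed).digest()
    while len(out) < size:
        out.extend(block)
        block = hashlib.sha256(block).digest()
    return bytes(out[:size])


def make_tampered_image(baseline: bytes, offset: int = 0x8000, length: int = 16) -> bytes:
    """Simulate a modified chip by inverting a few bytes inside the BIOS region."""
    patch = bytes(b ^ 0xFF for b in baseline[offset:offset + length])
    return baseline[:offset] + patch + baseline[offset + length:]


if __name__ == "__main__":
    good = make_sample_image()
    bad = make_tampered_image(good)
    print(compare_dumps(good, bad))
    print("first difference at", hex(first_difference(good, bad)))
```

Hashing per region rather than the whole chip matters in practice: the variable store changes on every boot, so a whole-image hash would always differ and the check would be ignored. Flag those regions separately and treat an unexpected change in the code regions as the signal.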


  • (Score: 0) by Anonymous Coward on Sunday August 12 2018, @01:01AM (13 children)

    by Anonymous Coward on Sunday August 12 2018, @01:01AM (#720393)

    Everyone knows that physical access is game over. You'd have to take extreme measures to defend against an evil maid attack, like encasing the whole mainboard in resin after clipping all external connectors. You'd then probably need to severely undervolt/underclock the machine too to deal with heat. This leaves you with a gimped and impractical laptop, not to mention it will probably be (possibly a lot) heavier.

    So what would you Soylentils recommend for a practical defense? Booby trapping your hotel room?

  • (Score: 4, Insightful) by Azuma Hazuki on Sunday August 12 2018, @01:43AM (7 children)

    by Azuma Hazuki (5086) on Sunday August 12 2018, @01:43AM (#720404) Journal

    Lock it in a safe deposit box or something. As you said, physical access is game over, so make it a chore and a half for said evil maid to get it.

    --
    I am "that girl" your mother warned you about...
    • (Score: 1, Interesting) by Anonymous Coward on Sunday August 12 2018, @04:30AM (6 children)

      by Anonymous Coward on Sunday August 12 2018, @04:30AM (#720459)

      While pondering your idea, I came up with a practical modification of the concept that doesn't involve lugging around a bulky and heavy steel contraption:

      You don't really need to make it impossible to tamper with your machine, you just need to make any tampering immediately apparent. Instead of a steel box, a plastic box will do. My idea is to 3d print a custom clamshell that clips to your laptop, with riveted hinges on one side and a tamper proof lock on the other.

      In order to make any tampering evident, ensure the rivets are not accessible when the shell is closed to prevent drilling them out and replacing them. On the inside of the shell, 3d print a small proof of authenticity in a hard to observe place, like the inside of the hinges. It could also be something tactile, like a sequence of grooves and lands (or hell, a message to yourself in Braille if you want something new and exciting to learn while you're at it) that you touch every time you open the shell.

      The idea is that in order to get to your machine, an attacker either needs to defeat your lock, or bring a perfect copy of your 3d printed clamshell to replace the original after destroying it. A lot hinges on them not learning your proof of authenticity.

      Even more hinges on having a lock that's impossible to defeat without leaving signs of tampering. I'm thinking that mechanical locks are out, because a) bump keys and b) combination locks are weak to watching you enter yours. You could hide your interaction with the lock, but while I'm not sure how difficult it is to "pick" a combination lock with a near-perfect mechanism, I suspect the method used by pr0 safe crackers - a stethoscope to listen for sounds of alignment of the cams in the lock - would also work here.

      So that leaves electronic locks. If your threat model includes state level actors, buying one off the shelf is out. You must expect there being a secret master key that governments get "for the children". Guess that means building your own. Possibly from an Arduino and card reader. Make sure it fails closed if the battery dies. In that case you'll have to destroy and recreate your plastic case but it will prevent defeating the lock by icing the battery.

      I'm tempted to build this. Does anyone see weaknesses in the design that need further refinement?

      • (Score: 1, Insightful) by Anonymous Coward on Sunday August 12 2018, @05:37AM (1 child)

        by Anonymous Coward on Sunday August 12 2018, @05:37AM (#720482)

        Just use a lot of glue. They'll have to cut or pry the thing open. Either they figure that is too much trouble or it is readily apparent.

        • (Score: 0) by Anonymous Coward on Sunday August 12 2018, @07:45PM

          by Anonymous Coward on Sunday August 12 2018, @07:45PM (#720660)

          The plastic shell idea (might just make it a little larger and have some extra room for peripherals like a traditional laptop case) enables you to keep the laptop in pristine condition. You won't lose functionality and you can resell the device in mint condition when you get done with it.

      • (Score: 1, Interesting) by Anonymous Coward on Sunday August 12 2018, @07:48AM (3 children)

        by Anonymous Coward on Sunday August 12 2018, @07:48AM (#720496)

        wrap it in scotch tape, put your signature on the outside.
        take a picture of the result.
        I find it hard to believe anyone, including yourself, could reproduce that.
        in other words, if anyone opens it, it will be obvious it has been opened (and I'm under the impression that's what you're going for).

        on second thought, you may even use an envelope for the purpose.

        • (Score: 2) by looorg on Sunday August 12 2018, @01:11PM (1 child)

          by looorg (578) on Sunday August 12 2018, @01:11PM (#720536)

          If it's a long stay you might have to bring a lot of envelopes then if you are going to take it in and out, so you probably have to bring a stash of them and the "evil maid" could probably find those. Unless you instead of carrying around your laptop at all times just carry around a large stack of giant envelopes.

          As the other AC said. If you are so scared of this, just superglue everything shut. Glue the two main frames together, glue every port you never use etc. It might also be possible to just replace all the nuts and bolts with non-standard nuts and bolts, so that they require a special screwdriver to open. If you are so inclined make your own bolts and tool that is unique. You could fill the important parts of your laptop with epoxy, like they used to do back in ye-olden days. It would increase the weight of your laptop and it might lead to heat issues.

          The drawback to all this is that if you for one reason or another do need to get into the machine yourself you are in for a lot of pain and work and it might be better to just replace the entire machine.

          I'm sure their solutions to all these things will just be to find some way of doing it all without taking the machine apart. After all if someone walks in on them with an unassembled laptop on the desk in front of them there is no plausible deniability anymore. You are just busted.

          • (Score: 0) by Anonymous Coward on Sunday August 12 2018, @07:58PM

            by Anonymous Coward on Sunday August 12 2018, @07:58PM (#720666)

            I'd suspect that Will E. McCracker, a pretty intelligent guy and for this reason using at least a double safety net of Tor/VPN to mitigate the risk of being caught doing his evil blackhat stuff online, will be extra careful when exposing himself in meatspace. He'll have worked out the perfect time to get some guaranteed alone time with the machine. If he's extra paranoid, he might be working with an accomplice to watch and in case of an unforeseen early return, delay and distract the mark.

            And if it's Bob The Spook who's running the show he'll likely be extremely efficient, with a highly optimized set of tools and exploits. He might use some hush-hush government backdoors *cough*Management Engine*cough* and be in and out the door before you can retie your shoes. With a full surveillance team providing cover from bad surprises.

        • (Score: 0) by Anonymous Coward on Sunday August 12 2018, @02:54PM

          by Anonymous Coward on Sunday August 12 2018, @02:54PM (#720561)

          Unless you have a photographic memory and the mental capacity to overlay your memorized image over your present view of the so-wrapped machine for detailed comparison, it would be possible to copy convincingly enough with some manual dexterity. This defeats the purpose of being able to immediately tell whether foul play is happening.

          An envelope is a commonly available item, procuring one exactly alike to swap out for the original torn one is hardly a challenge.

  • (Score: 1, Interesting) by Anonymous Coward on Sunday August 12 2018, @01:50AM

    by Anonymous Coward on Sunday August 12 2018, @01:50AM (#720412)

    Glue, lots of glue.

  • (Score: 1, Interesting) by Anonymous Coward on Sunday August 12 2018, @01:57AM (1 child)

    by Anonymous Coward on Sunday August 12 2018, @01:57AM (#720418)

    How about disguising the real board? Have a fake board and real board (hidden somehow, maybe by putting it behind the screen in a laptop or disguised as a harddrive?), with a non-obvious switch to set the decoy to active when you are not physically present. You would definitely have to sacrifice computing power, but you should be able to have something usable.

    • (Score: 0) by Anonymous Coward on Sunday August 12 2018, @03:10AM

      by Anonymous Coward on Sunday August 12 2018, @03:10AM (#720442)

      This is not a bad idea, even though it's just security by obscurity. A determined and competent attacker (threat model: state-level actor or major league corporate espionage) will put you under intense surveillance prior to making a move on your gear, so you'll need to make sure you can never be observed manipulating said switch.

      There are other unsolved problems with your solution:

      Once an attacker targeting you specifically has pwned your decoy, they will expect to exfiltrate some useful information. You will not only need to carefully craft believable chaff data already on the machine, you also need a way to simulate real time user interaction in case their trojan includes realtime desktop shadowing. If you consider that an attacker who breaks into your quarters might also leave hidden cameras, you need to boot and shutdown the decoy at the same time the real machine is booted, make sure to fake the boot screens expected from your decoy hardware, and then play back interaction patterns believably matching your interaction with the real machine.

      Another problem is that this concept could mitigate information exfiltration from your machine, but not infiltration. If the goal is to slip some kiddie porn on your harddrive and then call the cops on you, you'd still be fucked.

      I have another idea though: booby trap your case with a "case open" switch rigged to some means of immediately alerting you, like a small SoC with GSM modem set up to text you.

  • (Score: 2) by takyon on Sunday August 12 2018, @02:42AM (1 child)

    by takyon (881) on Sunday August 12 2018, @02:42AM (#720436) Journal

    1. Don't use a computer.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 2) by maxwell demon on Sunday August 12 2018, @07:38AM

      by maxwell demon (1608) on Sunday August 12 2018, @07:38AM (#720493) Journal

      2. Don't use a computer for the security-relevant stuff. If all the attacker gains is a look at your gaming scores, not much damage has been done.

      --
      The Tao of math: The numbers you can count are not the real numbers.