SoylentNews

MrPlow writes:

Submitted via IRC for SoyCow1984

Hacker lore is littered with tales of mysterious attackers breaking into hotels—perhaps at a conference—to get their hands on someone’s laptop with the goal of installing malware on it by physically connecting to the machine. That’s why the more careful hackers never leave their laptops unattended at events, or bring disposable computers with little to nothing valuable on them.

These types of attacks are called evil maid attacks in the infosec world, because the imaginary attacker is someone who has access to your room and malicious intentions. Pwning a laptop via physical access is a true and tested method to hack someone. But there’s no better way to be reminded of how effective and sometimes effortless these attacks can be than an actual demo.

In early July, security firm Eclypsium posted a video showing how Mickey Shkatov, one of its researchers, hacks into a laptop by opening it up, connecting a device directly to the chip that contains the BIOS, and installing malicious firmware on it—all in just over four minutes. That easy. (In some cases hackers don’t even need to open up the laptop).

“Physical attacks are hard to defend against and most people aren’t doing anything to defend against them,” John Loucaides, Eclypsium’s vice president of engineering, told me. “It’s not that hard of a attack to pull of as most people think. It takes less time and less effort than most people realize.”

[...] The good news is that while it’s relatively easy to hack a laptop once you get your hands on it, it’s all the work that is required to get there (monitoring a target to see where they live or are sleeping, breaking into their room, etc) makes these attacks likely rare.

Source: https://motherboard.vice.com/en_us/article/a3q374/hacker-bios-firmware-backdoor-evil-maid-attack-laptop-5-minutes

Original Submission