Uncategorized

DoNotDisturb: now with email support (and YONTMA)

Re: https://firmwaresecurity.com/2018/04/25/donotdisturb-detect-evil-maid-attacks/

Someone has created some more Mac-centric Evil Maid detection code:

https://github.com/ptrckhbr/scripts/blob/master/applescript/DND.scpt

I wish someone would collect all the various FW/OS-centric ways to check for Evil Maids, and write a tool that covers all of them. Here’re some other ways, via You’ll Never Take Me Alive (YONTMA) from iSEC Partners (now NCC Group):

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2013/march/yontma-youll-never-take-me-alive/
https://github.com/iSECPartners/yontma
https://github.com/iSECPartners/yontma-mac



Detecting Evil Maid attacks with PowerShell

Re: https://firmwaresecurity.com/2018/04/25/donotdisturb-detect-evil-maid-attacks/

The solution above was Mac-centric. Here’s a Microsoft-centric solution, using PowerShell:

https://pastebin.com/hAEHibHf

Grab this version before the Visual Studio or Azure teams tie the code to their products. 🙂


DoNotDisturb: Detect Evil Maid Attacks

https://github.com/objective-see/DoNotDisturb

https://objective-see.com/products/dnd.html


Qubes: Anti Evil Maid (AEM): improved TPM support

Anti Evil Maid is an implementation of a TPM-based dynamic (Intel TXT) trusted boot for dracut/initramfs-based OSes (Fedora, Qubes, etc.) with a primary goal to prevent Evil Maid attacks. In short, AEM relies on TPM and a feature found in Intel’s vPro CPUs (TXT) to detect tampering of various boot components.

Even if you don’t use Qubes, this is a good read:

[…]To recap — you need to fully trust:
* CPU (Intel, since we’re depending on TXT)
   + sometimes over-optimizes for performance at the cost of security, see eg. Meltdown/Spectre, cache attacks against SGX enclaves, …
* TPM (various vendors)
   + few known attacks sniffing and injecting commands on the LPC bus; differential power analysis; buggy RSA key generation code
   + note that any potential TPM exploits (should) have no means of compromising your system directly — a TPM under attacker’s control can only be used to hide the fact that a compromise has occurred (ie. defeating the whole AEM feature)
* BIOS (a few vendors)
   + it’s full of holes!
* that the attacker cannot get physically inside your laptop without you noticing (see the glitter hint above)
[…]

https://github.com/QubesOS/qubes-antievilmaid/commit/da6c1bacfe5f8864e08efcf7903f9867d40629b3
https://github.com/QubesOS/qubes-antievilmaid
https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html
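To make the AEM principle concrete, here is an added software simulation (not the Qubes AEM code) of what the TPM does for it: each boot component is measured into a PCR with a one-way, order-dependent extend, a secret is sealed to the expected PCR value, and unsealing fails as soon as any measured component differs. The boot-chain names, the toy seal/unseal construction and the secret are constructed for the example; a real TPM performs extend/seal/unseal in hardware and Intel TXT supplies the dynamic root of trust.

```python
import hashlib

# Added simulation of the measured-boot principle behind AEM; this is not the
# Qubes AEM code. A real TPM does the extend/seal/unseal in hardware and Intel
# TXT supplies the dynamic root of trust; here both are modelled in software.

PCR_INIT = b"\x00" * 32

def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(component)).
    One-way and order-dependent, so a PCR cannot be set to a chosen value."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def boot_pcr(components: list) -> bytes:
    """Measure every boot component in order, as a measured boot would."""
    pcr = PCR_INIT
    for c in components:
        pcr = extend(pcr, c)
    return pcr

def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Toy seal: bind the secret (<= 32 bytes) to the expected PCR value."""
    assert len(secret) <= 32
    key = hashlib.sha256(b"seal-key" + expected_pcr).digest()
    ct = bytes(s ^ k for s, k in zip(secret, key))
    tag = hashlib.sha256(b"seal-tag" + expected_pcr + secret).digest()
    return {"ct": ct, "tag": tag}

def unseal(blob: dict, current_pcr: bytes):
    """Unseal succeeds only if the current PCR equals the one sealed against."""
    key = hashlib.sha256(b"seal-key" + current_pcr).digest()
    pt = bytes(c ^ k for c, k in zip(blob["ct"], key))
    if hashlib.sha256(b"seal-tag" + current_pcr + pt).digest() != blob["tag"]:
        return None  # PCR mismatch: some boot component changed, do not trust
    return pt

# Constructed boot chains: the names stand in for the real measured binaries.
TRUSTED = [b"BIOS", b"xen.gz", b"vmlinuz", b"initramfs"]
TAMPERED = [b"BIOS", b"xen.gz", b"vmlinuz", b"initramfs+keylogger"]

def demo():
    """Seal at provisioning time, then try to unseal on a clean and a tampered boot."""
    blob = seal(b"AEM secret: my sealed phrase", boot_pcr(TRUSTED))
    return unseal(blob, boot_pcr(TRUSTED)), unseal(blob, boot_pcr(TAMPERED))

if __name__ == "__main__":
    good, bad = demo()
    print("clean boot    ->", good)
    print("tampered boot ->", bad)
```

The user-facing check in AEM is the same idea: if the sealed secret (a passphrase or image you recognise) is not shown at boot, a measured component has changed and the machine should not be trusted.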



Hack.lu 2017 Intel AMT: Using & Abusing the Ghost in the Machine by Parth Shukla



USB attack to Mazda cars: Bad Valet attack

“Bad Valet is the new Evil Maid” –Joanna Rutkowska


“A PoC that the USB port is an attack surface for a Mazda car’s infotainment system and how Mazda hacks are made.”

https://github.com/shipcod3/mazda_getInfo

