Uncategorized

Qubes: Anti Evil Maid (AEM): improved TPM support

Anti Evil Maid is an implementation of a TPM-based dynamic (Intel TXT) trusted boot for dracut/initramfs-based OSes (Fedora, Qubes, etc.) with a primary goal to prevent Evil Maid attacks. In short, AEM relies on TPM and a feature found in Intel’s vPro CPUs (TXT) to detect tampering of various boot components.

Even if you don’t use Qubes, this is a good read:

[…]To recap — you need to fully trust:
* CPU (Intel, since we’re depending on TXT)
   + sometimes over-optimizes for performance at the cost of security, see eg. Meltdown/Spectre, cache attacks against SGX enclaves, …
* TPM (various vendors)
   + few known attacks sniffing and injecting commands on the LPC bus; differential power analysis; buggy RSA key generation code
   + note that any potential TPM exploits (should) have no means of compromising your system directly — a TPM under attacker’s control can only be used to hide the fact that a compromise has occurred (ie. defeating the whole AEM feature)
* BIOS (a few vendors)
   + it’s full of holes!
* that the attacker cannot get physically inside your laptop without you noticing (see the glitter hint above)
[…]

https://github.com/QubesOS/qubes-antievilmaid/commit/da6c1bacfe5f8864e08efcf7903f9867d40629b3
https://github.com/QubesOS/qubes-antievilmaid
https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html

 

Standard
Uncategorized

Hack.lu 2017 Intel AMT: Using & Abusing the Ghost in the Machine by Parth Shukla

 

Standard
Uncategorized

USB attack to Mazda cars: Bad Valet attack

“Bad Valet is the new Evil Maid” –Joanna Rutkowska

 

“A PoC that the USB port is an attack surface for a Mazda car’s infotainment system and how Mazda hacks are made.”

https://github.com/shipcod3/mazda_getInfo

 

Standard
Uncategorized

airline industry and device physical security

Welcome to Travel 2.0, where all devices are now required to go through a potential Evil Maid Attack by the TSA equivalent of government of each travel you visit, starting with the US. 😦

http://gizmodo.com/the-us-may-have-banned-electronics-on-middle-eastern-fl-1793457809

http://onemileatatime.boardingarea.com/2017/03/20/airplane-electronics-ban/

http://www.usatoday.com/story/travel/flights/todayinthesky/2017/03/20/airline-electronic-devices-prohibited-cabin/99417832/

http://www.marketwatch.com/story/most-electronic-devices-banned-on-certain-us-flights-from-middle-east-africa-2017-03-20

http://www.reuters.com/article/us-usa-airlines-electronics-idUSKBN16R2JN

 

Standard
Uncategorized

BIOS mod lab at upcoming SecuringHardware.com training

For those who need Evil Maid skills take note: Joe Fitzpatrick has added a BIOS mod lab to his Black Hat training on x86 physical attacks.

Applied Physical Attacks on x86 Systems
Joe FitzPatrick, SecuringHardware.com
July 30-August 2

This course introduces and explores attacks on several different relatively accessible interfaces on x86 systems. Attendees will get hands-on experience implementing and deploying a number of low-cost hardware devices to enable access, privilege, and deception which is in some cases imperceptible from software. The course has several modules: USB, SPI/BIOS, I2C/SMBus, PCIe, and JTAG. Each begins with an architectural overview of an interface, and follows with a series of labs for hands-on practice understanding, observing, interacting with, and exploiting the interface, finishing with either potentially exploitable crashes or directly to root shells.

https://www.blackhat.com/us-16/training/applied-physical-attacks-on-x86-systems.html

Standard
Uncategorized

Western Digital drives vulnerable: BadUSB, EvilMaid

Most news sites are reporting about bad security in Western Digital hard drives. As presented at Hardware.io the other week, and from the Full Disclosure mailing list from a few days ago, excerpt below:

Authors: Gunnar Alendal, Christian Kison, modg
Vendor notification: The vendor has been informed of the research.
Patches: The authors are not aware of any fixes.

Research on Western Digital wide-spread self-encrypting hard drive series “My Passport” / “My Book”. Devices researched utilizes mandatory HW AES encryption. Multiple vulnerabilities, including:
* Multiple authentication backdoors, bypassing password authentication
* AES factory key recovery attacks, exposing user data on all affected devices, regardless of user password
* Exposure of HW PRNGs used in cryptographic contexts
* Unauthorized patching of FW, facilitating badUSB/evil-maid attacks

Architectures researched (USB Bridge Vendor – Chip model – Architecture):
 JMicron – JMS538S – Intel 8051
 Symwave – SW6316 – Motorola M68k
 PLX – OXUF943SE – ARM7
 Initio – INIC-1607E – Intel 8051
 Initio – INIC-3608 – ARC 600
 JMicron – JMS569 – Intel 8051

https://eprint.iacr.org/2015/1002.pdf
http://hardwear.io/wp-content/uploads/2015/10/got-HW-crypto-slides_hardwear_gunnar-christian.pdf
http://seclists.org/fulldisclosure/2015/Oct/79

https://threatpost.com/academics-find-critical-flaws-in-self-encrypting-hardware-drives/115103/

http://www.theregister.co.uk/2015/10/20/western_digital_bad_hard_drive_encryption/

Standard