Don’t trust your hardware

posted Nov 9th 2005 11:00am by Eliot Phillips
filed under: peripherals hacks

flash drive

I wasn’t able to see David Maynor’s “You are the Trojan” (pdf) talk at Toorcon, but it’s a really interesting subject. With such a large emphasis being placed on tightening perimeter security with firewalls and IDS systems how do attacks keep getting through? The user: bringing laptops on site, connecting home systems through a VPN, or just sacrificing security for speed.

Peripherals can also be a major threat. USB and other computer components use Direct Memory Access (DMA) to bypass the processor. This allows for high performance data transfers. The CPU is completely oblivious to the DMA activity. There is a lot of trust involved in this situation. Here’s how this could be exploited: Like a diligent individual you’ve locked you Windows session. Someone walks in with their hacked USB key and plugs it into your computer. The USB key uses its DMA to kill the process locking your session. Voila! your terminal is now wide open and all they had to do was plug in their USB key, PSP, iPod

Comments [35]

Reader Comments

What is the model and manufacturer of that gorgeous chrome thumb drive shown in the article pic?

Posted at 11:14 am on Nov 9th, 2005 by Jerry

first post! interesting topic, I agree security biggest weakness is yourself. just read the art of deception by kevin mitnick

Posted at 11:21 am on Nov 9th, 2005 by wade

As interesting as this is, I think the old addage still applies. If one can gain physical access to a machine, it’s as good as hacked anyway. Take for instance the myriad of offline password hacking tools that are already avaliable and combine them with these DMA hacks.

The dangerous thing that I could see happening is some malware that injects vuln code onto any device that connects to it which then uploads code back onto computers the device is connected to.

With R/W portable storage coming back (after the 1.44MB floppies quickly outgrew themselves), we’ll see sneakernet viruses possibly growing.

Posted at 11:32 am on Nov 9th, 2005 by James Fryman

This isn’t really anything new. About 5 years ago, I was using a cd-based tool that did the same thing. I can’t for the life of me remember what it was called, but you’d insert a CD into a locked machine, and if autorun was enabled it would unlock the session.

Physical security is always a concern. My company just lifted the ban on the use of USB keys, but in order to use one, you can only have one of two secure models. Fortunately, our security team isn’t very knowledgable and don’t know that with SP2 you can disable writing to USB sticks (http://www.petri.co.il/configure_usb_disks_to_be_read_only_in_xp_sp2.htm). This comes in handy since they have blocked access to FTP on the Internet, and we use mostly HP servers…and HP puts all its drivers and updates on FTP. Duh.

Speaking of encrypting keys, check out Truecrypt (http://www.truecrypt.org). An open source solution for Windows and Linux, it allows you to encrypt entire drives or create hidden, encrypted partitions on which to store your data. I keep all of my “personal” data on an triple-AES encrypted partition on my work laptop. I’ve got local login/off script setup to automatically mount or unmount the partition. If they give me the “can you come into my office for a minute”, I can lock my workstation, and that data’s just plain gone. If they log me off, the encrypted partition will unmount, and they’ll need my 25-character password to get into it again. Using NTFS junction points, I even keep my Firefox profile, IE temp files, etc all on that partition.

Posted at 12:24 pm on Nov 9th, 2005 by Spoonman

If the DMA hardware is designed right this should leave it as a pure software issue. For DMA to work the software should first set up the buffers then enable transfers. Of course this assumes the hardware honours the limits put in place by software. A bad system design could leave you with a secuirty hole but DMA hardware design is pretty easy stuff…

Posted at 1:17 pm on Nov 9th, 2005 by David Annett

Now what happens if your OS does not automatically mount devices? Can the key still bypass the processor if the computer hasnt mounted the drive?

Posted at 2:25 pm on Nov 9th, 2005 by Google 1t2

That is an interesting comment about about the CD comment spoonman, but I thought that when you locked your screen it would disable the autorun feature by default. I could be wrong though.

Posted at 2:36 pm on Nov 9th, 2005 by matt

first post got it right. the real news here is that they make chrome thumbdrives. damn, that’s sexy

Posted at 2:49 pm on Nov 9th, 2005 by kyle

Hehe, Dead Sexy!!!!
(drooling) awwnnnnn

Posted at 3:18 pm on Nov 9th, 2005 by Losey

does anyone know of a way to rewrite the firmware on some usb drives to make them seem like a CDrom when inserted.. i know theres some specialty usb drives that have this feature that are being sold .. just wondering if i can revise mine to do so instead of wasting money on a new one to play with

Posted at 4:50 pm on Nov 9th, 2005 by illwill

I’m glad I was wrong. yay!

#7 there was a nifty program going around awhile back that was basically the autorun file and another file that would kill a screensaver without needing the password. I don’t know if it would unlock a locked workstation though. Seems unlikely but I haven’t heard of anyone doing it.

Posted at 5:41 pm on Nov 9th, 2005 by nullsmack

can someone link a program i can drop onto my thumbdrive? i’d really like to kill the web blocker at my school. blocks hackaday!!! god forbid the children we supposedly teach to become creative individuals get to see creativity on the internet!!!

Posted at 6:01 pm on Nov 9th, 2005 by monster

people, this is relevant because of the direct memory access. that’s a very powerful tool. if running an ipod, for instance, you can have it insert some code into one of the threads and then the box will be at your mercy. now if there were a network card that did this, that would be something altogether different…

oh, and physical security is important. social engineering is an integral part of hacking and some hackers get night jobs as custodians to be near the computers they intend to hack.

Posted at 7:06 pm on Nov 9th, 2005 by cnerd2025

As somebody already mentioned, (as interesting as this is), once physical access to the computer is obtained, your as good as hacked. No usb drive? That’s okay, I’ll just put a (bootable) cdrom in the cd drive, and hit the restart button on the front of the machine. If the computer doesn’t boot from the cdrom, and the bios is locked (so I can’t force a boot from cdrom) and I really wan’t information off of that computer, all is well, I’ll just open up the case and manually reset the bios memory (and hence reset the password). If that doesn’t work and I really, really want information off of the computer, I’ll just remove the harddrive, and take it with me. Your only protection here is to encrypt sensitive information on your computer. Fortunately most people don’t have information that is worth going through all of this trouble to get. Besides hackers like attacking a machine remotely, opening up the case and removing the harddrive isn’t very fun.

Posted at 7:47 pm on Nov 9th, 2005 by Benjamin

Autopilot is a program that’ll run tasks in the background without user intervention. I haven’t tried it, so I have no idea if it can be scripted or not.

Posted at 8:44 pm on Nov 9th, 2005 by Matthew

#12 – use http://www.stupidcensorship.com (if it isn’t already blocked)

Posted at 12:48 am on Nov 10th, 2005 by z0iid

back in the good old days I had a USB pen drive with an auto run script that would run a few programs and install a few others(trojans). so when you install the pendrive windows would mount it, run autorun.inf, kill any running program named *.scr then install subseven.
[sVen]

Posted at 2:02 am on Nov 10th, 2005 by [SvEN]

DMA doesn’t always imply you get access to all available memory. This is especially true for USB etc. When you transfer some piece of data, it will be put at some unknown reserved memory location and the driver gets notified by it. The chances of there being an exploit in the handling of it is probably very low after they are verified. For unverified drivers, the system will first ask wether to install it or not.
The good news: PCI cards are risky and PCMCIA card probably too.

Posted at 3:18 am on Nov 10th, 2005 by DarkFader

NinjaKey started out as a project to sync up data on my USB drive and ended up turning into a viable “covert” reconnaissance solution. This is using a usb flash drive to retrieve the data you are looking for. *To be used for non-evil purposes of course* Flash drive prices are dropping quickly and places that once allowed these types of drives to be used at workstations are being very careful now.

Posted at 3:26 am on Nov 10th, 2005 by israel torres

Yeah, that usb drive make me so horny. roffle.

Posted at 11:33 am on Nov 10th, 2005 by yeti

1000 camels to the man that figures out who makes that drive and where we can get it.

Posted at 2:15 pm on Nov 10th, 2005 by hfx392

It’s silver plated. I found it on Engadget, but the link is broken. http://www.engadget.com/entry/4622731184115930/

The camels are mine suckers!

Posted at 2:35 pm on Nov 10th, 2005 by Eliot Phillips

To #4,

You have all this security in mind, but what happens if they use remote desktop or VNC or in read only mode and just watch you open things?

Don’t ever assume what you are doing at work is secure from your employers. They could wait till you are gone and dump the memory and virtual memory. They can take periodic screenshots.

#3 hit this right on. If someone is close enough to use a hacked USB keychain or plant one on an unsuspecting employee, then you have a personnel or physical security issue, not a software/hardware issue.

Posted at 11:03 pm on Nov 10th, 2005 by acidrain

http://www.engadget.com/entry/1234000030067069

hrm, this looks like it could execute code autonomously… down right blow the computer up if it had too… fun stuff.

Posted at 1:50 am on Nov 11th, 2005 by mike

12:
Get either Opera or Firefox. Then, get Tor and Privoxy. The Tor website should have instructions for setting up Privoxy and how to get webrowsers to use it (i.e., setting the browser to use a proxy server at localhost on port 8118). Put this all on your thumbdrive. You should be able to use that browser to bypass filtering once you run Tor and Privoxy.

Thats what I do at my school, except I put everything hidden away on a shared network drive.

Posted at 2:32 am on Nov 11th, 2005 by graham

the chrome pendrive is here:
http://www.linksoflondon.com/Category.aspx/!3010.0178 but its 95(brit cash)

Posted at 10:49 am on Nov 11th, 2005 by fucter

#12

huh?

Posted at 11:29 pm on Nov 11th, 2005 by monster

I saw David Maynor’s talk in CanSecWest, and I didn’t believe a single word of what he said. All the presentation looked like it was put in 5 minutes, and made only to lough of something Dan Kaminsky said. David Maynor didn’t show a demo (he had lost his phone… but it was on his pocket right after he finished the presentation).

On the other side, Maximillian Dornself does do what he sais (do direct DMA access from an iPod using firewire). Unless there is a bug in the USB drivers (like buffer overflow or something), it’s not feasable using the straight USB protocol, however, firewire protocol does include DMA (and that’s the problem)

Posted at 3:55 am on Nov 13th, 2005 by Xin xue

There are plenty of overflows in USB drivers, either device specific or class drivers, to exploit. I demonstrated two at BlackHat ‘05. One point of my preso was to show that a device can be created that will convince an operating system to load a specific device driver (one you know to have an overflow) for the device to exploit.

Posted at 12:30 pm on Nov 18th, 2005 by dbarrall

RatWare what what I used to bypass 9x systems with a passworded screensaver. And yes it used the autorun feature while the screensaver was on.

Posted at 2:36 pm on Jan 24th, 2006 by Bain

wouldn’t this be a perfect application for the gp2x portable game console? It’s affordable, lightweight & linux programmable and of course it sports an usb port…

Posted at 10:41 am on Feb 4th, 2006 by Hannes

durrh? count me among the skeptical when it comes to the usb hackery. I think the presenter either doesn’t know what he’s talking about, or is throwing terms like “dma” around just to sound good.

yes, your OHCI usb host controller can perform dma transfers. no, this doesn’t mean that a usb *device* has the ability to initiate a transfer to an arbitrary address.

yes, a usb device driver could have a buffer overflow. this has everything to do with buggy drivers and nothing to do with usb in general.

yes, you can put an autorun on a usb-mounted filesystem, and if you’re running a stupid os, it might run that. no, this is not news.

yes, cardbus cards are effectively PCI cards and can perform arbitrary bus transactions. yes, this is interesting and can probably be used to bypass OS security.

one out of four is pretty pathetic, for someone who’s claiming to be some sort of security expert.

Posted at 3:19 pm on Feb 6th, 2006 by Wim L

Wim L:
1. Its not just OHCI, it

Posted at 1:19 am on Feb 21st, 2006 by David Maynor

Anyone know what program spoonman was talking about this may come in handy. (Evil Laugh)

Posted at 6:17 pm on Mar 20th, 2006 by lnce

http://i11.ebayimg.com/01/i/07/64/e5/0b_1_b.JPG

chrome and leather usb flash drive, centon makes them..

Posted at 7:33 pm on Jun 14th, 2006 by aimshaman