Don’t trust your hardware

flash drive

I wasn’t able to see David Maynor’s “You are the Trojan” (pdf) talk at Toorcon, but it’s a really interesting subject. With so much emphasis placed on tightening perimeter security with firewalls and IDS systems, how do attacks keep getting through? The user: bringing laptops on site, connecting home systems through a VPN, or simply sacrificing security for speed.

Peripherals can also be a major threat. USB and other computer components use Direct Memory Access (DMA) to move data without going through the processor, which allows high-performance transfers; the CPU is completely oblivious to the DMA activity. That is a lot of trust to place in a peripheral. Here’s how this could be exploited: like a diligent individual, you’ve locked your Windows session. Someone walks in with their hacked USB key and plugs it into your computer. The USB key uses DMA to kill the process locking your session. Voila! Your terminal is now wide open, and all they had to do was plug in their USB key, PSP, iPod
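The scenario above (a device shows up while the session is locked) is something a defender can look for after the fact. The following is an added example, not code from the original post: it walks a small, constructed event log and reports removable-device arrivals that land inside a lock/unlock window. The event IDs follow the Windows Security log (4800 workstation locked, 4801 workstation unlocked) and the DriverFrameworks-UserMode operational log (2003, a UMDF host asked to load drivers for a newly arrived device); the comma-separated column layout and the short provider names are assumptions made for this example, not a real export format.

```python
"""Flag removable-device arrivals that happen while the workstation is locked.

Added example, not from the original post. The log lines are constructed.
Event IDs: 4800 = workstation locked, 4801 = workstation unlocked (Security log),
2003 = UMDF host asked to load drivers for a new device (DriverFrameworks-UserMode).
The "timestamp,provider,id,message" layout is an assumption for this example.
"""
import re
from datetime import datetime

# Constructed sample: a lock, a USB arrival during the lock, an unlock, then a
# USB arrival while the user is present (the second one is not suspicious).
SAMPLE_LOG = """\
2006-10-03T09:12:00,Security,4800,The workstation was locked. Account Name: jsmith
2006-10-03T09:13:30,DriverFrameworks-UserMode,2003,UMDF host asked to load drivers for device USB\\VID_0781&PID_5567\\4C530001
2006-10-03T09:40:12,Security,4801,The workstation was unlocked. Account Name: jsmith
2006-10-03T10:02:45,DriverFrameworks-UserMode,2003,UMDF host asked to load drivers for device USB\\VID_046D&PID_C52B\\5&2a1b
"""

LOCKED, UNLOCKED, DEVICE_ARRIVAL = 4800, 4801, 2003
DEVICE_RE = re.compile(r"device (USB\\[^\s]+)")


def parse(line):
    """Split one constructed log line into (timestamp, provider, event id, message)."""
    ts, provider, event_id, message = line.split(",", 3)
    return datetime.fromisoformat(ts), provider, int(event_id), message


def find_arrivals_while_locked(log_text):
    """Return [(timestamp, device path, seconds since lock)] for arrivals during a lock."""
    locked_since = None          # timestamp of the most recent 4800 with no 4801 yet
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, provider, event_id, message = parse(raw)
        if provider == "Security" and event_id == LOCKED:
            locked_since = ts
        elif provider == "Security" and event_id == UNLOCKED:
            locked_since = None
        elif provider == "DriverFrameworks-UserMode" and event_id == DEVICE_ARRIVAL and locked_since:
            m = DEVICE_RE.search(message)
            device = m.group(1) if m else "<unknown device>"
            findings.append((ts, device, int((ts - locked_since).total_seconds())))
    return findings


if __name__ == "__main__":
    for ts, device, delay in find_arrivals_while_locked(SAMPLE_LOG):
        print(f"{ts.isoformat()} device arrived {delay}s into a locked session: {device}")
```

Run on the sample it reports only the first arrival (90 seconds into the lock); the second device shows up after the unlock and is ignored. The same state machine works on a real export once `parse` is adapted to the column layout the collector actually produces.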

Comments

  1. Jerry says:

    What is the model and manufacturer of that gorgeous chrome thumb drive shown in the article pic?

  2. wade says:

    first post! interesting topic, I agree security’s biggest weakness is yourself. just read the art of deception by kevin mitnick

  3. James Fryman says:

    As interesting as this is, I think the old adage still applies. If one can gain physical access to a machine, it’s as good as hacked anyway. Take for instance the myriad of offline password hacking tools that are already available and combine them with these DMA hacks.

    The dangerous thing that I could see happening is some malware that injects vuln code onto any device that connects to it which then uploads code back onto computers the device is connected to.

    With R/W portable storage coming back (after the 1.44MB floppies quickly outgrew themselves), we’ll see sneakernet viruses possibly growing.

  4. Spoonman says:

    This isn’t really anything new. About 5 years ago, I was using a cd-based tool that did the same thing. I can’t for the life of me remember what it was called, but you’d insert a CD into a locked machine, and if autorun was enabled it would unlock the session.

    Physical security is always a concern. My company just lifted the ban on the use of USB keys, but in order to use one, you can only have one of two secure models. Fortunately, our security team isn’t very knowledgeable and doesn’t know that with SP2 you can disable writing to USB sticks (http://www.petri.co.il/configure_usb_disks_to_be_read_only_in_xp_sp2.htm). This comes in handy since they have blocked access to FTP on the Internet, and we use mostly HP servers…and HP puts all its drivers and updates on FTP. Duh.

    Speaking of encrypting keys, check out Truecrypt (http://www.truecrypt.org). An open source solution for Windows and Linux, it allows you to encrypt entire drives or create hidden, encrypted partitions on which to store your data. I keep all of my “personal” data on a triple-AES encrypted partition on my work laptop. I’ve got a local login/logoff script set up to automatically mount or unmount the partition. If they give me the “can you come into my office for a minute”, I can lock my workstation, and that data’s just plain gone. If they log me off, the encrypted partition will unmount, and they’ll need my 25-character password to get into it again. Using NTFS junction points, I even keep my Firefox profile, IE temp files, etc. all on that partition.

  5. David Annett says:

    If the DMA hardware is designed right this should leave it as a pure software issue. For DMA to work the software should first set up the buffers then enable transfers. Of course this assumes the hardware honours the limits put in place by software. A bad system design could leave you with a security hole but DMA hardware design is pretty easy stuff…
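The post’s “the CPU is completely oblivious” point and David Annett’s reply above (driver sets up buffers, hardware honours the limits) are two sides of the same question: does anything between the device and RAM check the address a device asks for? The following is an added example, not code from the post or from any commenter, that models the two cases in a few dozen lines: a machine with no address remapping, where a device’s DMA address simply is the physical address, beside one with a per-device translation table (an IOMMU in miniature). The memory layout, the device name `usb0`, the “session locked” flag address and the page-free, byte-granular mapping are all constructed for illustration; real IOMMUs translate at page granularity through hardware page tables.

```python
"""Toy model of DMA with and without per-device address translation.

Added example, not code from the original post or its commenters. Addresses,
device names and the "lock flag" location are constructed for illustration.
"""
from dataclasses import dataclass, field


class DmaFault(Exception):
    """Raised when a device touches memory outside what the driver mapped for it."""


@dataclass
class Mapping:
    iova_start: int      # address as the device sees it (I/O virtual address)
    length: int
    phys_start: int      # where that window really lives in RAM
    writable: bool


@dataclass
class Iommu:
    """Per-device translation tables, filled in by the driver before DMA is enabled."""
    tables: dict = field(default_factory=dict)   # device id -> list[Mapping]

    def map(self, dev, iova_start, length, phys_start, writable):
        self.tables.setdefault(dev, []).append(Mapping(iova_start, length, phys_start, writable))

    def translate(self, dev, iova, write):
        for m in self.tables.get(dev, []):
            if m.iova_start <= iova < m.iova_start + m.length:
                if write and not m.writable:
                    raise DmaFault(f"{dev}: write to read-only window at {iova:#x}")
                return m.phys_start + (iova - m.iova_start)
        raise DmaFault(f"{dev}: access to unmapped address {iova:#x}")


class Machine:
    """Physical memory plus the DMA path devices use to reach it."""

    def __init__(self, iommu=None, size=0x10000):
        self.ram = bytearray(size)
        self.iommu = iommu           # None models a system with no DMA remapping at all

    def dma_write(self, dev, addr, data):
        # Without an IOMMU the device's address *is* the physical address: full trust.
        phys = addr if self.iommu is None else self.iommu.translate(dev, addr, write=True)
        self.ram[phys:phys + len(data)] = data

    def dma_read(self, dev, addr, length):
        phys = addr if self.iommu is None else self.iommu.translate(dev, addr, write=False)
        return bytes(self.ram[phys:phys + length])


LOCK_FLAG = 0x8000      # constructed: byte that says "session is locked"
USB_BUFFER = 0x1000     # constructed: the transfer buffer the driver hands to the device


def run_scenario(use_iommu):
    """Return (session still locked?, fault message or None) for one configuration."""
    iommu = Iommu() if use_iommu else None
    m = Machine(iommu)
    m.ram[LOCK_FLAG] = 1                                   # session starts out locked

    if use_iommu:
        # The driver maps only the 256-byte transfer buffer, then enables DMA.
        iommu.map("usb0", iova_start=0x0, length=0x100, phys_start=USB_BUFFER, writable=True)

    # Legitimate traffic: the device fills its buffer. With remapping it uses
    # its own address 0x0; without remapping it must use the physical address.
    m.dma_write("usb0", 0x0 if use_iommu else USB_BUFFER, b"hello")

    # The trust problem: the device writes somewhere the driver never pointed it.
    try:
        m.dma_write("usb0", LOCK_FLAG, b"\x00")
        fault = None
    except DmaFault as e:
        fault = str(e)
    return m.ram[LOCK_FLAG] == 1, fault


if __name__ == "__main__":
    for use_iommu in (False, True):
        locked, fault = run_scenario(use_iommu)
        print(f"iommu={use_iommu}: locked={locked} fault={fault}")
```

Without remapping the stray write lands and the lock flag is cleared; with the table in place the same write faults because the device was only ever given its 256-byte buffer, which is exactly the “hardware honours the limits put in place by software” property Annett describes. The model also makes Wim L’s later distinction easy to see: a device that can only be told where to read and write (as on a USB bus) never reaches `dma_write` with an address of its choosing, whereas a bus-mastering card does.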

  6. Google 1t2 says:

    Now what happens if your OS does not automatically mount devices? Can the key still bypass the processor if the computer hasn’t mounted the drive?

  7. matt says:

    That is an interesting comment about the CD, spoonman, but I thought that when you locked your screen it would disable the autorun feature by default. I could be wrong though.

  8. kyle says:

    first post got it right. the real news here is that they make chrome thumbdrives. damn, that’s sexy

  9. Losey says:

    Hehe, Dead Sexy!!!!
    (drooling) awwnnnnn

  10. illwill says:

    does anyone know of a way to rewrite the firmware on some usb drives to make them seem like a CDrom when inserted.. i know theres some specialty usb drives that have this feature that are being sold .. just wondering if i can revise mine to do so instead of wasting money on a new one to play with

  11. nullsmack says:

    I’m glad I was wrong. yay!

    #7 there was a nifty program going around awhile back that was basically the autorun file and another file that would kill a screensaver without needing the password. I don’t know if it would unlock a locked workstation though. Seems unlikely but I haven’t heard of anyone doing it.

  12. monster says:

    can someone link a program i can drop onto my thumbdrive? i’d really like to kill the web blocker at my school. blocks hackaday!!! god forbid the children we supposedly teach to become creative individuals get to see creativity on the internet!!!

  13. cnerd2025 says:

    people, this is relevant because of the direct memory access. that’s a very powerful tool. if running an ipod, for instance, you can have it insert some code into one of the threads and then the box will be at your mercy. now if there were a network card that did this, that would be something altogether different…

    oh, and physical security is important. social engineering is an integral part of hacking and some hackers get night jobs as custodians to be near the computers they intend to hack.

  14. Benjamin says:

    As somebody already mentioned, (as interesting as this is), once physical access to the computer is obtained, you’re as good as hacked. No usb drive? That’s okay, I’ll just put a (bootable) cdrom in the cd drive, and hit the restart button on the front of the machine. If the computer doesn’t boot from the cdrom, and the bios is locked (so I can’t force a boot from cdrom) and I really want information off of that computer, all is well, I’ll just open up the case and manually reset the bios memory (and hence reset the password). If that doesn’t work and I really, really want information off of the computer, I’ll just remove the harddrive, and take it with me. Your only protection here is to encrypt sensitive information on your computer. Fortunately most people don’t have information that is worth going through all of this trouble to get. Besides, hackers like attacking a machine remotely; opening up the case and removing the harddrive isn’t very fun.

  15. Matthew says:

    Autopilot is a program that’ll run tasks in the background without user intervention. I haven’t tried it, so I have no idea if it can be scripted or not.

  16. z0iid says:

    #12 – use http://www.stupidcensorship.com (if it isn’t already blocked)

  17. [SvEN] says:

    back in the good old days I had a USB pen drive with an auto run script that would run a few programs and install a few others(trojans). so when you install the pendrive windows would mount it, run autorun.inf, kill any running program named *.scr then install subseven.
    [sVen]

  18. DarkFader says:

    DMA doesn’t always imply you get access to all available memory. This is especially true for USB etc. When you transfer some piece of data, it will be put at some unknown reserved memory location and the driver gets notified by it. The chances of there being an exploit in the handling of it are probably very low after they are verified. For unverified drivers, the system will first ask whether to install it or not.
    The good news: PCI cards are risky and PCMCIA cards probably too.

  19. NinjaKey started out as a project to sync up data on my USB drive and ended up turning into a viable “covert” reconnaissance solution. This is using a usb flash drive to retrieve the data you are looking for. *To be used for non-evil purposes of course* Flash drive prices are dropping quickly and places that once allowed these types of drives to be used at workstations are being very careful now.

  20. yeti says:

    Yeah, that usb drive make me so horny. roffle.

  21. hfx392 says:

    1000 camels to the man that figures out who makes that drive and where we can get it.

  22. It’s silver plated. I found it on Engadget, but the link is broken. http://www.engadget.com/entry/4622731184115930/

    The camels are mine suckers!

  23. acidrain says:

    To #4,

    You have all this security in mind, but what happens if they use remote desktop or VNC or in read only mode and just watch you open things?

    Don’t ever assume what you are doing at work is secure from your employers. They could wait till you are gone and dump the memory and virtual memory. They can take periodic screenshots.

    #3 hit this right on. If someone is close enough to use a hacked USB keychain or plant one on an unsuspecting employee, then you have a personnel or physical security issue, not a software/hardware issue.

  24. mike says:

    http://www.engadget.com/entry/1234000030067069

    hrm, this looks like it could execute code autonomously… down right blow the computer up if it had too… fun stuff.

  25. graham says:

    12:
    Get either Opera or Firefox. Then, get Tor and Privoxy. The Tor website should have instructions for setting up Privoxy and how to get web browsers to use it (i.e., setting the browser to use a proxy server at localhost on port 8118). Put this all on your thumbdrive. You should be able to use that browser to bypass filtering once you run Tor and Privoxy.

    That’s what I do at my school, except I put everything hidden away on a shared network drive.

  26. fucter says:

    the chrome pendrive is here:
    http://www.linksoflondon.com/Category.aspx/!3010.0178 but it’s 95 (brit cash)

  27. monster says:

    #12

    huh?

  28. Xin xue says:

    I saw David Maynor’s talk in CanSecWest, and I didn’t believe a single word of what he said. All the presentation looked like it was put together in 5 minutes, and made only to laugh at something Dan Kaminsky said. David Maynor didn’t show a demo (he had lost his phone… but it was in his pocket right after he finished the presentation).

    On the other side, Maximillian Dornself does do what he says (do direct DMA access from an iPod using firewire). Unless there is a bug in the USB drivers (like buffer overflow or something), it’s not feasible using the straight USB protocol; however, the firewire protocol does include DMA (and that’s the problem)

  29. dbarrall says:

    There are plenty of overflows in USB drivers, either device specific or class drivers, to exploit. I demonstrated two at BlackHat ’05. One point of my preso was to show that a device can be created that will convince an operating system to load a specific device driver (one you know to have an overflow) for the device to exploit.

  30. Bain says:

    RatWare was what I used to bypass 9x systems with a passworded screensaver. And yes it used the autorun feature while the screensaver was on.

  31. Hannes says:

    wouldn’t this be a perfect application for the gp2x portable game console? It’s affordable, lightweight & linux programmable and of course it sports a usb port…

  32. Wim L says:

    durrh? count me among the skeptical when it comes to the usb hackery. I think the presenter either doesn’t know what he’s talking about, or is throwing terms like “dma” around just to sound good.

    yes, your OHCI usb host controller can perform dma transfers. no, this doesn’t mean that a usb *device* has the ability to initiate a transfer to an arbitrary address.

    yes, a usb device driver could have a buffer overflow. this has everything to do with buggy drivers and nothing to do with usb in general.

    yes, you can put an autorun on a usb-mounted filesystem, and if you’re running a stupid os, it might run that. no, this is not news.

    yes, cardbus cards are effectively PCI cards and can perform arbitrary bus transactions. yes, this is interesting and can probably be used to bypass OS security.

    one out of four is pretty pathetic, for someone who’s claiming to be some sort of security expert.

  33. David Maynor says:

    Wim L:
    1. It’s not just OHCI, it

  34. lnce says:

    Anyone know what program spoonman was talking about? This may come in handy. (Evil Laugh)

  35. aimshaman says:

    chrome and leather usb flash drive, centon makes them..
