Don’t Trust Your Hardware

flash drive

I wasn’t able to see David Maynor’s “You are the Trojan” (pdf) talk at Toorcon, but it’s a really interesting subject. With such a large emphasis being placed on tightening perimeter security with firewalls and IDS systems how do attacks keep getting through? The user: bringing laptops on site, connecting home systems through a VPN, or just sacrificing security for speed.

Peripherals can also be a major threat. USB and other computer components use Direct Memory Access (DMA) to bypass the processor. This allows for high performance data transfers. The CPU is completely oblivious to the DMA activity. There is a lot of trust involved in this situation. Here’s how this could be exploited: Like a diligent individual you’ve locked you Windows session. Someone walks in with their hacked USB key and plugs it into your computer. The USB key uses its DMA to kill the process locking your session. Voila! your terminal is now wide open and all they had to do was plug in their USB key, PSP, iPod

35 thoughts on “Don’t Trust Your Hardware

  1. As interesting as this is, I think the old addage still applies. If one can gain physical access to a machine, it’s as good as hacked anyway. Take for instance the myriad of offline password hacking tools that are already avaliable and combine them with these DMA hacks.

    The dangerous thing that I could see happening is some malware that injects vuln code onto any device that connects to it which then uploads code back onto computers the device is connected to.

    With R/W portable storage coming back (after the 1.44MB floppies quickly outgrew themselves), we’ll see sneakernet viruses possibly growing.

  2. This isn’t really anything new. About 5 years ago, I was using a cd-based tool that did the same thing. I can’t for the life of me remember what it was called, but you’d insert a CD into a locked machine, and if autorun was enabled it would unlock the session.

    Physical security is always a concern. My company just lifted the ban on the use of USB keys, but in order to use one, you can only have one of two secure models. Fortunately, our security team isn’t very knowledgable and don’t know that with SP2 you can disable writing to USB sticks (http://www.petri.co.il/configure_usb_disks_to_be_read_only_in_xp_sp2.htm). This comes in handy since they have blocked access to FTP on the Internet, and we use mostly HP servers…and HP puts all its drivers and updates on FTP. Duh.

    Speaking of encrypting keys, check out Truecrypt (http://www.truecrypt.org). An open source solution for Windows and Linux, it allows you to encrypt entire drives or create hidden, encrypted partitions on which to store your data. I keep all of my “personal” data on an triple-AES encrypted partition on my work laptop. I’ve got local login/off script setup to automatically mount or unmount the partition. If they give me the “can you come into my office for a minute”, I can lock my workstation, and that data’s just plain gone. If they log me off, the encrypted partition will unmount, and they’ll need my 25-character password to get into it again. Using NTFS junction points, I even keep my Firefox profile, IE temp files, etc all on that partition.

  3. If the DMA hardware is designed right this should leave it as a pure software issue. For DMA to work the software should first set up the buffers then enable transfers. Of course this assumes the hardware honours the limits put in place by software. A bad system design could leave you with a secuirty hole but DMA hardware design is pretty easy stuff…

  4. does anyone know of a way to rewrite the firmware on some usb drives to make them seem like a CDrom when inserted.. i know theres some specialty usb drives that have this feature that are being sold .. just wondering if i can revise mine to do so instead of wasting money on a new one to play with

  5. I’m glad I was wrong. yay!

    #7 there was a nifty program going around awhile back that was basically the autorun file and another file that would kill a screensaver without needing the password. I don’t know if it would unlock a locked workstation though. Seems unlikely but I haven’t heard of anyone doing it.

  6. can someone link a program i can drop onto my thumbdrive? i’d really like to kill the web blocker at my school. blocks hackaday!!! god forbid the children we supposedly teach to become creative individuals get to see creativity on the internet!!!

  7. people, this is relevant because of the direct memory access. that’s a very powerful tool. if running an ipod, for instance, you can have it insert some code into one of the threads and then the box will be at your mercy. now if there were a network card that did this, that would be something altogether different…

    oh, and physical security is important. social engineering is an integral part of hacking and some hackers get night jobs as custodians to be near the computers they intend to hack.

  8. As somebody already mentioned, (as interesting as this is), once physical access to the computer is obtained, your as good as hacked. No usb drive? That’s okay, I’ll just put a (bootable) cdrom in the cd drive, and hit the restart button on the front of the machine. If the computer doesn’t boot from the cdrom, and the bios is locked (so I can’t force a boot from cdrom) and I really wan’t information off of that computer, all is well, I’ll just open up the case and manually reset the bios memory (and hence reset the password). If that doesn’t work and I really, really want information off of the computer, I’ll just remove the harddrive, and take it with me. Your only protection here is to encrypt sensitive information on your computer. Fortunately most people don’t have information that is worth going through all of this trouble to get. Besides hackers like attacking a machine remotely, opening up the case and removing the harddrive isn’t very fun.

  9. back in the good old days I had a USB pen drive with an auto run script that would run a few programs and install a few others(trojans). so when you install the pendrive windows would mount it, run autorun.inf, kill any running program named *.scr then install subseven.
    [sVen]

  10. DMA doesn’t always imply you get access to all available memory. This is especially true for USB etc. When you transfer some piece of data, it will be put at some unknown reserved memory location and the driver gets notified by it. The chances of there being an exploit in the handling of it is probably very low after they are verified. For unverified drivers, the system will first ask wether to install it or not.
    The good news: PCI cards are risky and PCMCIA card probably too.

  11. NinjaKey started out as a project to sync up data on my USB drive and ended up turning into a viable “covert” reconnaissance solution. This is using a usb flash drive to retrieve the data you are looking for. *To be used for non-evil purposes of course* Flash drive prices are dropping quickly and places that once allowed these types of drives to be used at workstations are being very careful now.

  12. To #4,

    You have all this security in mind, but what happens if they use remote desktop or VNC or in read only mode and just watch you open things?

    Don’t ever assume what you are doing at work is secure from your employers. They could wait till you are gone and dump the memory and virtual memory. They can take periodic screenshots.

    #3 hit this right on. If someone is close enough to use a hacked USB keychain or plant one on an unsuspecting employee, then you have a personnel or physical security issue, not a software/hardware issue.

  13. 12:
    Get either Opera or Firefox. Then, get Tor and Privoxy. The Tor website should have instructions for setting up Privoxy and how to get webrowsers to use it (i.e., setting the browser to use a proxy server at localhost on port 8118). Put this all on your thumbdrive. You should be able to use that browser to bypass filtering once you run Tor and Privoxy.

    Thats what I do at my school, except I put everything hidden away on a shared network drive.

  14. I saw David Maynor’s talk in CanSecWest, and I didn’t believe a single word of what he said. All the presentation looked like it was put in 5 minutes, and made only to lough of something Dan Kaminsky said. David Maynor didn’t show a demo (he had lost his phone… but it was on his pocket right after he finished the presentation).

    On the other side, Maximillian Dornself does do what he sais (do direct DMA access from an iPod using firewire). Unless there is a bug in the USB drivers (like buffer overflow or something), it’s not feasable using the straight USB protocol, however, firewire protocol does include DMA (and that’s the problem)

  15. There are plenty of overflows in USB drivers, either device specific or class drivers, to exploit. I demonstrated two at BlackHat ’05. One point of my preso was to show that a device can be created that will convince an operating system to load a specific device driver (one you know to have an overflow) for the device to exploit.

  16. durrh? count me among the skeptical when it comes to the usb hackery. I think the presenter either doesn’t know what he’s talking about, or is throwing terms like “dma” around just to sound good.

    yes, your OHCI usb host controller can perform dma transfers. no, this doesn’t mean that a usb *device* has the ability to initiate a transfer to an arbitrary address.

    yes, a usb device driver could have a buffer overflow. this has everything to do with buggy drivers and nothing to do with usb in general.

    yes, you can put an autorun on a usb-mounted filesystem, and if you’re running a stupid os, it might run that. no, this is not news.

    yes, cardbus cards are effectively PCI cards and can perform arbitrary bus transactions. yes, this is interesting and can probably be used to bypass OS security.

    one out of four is pretty pathetic, for someone who’s claiming to be some sort of security expert.

Leave a Reply to yetiCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.