zlacker

[parent] [thread] 8 comments
1. i4k+(OP)[view] [source] 2024-10-07 15:45:18
This was very well written and an amazing challenge but my brain is wired to that "hacking common sense" that if you have physical access then it's already over... the first thing that came to my mind was that, if you have physical access, then you can reflash the BIOS, install a driver backdoor, you can boot a live OS and then it's just a matter of tampering /etc/{passwd,shadow,groups, etc} ...

but I remembered that most of the physical access hacks would not be possible if the disk is encrypted.. which then makes this kind of hack enormously attractive.

The antenna idea can be extended to be a piece of hardware with the interference device built-in (piezo or whatever) which communicates with the external world with any wireless medium and then the attacker can trigger the interference remotely. This, plus a website controlled by the hacker which the victim is scammed to visit can be enough to make it viable.

replies(3): >>333c+T >>johnis+c1 >>ruslan+h51
2. 333c+T[view] [source] 2024-10-07 15:50:32
>>i4k+(OP)
The motivation in the introduction is rooting/jailbreaking a handheld game console. I think this is a perfectly plausible situation where you have physical access but still want to obtain "unauthorized" access.
replies(1): >>i4k+Cr1
3. johnis+c1[view] [source] 2024-10-07 15:52:08
>>i4k+(OP)
> I remembered that most of the physical access hacks would not be possible if the disk is encrypted..

Only if you have not booted into your system through using a keyfile or a passphrase to decrypt the data, i.e. if your PC is shut down. I have full disk encryption, and when I boot into my system, it uses the keyfile with which it would perform the decryption, and boom, I have my PC ready to be accessed physically.

replies(1): >>causal+yP2
4. ruslan+h51[view] [source] 2024-10-07 21:36:55
>>i4k+(OP)
AFAIC, reflashing BIOS won't give you anything, you need to sign it first with proper private key which is checked by the CPU hardware before execution begins. This EMI trick fools CPU itself and I cannot see how it can be fixed, unless new paging algorithm is invented.
replies(2): >>themoo+E91 >>i4k+Yr1
◧◩
5. themoo+E91[view] [source] [discussion] 2024-10-07 22:09:46
>>ruslan+h51
This specifically is trivially defeated by ECC, though it wouldn't be that much harder to instead flip 3 bits and ECC would be unable to help. ECC has very poor penetration outside the server world though, so we're still safe. For now.
replies(1): >>ruslan+cv2
◧◩
6. i4k+Cr1[view] [source] [discussion] 2024-10-08 00:46:04
>>333c+T
I get it, makes sense
◧◩
7. i4k+Yr1[view] [source] [discussion] 2024-10-08 00:50:54
>>ruslan+h51
It depends on the target hardware.

- https://github.com/binarly-io/SupplyChainAttacks/tree/main/M...

- https://github.com/binarly-io/SupplyChainAttacks/tree/main/L...

- https://github.com/binarly-io/SupplyChainAttacks/tree/main/P...

◧◩◪
8. ruslan+cv2[view] [source] [discussion] 2024-10-08 12:47:10
>>themoo+E91
I've thought a little bit more about this case and came to conclusion that to mitigate this attack paging agorimths can be improved by using redundancy and CRC checks with not too much overhead. Yet it takes a lot of work and investment, so it won't happen any time soon. Yes we are safe for now.
◧◩
9. causal+yP2[view] [source] [discussion] 2024-10-08 14:56:30
>>johnis+c1
Would flashing BIOS post-boot really work though?

Also don't see how the article's exploit would be useful pre-decryption.

[go to top]