Warning - hackers can "own" your machine if you plug into an evil Thunderbolt device

[wisty]

http://www.breaknenter.org/2012/02/...cking-macs-through-the-thunderbolt-interface/

This is a hardware issue - any OS is vulnerable (but Thunderbolt is basically Mac only for now).

Be careful of Thunderbolt and Firewire devices. This is a Firewire hack, but Thunderbolt can work as Firewire. It's probably worse on Thunderbolt, since Thunderbolt is used for monitors. If an attacker can get to your thunderbolt monitor, they can get right into the heart of your computer.

In a nutshell, part of the Firewire spec is that it can access the lower 4 Gig of RAM on your machine. Any bad device can get all your passwords, and there's not much you (or the OS) can do to stop it. OSX has fairly weak password protection too.

Since Thunderbolt daisy chains, you can get attacked by a guy who puts an attack machine on a safe device, like a thunderbolt monitor. There's not many places where you can access public thunderbolt projectors and monitors.

Fortunately, most Thunderbolt drives are from reputable companies, unlike USB drives. But the security implications are still a bit worrying. It's also going to hurt Thunderbolt adoption, because Windows is a bigger target for hackers. Security conscious companies won't buy anything with Thunderbolt on it if it's going to leave them open to very discrete physical hacks. You could attach mobile phone with TB to the CEO's TB monitor, then daisy-chain into her machine. Or attach a TB mobile to a public TB overhead projector inlet, and own anyone who connects.

 

[arn]

I think it's well assumed if you have physical access to someone's computer, all bets are off in terms of security.

arn

 

[miles01110]

Security conscious companies won't buy anything with Thunderbolt on it if it's going to leave them open to very discrete physical hacks.

This issue of hardware security issues hasn't stopped "security conscious companies" from buying computers with USB ports or ethernet ports. I don't think this is a realistic claim at all.

 

[wisty]

I think it's well assumed if you have physical access to someone's computer, all bets are off in terms of security.

arn

Yeah, the police can get to your RAM if they get a trained technician to physically disassemble you computer.

This hack means that someone can hack your machine by discreetly plugging a device into your monitor.

This issue of hardware security issues hasn't stopped "security conscious companies" from buying computers with USB ports or ethernet ports. I don't think this is a realistic claim at all.

Security conscious companies disable USB and audit ethernet. There's very few security issues with ethernet, except OS ones. The only problem with ethernet is, people use it to connect Windows computers to the internet. Security conscious companies also ban the internet, or have good firewalls.

A malicious USB device can contain a hub, and emulate some kind of malicious keyboard. This can be used to type "start; run cmd; (do something evil)", but this is much less dangerous than invisible access to RAM. I don't know if this is done in the wild. The main problem with USB is people put sensitive documents on them, then leave them in airport lounges.

The Firewire attack is more scary, because it can do practically anything.

edit: there's some USB attacks here: http://www.irongeek.com/i.php?page=...alicious-usb-devices#2.4_Hardware_key_loggers. Evil autorun.ini's (Windows), viruses, and virtual keyboards can all be stopped by the OS. Keyboard loggers need to be connected between your keyboard and computer. The Firewire attacks are pure hardware, and can't be stopped if an attacker can get to any of your peripherals with a daisychain port, and gives full access to your computer.

 

[miles01110]

Your posting suggests that you just read this somewhere and are reciting it in turn. The simple fact is that very few companies try to defend a workstation from an attacker with physical access. The assumption is that they won't get that far. If they do get to the point of being able to open your machine and do whatever they want with it you've got far bigger issues.

Yeah, the police can get to your RAM if they get a trained technician to physically disassemble you computer.

This hack means that someone can hack your machine by discreetly plugging a device into your monitor.

Security conscious companies disable USB and audit ethernet. There's very few security issues with ethernet, except OS ones. The only problem with ethernet is, people use it to connect Windows computers to the internet. Security conscious companies also ban the internet, or have good firewalls.

A malicious USB device can contain a hub, and emulate some kind of malicious keyboard. This can be used to type "start; run cmd; (do something evil)", but this is much less dangerous than invisible access to RAM. I don't know if this is done in the wild. The main problem with USB is people put sensitive documents on them, then leave them in airport lounges.

The Firewire attack is more scary, because it can do practically anything.

edit: there's some USB attacks here: http://www.irongeek.com/i.php?page=...alicious-usb-devices#2.4_Hardware_key_loggers. Evil autorun.ini's (Windows), viruses, and virtual keyboards can all be stopped by the OS. Keyboard loggers need to be connected between your keyboard and computer. The Firewire attacks are pure hardware, and can't be stopped if an attacker can get to any of your peripherals with a daisychain port, and gives full access to your computer.

 

[wisty]

Your posting suggests that you just read this somewhere and are reciting it in turn. The simple fact is that very few companies try to defend a workstation from an attacker with physical access. The assumption is that they won't get that far. If they do get to the point of being able to open your machine and do whatever they want with it you've got far bigger issues.

When I say "companies", I really mean "governments, regulated industries, and any companies who do contracting for governments or regulated industries". It's especially important in defence and health. Banks also care about security. Given the money that goes into these areas, it's not trivial.

As you say, not many companies worry about physical attacks, because a physical attack is usually pretty obvious. If someone can open your machine, they can do what they want.

This isn't about opening a machine. You don't need any skill, or a screwdriver. You'd need a cable, an attack machine (maybe a laptop, or a specialized piece of hardware than can be left in place), and access to their monitor. It could be done very discretely.

Also, it's not something the attacker needs to do. They could just booby-trap a Thunderbolt monitor (or projector), then hack every machine that plugs in. Did you think plugging your computer into a monitor could give it a virus? I didn't.

 

[GGJstudios]

Did you think plugging your computer into a monitor could give it a virus?

It can't. There are no Mac OS X viruses.

Warning! Hackers can "own" your machine if you let them have access to your evil keyboard or mouse!

As arn said, all bets are off if you allow physical access to your computer. This is zero threat to any user who exercises a modicum of common sense and care.

 

[miles01110]

When I say "companies", I really mean "governments, regulated industries, and any companies who do contracting for governments or regulated industries". It's especially important in defence and health. Banks also care about security. Given the money that goes into these areas, it's not trivial.

I understood exactly what kind of organizations you're talking about.

As you say, not many companies worry about physical attacks, because a physical attack is usually pretty obvious. If someone can open your machine, they can do what they want.

Exactly, which is why I'm not really sure why you're "warning" us about this because it's obvious. I'm also unclear as to your desired audience - not many government or corporate security professionals are going to find this a revelation.

This isn't about opening a machine. You don't need any skill, or a screwdriver. You'd need a cable, an attack machine (maybe a laptop, or a specialized piece of hardware than can be left in place), and access to their monitor. It could be done very discretely.

It takes no skill to design malware deliverable by a Thunderbolt peripheral? I don't know about that. It takes no effort to bypass multiple layers of physical security to attach the device to a machine with the information you desire on it? Not sure about that either.

In any case I think this article is irrelevant. As an example, the US government won't have computers with Thunderbolt ports in widespread use until at least 2050.

 

[kolax]

Also in the news, by default, Apple's screensaver doesn't require a password, therefore creating a huge security flaw should someone gain physical access to your machine.

 

[old-wiz]

Don't you think that anyone using a Mac or any other machine would notice someone plugging something into their system? There are many other things to worry about rather than someone plugging something into your machine.

 

[Hawkeye16]

Also in the news, by default, Apple's screensaver doesn't require a password, therefore creating a huge security flaw should someone gain physical access to your machine.

lol, nice.

My company is in a regulated industry and they have no USB port protection (don't know of many that do actually). Internet protection yes, but definitely not physical protection aside from cable locks.

 

[chrono1081]

Not concerned at all with this. Like others said, if someone has physical access to your machine, they have everything on it.

As for regulated industries, I can tell you first hand that security with them generally sucks. Many places allow USB drives, or admin rights, or numerous other things.

Not to mention working in IT, you'd be amazed how many people leave sensitive material up on their machine for any prying eyes to see. I can't tell you how many times I've had to tell users to close any documents on screen before I touch their machine because they have something extremely sensitive up. THAT is the type of stuff companies should be concerned about and is much more of a vulnerability than an obscure thunderbolt hack.

 

[carmaa]

About the linked blog post

Not concerned at all with this. Like others said, if someone has physical access to your machine, they have everything on it.

Hi, Break & Enter guy here.

I think it is prudent to think of all machines that has been stolen, confiscated, inspected by customs, left out of sight while powered on, etc. as damaged goods, and handle them as compromised.

The biggest problem with the attack I wrote about on my blog is that physical access is not always easy to spot. Let's say for example that you were presenting at a conference, and someone had rigged the Thunderbolt projector (not available yet, I know, I know) you are using with an attacking machine connected to the secondary Thunderbolt interface. You would have what I assume most people think of as "physical control" (you never leave the machine out of sight) of the machine, yet it can be compromised right there in front of you. Worse, the only thing you will see at your end (in logs, etc.) is that a FireWire device connected.

People don't realize that poorly designed device protocols may compromise their machines. But you are right, most people don't need to worry about this stuff. But then again, some do. This is a relevant attack vector for certain types of organizations, like it or not.

You'll see me at the next Black Hat conference, handing out free rainbow tables from a Thunderbolt disk.

 

[Consultant]

The same problem are a reaility on PCs for years using USB thumbdrives.

This is claimed to be a concept. There is NO demonstration of it working.

If someone has access to your computing area, they could also install video cameras, etc to spy on you.

 

[KPOM]

The same problem are a reaility on PCs for years using USB thumbdrives.

This is claimed to be a concept. There is NO demonstration of it working.

If someone has access to your computing area, they could also install video cameras, etc to spy on you.

I think the genesis of this was that about two weeks ago a company that sells forensic services claimed that with 40 minutes they could break through FileVault2 (or BitLocker or any other software-based whole disk encryption method) with physical access through a FireWire or Thunderbolt port. Apparently it has something to do with how software-based encryption stores the key in memory. Naturally, they were selling a $995 product to do this.

 

[carmaa]

The same problem are a reaility on PCs for years using USB thumbdrives.

This is claimed to be a concept. There is NO demonstration of it working.

If someone has access to your computing area, they could also install video cameras, etc to spy on you.

I'll publish a video in a couple of days, but I'm not so sure that will convince you...

There is a big difference between rigging a computing area with cameras as opposed to plugging in a Thunderbolt drive, IMHO. Both in effort and risk for the attacker. Also, consider that the attack the works even better on PCs, as Windows has yet to provide DMA protection when the PC is locked (as introduced in later OS X Lion versions).

Most people are aware of the USB issue (and the issues are not the same: USB attacks have to exploit the operating system or make the user interact to be successful). People do, however, not seem to be aware of the DMA issues (just look at the press it gets each time it is resurrected). It is funny how these weaknesses has been known since 2004 (at least), and still gets press.

 

[Peace]

Well jeez.

If I had physical access to a computer I wouldn't need any external device to hack it.

 

[chrono1081]

Hi, Break & Enter guy here.

I think it is prudent to think of all machines that has been stolen, confiscated, inspected by customs, left out of sight while powered on, etc. as damaged goods, and handle them as compromised.

The biggest problem with the attack I wrote about on my blog is that physical access is not always easy to spot. Let's say for example that you were presenting at a conference, and someone had rigged the Thunderbolt projector (not available yet, I know, I know) you are using with an attacking machine connected to the secondary Thunderbolt interface. You would have what I assume most people think of as "physical control" (you never leave the machine out of sight) of the machine, yet it can be compromised right there in front of you. Worse, the only thing you will see at your end (in logs, etc.) is that a FireWire device connected.

People don't realize that poorly designed device protocols may compromise their machines. But you are right, most people don't need to worry about this stuff. But then again, some do. This is a relevant attack vector for certain types of organizations, like it or not.

You'll see me at the next Black Hat conference, handing out free rainbow tables from a Thunderbolt disk.

If I ever see you I'm not letting my Mac near your Thunderbolt drive

I did like the article, it was very interesting and sadly you are right about people being too trusting on hardware.

 

[carmaa]

I think the genesis of this was that about two weeks ago a company that sells forensic services claimed that with 40 minutes they could break through FileVault2 (or BitLocker or any other software-based whole disk encryption method) with physical access through a FireWire or Thunderbolt port. Apparently it has something to do with how software-based encryption stores the key in memory. Naturally, they were selling a $995 product to do this.

This is a problem with all software-based encryption, and it is not a FileVault2-specific issue. The encryption software needs the key to be loaded in memory while the encrypted disk is mounted to be able to encrypt/decrypt disk content. Check out the cold boot paper from Princeton for more on this.

BUT: OS X stores the password of the logged-in user in plaintext in memory (big security no-no) as well. I cannot think of any reason why OS X would need this.

Oh, btw, Inception is free as opposed to Passware's tool.

/shameless plug

 

[Consultant]

I'll publish a video in a couple of days, but I'm not so sure that will convince you...

There is a big difference between rigging a computing area with cameras as opposed to plugging in a Thunderbolt drive, IMHO. Both in effort and risk for the attacker. Also, consider that the attack the works even better on PCs, as Windows has yet to provide DMA protection when the PC is locked (as introduced in later OS X Lion versions).

Most people are aware of the USB issue (and the issues are not the same: USB attacks have to exploit the operating system or make the user interact to be successful). People do, however, not seem to be aware of the DMA issues (just look at the press it gets each time it is resurrected). It is funny how these weaknesses has been known since 2004 (at least), and still gets press.

How come you didn't offer the simple solution to Mac users, which is to turn on firmware password?

 

[GGJstudios]

How come you didn't offer the simple solution to Mac users, which is to turn on firmware password?

How would that help in the scenario described in the OP, since the premise is that you would plug your own Mac into a "contaminated" device, long after any firmware password has been entered?

 

[Amazing Iceman]

The reality is that any system is vulnerable to get hacked, specially when you provide the hacker with physical access to your computer.
For example, Someone with the right knowledge can easily gain total access to a Windows Enterprise Server in less than 10 minutes, if given physical access to it.

If someone is so eager to obtain your data he/she may opt for stealing it, then will hack it.

Many companies disable the USB ports by detaching the cables from the motherboard, but leave the ports in the back for keyboard and mouse connectivity; so much for protection. Any other means of software protection such as user policies, only apply at the OS level.
Another option, if the hacker has enough time, he/she could open the computer and do a RAW mirror image copy of the hard drive, dealing with hacking later. This way, if the drive is encrypted, there will be time to deal with it.

Thunderbolt is like PCIe made external, so this 'Problem' has existed for years already.

One solution would be for every Thunderbolt device to have a unique hardware signature (I believe these already have it?), then implementing rules at the BIOS level to allow certain hardware signatures and reject the rest.

If you worry too much, then be careful: Paranoia will destroy ya.

----------

The same problem are a reaility on PCs for years using USB thumbdrives.

This is claimed to be a concept. There is NO demonstration of it working.

If someone has access to your computing area, they could also install video cameras, etc to spy on you.

Yeah, cameras the size button, or concealed in a hat, pen, clock, poster on the wall, wobbling head on top of your monitor, etc, that could be recording you while your enter your password.

Other companies protect themselves so much, but when you look under their users' keyboards, you may find a sticky note with their passwords.

 

[carmaa]

How come you didn't offer the simple solution to Mac users, which is to turn on firmware password?

Good question, I did link to resources where this option for mitigation is outlined, but I guess I could expand on that in the blog post as well.

 

[Consultant]

How would that help in the scenario described in the OP, since the premise is that you would plug your own Mac into a "contaminated" device, long after any firmware password has been entered?

The site noted why. I've noted in a more concise way here.
http://obamapacman.com/2012/02/fire...an-compromise-thunderbolt-computers-os-x-fix/

Good question, I did link to resources where this option for mitigation is outlined, but I guess I could expand on that in the blog post as well.

The option is pretty clear if people read the thing in full. But I thought I'd mention it here.

 

[GGJstudios]

The site noted why. I've noted in a more concise way here.

Thanks, I missed that when I first skimmed the article.