top | item 41767156


i4k | 1 year ago

This was very well written and an amazing challenge, but my brain is wired to that "hacking common sense" that if you have physical access then it's already over... The first thing that came to my mind was that, if you have physical access, then you can reflash the BIOS, install a driver backdoor, or boot a live OS, and then it's just a matter of tampering with /etc/{passwd,shadow,groups, etc} ...

But I remembered that most of the physical access hacks would not be possible if the disk is encrypted... which then makes this kind of hack enormously attractive.

The antenna idea can be extended to be a piece of hardware with the interference device built in (piezo or whatever), which communicates with the external world over any wireless medium, so that the attacker can trigger the interference remotely. This, plus a website controlled by the hacker which the victim is scammed into visiting, can be enough to make it viable.

333c|1 year ago

The motivation in the introduction is rooting/jailbreaking a handheld game console. I think this is a perfectly plausible situation where you have physical access but still want to obtain "unauthorized" access.

i4k|1 year ago

I get it, makes sense

ruslan|1 year ago

AFAIC, reflashing the BIOS won't give you anything; you need to sign it first with the proper private key, which is checked by the CPU hardware before execution begins. This EMI trick fools the CPU itself and I cannot see how it can be fixed, unless a new paging algorithm is invented.

themoonisachees|1 year ago

This specifically is trivially defeated by ECC, though it wouldn't be that much harder to instead flip 3 bits and ECC would be unable to help. ECC has very poor penetration outside the server world though, so we're still safe. For now.
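To make the ECC point above concrete, here is an added simulation (not code from the article or from anyone in this thread) of the SECDED extended Hamming code in the (72,64) geometry used on server DIMMs: one flipped bit is corrected, two are detected but cannot be corrected, and three get past the decoder, which in fact "corrects" the word to a wrong value and reports success. The data word and the flip positions are constructed for the demo; the decoder's handling of a syndrome that points outside the codeword is an assumption about how the error would be flagged.

```python
"""
SECDED (single-error-correcting, double-error-detecting) extended Hamming
code in the (72,64) geometry of DRAM ECC, to show what it catches and what
it misses. Added illustration, not code from the article or the thread.
Codeword index 0 holds the overall parity bit; indices 1..71 form a
Hamming(71,64) code with check bits at the power-of-two positions.
"""
from dataclasses import dataclass

DATA_BITS = 64


def _num_check_bits(m: int) -> int:
    """Smallest r with 2**r >= m + r + 1 (the Hamming bound)."""
    r = 0
    while (1 << r) < m + r + 1:
        r += 1
    return r


CHECK_BITS = _num_check_bits(DATA_BITS)   # 7 for 64 data bits
CODE_LEN = DATA_BITS + CHECK_BITS + 1     # 72, the +1 is the overall parity


def _is_pow2(x: int) -> bool:
    return x != 0 and (x & (x - 1)) == 0


def encode(data: int) -> list[int]:
    """Return the 72-bit codeword as a list of bits (index 0 = overall parity)."""
    assert 0 <= data < (1 << DATA_BITS)
    cw = [0] * CODE_LEN
    # Data bits fill positions 1..71 that are not powers of two.
    d = 0
    for pos in range(1, CODE_LEN):
        if not _is_pow2(pos):
            cw[pos] = (data >> d) & 1
            d += 1
    # Check bit at position 2**i covers every position whose index has bit i set.
    for i in range(CHECK_BITS):
        p = 1 << i
        parity = 0
        for pos in range(1, CODE_LEN):
            if pos != p and (pos & p):
                parity ^= cw[pos]
        cw[p] = parity
    # Overall parity makes the whole word even; it distinguishes 1 from 2 errors.
    cw[0] = sum(cw[1:]) & 1
    return cw


@dataclass
class DecodeResult:
    data: int
    status: str  # "ok", "corrected" or "uncorrectable"


def decode(cw: list[int]) -> DecodeResult:
    """Decode as a DRAM controller would: correct 1 flip, flag 2, trust anything else."""
    cw = list(cw)
    syndrome = 0
    for pos in range(1, CODE_LEN):
        if cw[pos]:
            syndrome ^= pos          # XOR of the indices of all set bits
    parity_odd = sum(cw) & 1
    if syndrome == 0 and not parity_odd:
        status = "ok"
    elif parity_odd:
        # Odd number of flips: the decoder assumes exactly one and flips the
        # bit the syndrome points at (syndrome 0 means the overall parity bit).
        if syndrome < CODE_LEN:
            cw[syndrome] ^= 1
            status = "corrected"
        else:
            status = "uncorrectable"  # assumption: out-of-range syndrome is flagged
    else:
        status = "uncorrectable"     # even flips, nonzero syndrome: a detected double error
    data, d = 0, 0
    for pos in range(1, CODE_LEN):
        if not _is_pow2(pos):
            data |= cw[pos] << d
            d += 1
    return DecodeResult(data, status)


def flip(cw: list[int], positions: list[int]) -> list[int]:
    """Simulate fault injection by flipping the given codeword positions."""
    out = list(cw)
    for p in positions:
        out[p] ^= 1
    return out


def demo(data: int = 0x0123456789ABCDEF) -> dict[str, tuple[str, bool]]:
    """Map each constructed flip pattern to (decoder status, data intact?)."""
    cw = encode(data)
    cases = {
        "1 flip": [10],
        "2 flips": [10, 20],
        "3 flips (a^b^c != 0)": [10, 20, 40],  # syndrome 54: a 4th bit gets flipped
        "3 flips (a^b^c == 0)": [3, 5, 6],     # syndrome 0: only the parity bit is "fixed"
    }
    return {name: (r.status, r.data == data)
            for name, pos in cases.items()
            for r in [decode(flip(cw, pos))]}


if __name__ == "__main__":
    for name, (status, intact) in demo().items():
        print(f"{name:24s} -> {status:14s} data intact: {intact}")
```

The two triple-flip cases are the interesting ones: the decoder reports "corrected" in both, yet the returned data is wrong, so an EMI-induced three-bit flip in a page-table entry would not even show up in the machine-check counters that a single-bit flip would trip. The decoder here assumes the textbook SECDED policy; real memory controllers add scrubbing and logging on top of it, but the same arithmetic limit applies.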

johnisgood|1 year ago

> I remembered that most of the physical access hacks would not be possible if the disk is encrypted..

Only if you have not booted into your system using a keyfile or a passphrase to decrypt the data, i.e. if your PC is shut down. I have full disk encryption, and when I boot into my system, it uses the keyfile with which it performs the decryption, and boom, I have my PC ready to be accessed physically.

causal|1 year ago

Would flashing BIOS post-boot really work though?

Also don't see how the article's exploit would be useful pre-decryption.