Differences between revisions 4 and 5
Revision 4 as of 2018-11-21 09:11:29
Size: 3562
Editor: admin
Comment:
Revision 5 as of 2018-12-02 15:48:10
Size: 3623
Editor: admin
Comment:
Deletions are marked like this. Additions are marked like this.
Line 23: Line 23:
A series of attacks have been known to convert sounds into either key strokes, or to (vague) monitor patterns. See [[https://www.inf.ed.ac.uk/publications/thesis/online/IM100855.pdf|this thesis]] and [[https://www.cs.tau.ac.il/~tromer/synesthesia/synesthesia.pdf|this paper]] A series of attacks have been known to convert sounds into either key strokes, or to (vague) monitor patterns. See [[https://www.inf.ed.ac.uk/publications/thesis/online/IM100855.pdf|this thesis]] and [[https://www.cs.tau.ac.il/~tromer/synesthesia/synesthesia.pdf|this paper]] and [[https://github.com/ggerganov/kbd-audio|this project]].

Physical security

Physical security is an overlooked part of security, that relies on ensuring that the system is safe from physical attack or tampering.

Evil maid attacks

An evil maid attack involves secretly physically modifying the boot media (hard drive, etc) of a system with a backdoor, such that the system is compromised the next time it's booted. This style of attack also includes UEFI root kits, which don't modify the hard disk at all, but simply compromise the boot loader as the bios loads it from disk. The TPM is used to attempt to prevent some classes of Evil maid attack. This style of defense also can't prevent a hardware keylogger or the like.

Postal attack

A postal attack is a class of evil maid attack specifically including hardware that's being shipped. An example would be computers being bought by a government agency from a reputable vendor. The computers are then secretly stopped in transit, secret backdoors are added, before being sent on to their final destination.

DMA attacks

These involve an unsecured or compromised PCI-E card (Such as a FireWire, Thunderbolt, etc. card) being used to clone or manipulate system ram. This then allows the attacker to dump encryption keys, bypass screen locks, or root kit the system by simply plugging in a FireWire or ThunderBolt connector. Inception is a software suite which performs that type of attack. DMA attacks on a running system are generally mitigated through the use of the IOMMU, and are the primary reason for Sys USB and Sys Net

Cold boot attacks

Ram doesn't immediately reset when you reset the CPU. Instead it slowly decays when powered off (more slowly if it's kept cold). In a cold boot attack, an attacker freezes system memory (with a cold spray), and resets the system. At that point they either use a compromised boot image to clone system ram, or they use a DMA attack to clone system ram on to their own system. At that point the ram image can be investigated to dump out encryption keys and the like. This then allows it to bypass full disk encryption if a system can be successfully attacked while running. See this presentation on a cold boot attack on BitLocker. Physical memory encryption, shipped by default on new AMD Ryzen series chips may mitigate cold boot attacks.

Acoustic attacks

A series of attacks have been known to convert sounds into either key strokes, or to (vague) monitor patterns. See this thesis and this paper and this project.

Visual attacks

The most secure password is insecure if someone with a camera and a telephoto lens can watch you enter it. It's also possible to recover sound through video, allowing acoustic attacks. See this project for details.

RF attacks

RF attacks are broadly divided into two groups:

  1. TEMPEST style attacks, where an adversary is listening in on EM produced by your system (generally looking for key presses or video data from the monitor)
  2. RF retro reflective attacks, where an adversary is "lighting up" an area with RF radiation and using the modulation of the reflections to provide data. See the RF retroreflector for details.

Security/Physical (last edited 2018-12-02 15:48:10 by admin)