(We took a break from our "standard fair" this weekend and didn't publish any standards-related diaries. 20/21 will be skipped as a result.)

Over the years, I have collected quite a number of "standard" connectors/cables and interfaces. This is certainly an area where standards seem to be proliferating quickly. To stick with our theme of security and security awareness, I would like to focus on a couple of popular standards and, in particular, outline the security aspects of each standard.

First of all, pretty much all peripherals connected to a system require drivers to interact with the device. These device drivers are frequently part of the kernel, and a vulnerability in a device driver will lead to a system compromise. I don't think the full potential of this class of vulnerabilities has been realized yet, but there have certainly been some notable exploits that were based on these vulnerabilities. Even simple devices like VGA monitors do send some data to the system, and could potentially be used to exploit vulnerabilities (I am not aware of a VGA vulnerability).

USB

The "Universal Serial Bus" is by now pretty old, and you can't buy a laptop or desktop without a USB port. In the past, the main risk of USB has been the ability to automatically launch software as the USB memory stick is plugged into the system. This vulnerability has been mostly eliminated in modern operating system configurations. However, there are still plenty of possible issues with USB:
Firewire (IEEE 1394)

A lot of attention has been spent on USB. Firewire, on the other hand, provides an entirely different level of access to the system. Firewire extends the PCI bus and allows access to the system in ways similar to PCI plug-in boards. An attacker with access to the Firewire bus can read and manipulate memory and access devices (like hard drives) connected to the bus.
(Sorry for the lack of links/URLs for this section, but the main source of these tools, http://www.storm.net.nz/projects/16 , hasn't been up in a while.)

Thunderbolt (Light Peak)

This is a relatively new technology, initially introduced by Apple and Intel. Currently, the first non-Apple laptops are starting to appear with Thunderbolt ports. Thunderbolt is pretty much a further development of the Firewire concept. It allows direct access to the newer PCIe bus and includes a video bus via DisplayPort. At this point, not a lot of work has been done exploiting Thunderbolt, but more or less all exploits that worked against Firewire should in principle work with Thunderbolt. The bus is not authenticated, and a device like a monitor may disguise an internal second device that will then read and manipulate data on the system via the Thunderbolt interface. There is very little visibility into the data exchanged via Thunderbolt (we need something like tcpdump for these ports).

[1] http://www.pjrc.com/teensy/
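As an added example (not from the diary or its author), the following Linux-only check reports whether the FireWire or Thunderbolt bus drivers are active, whether an IOMMU is registered (a prerequisite for restricting device DMA), and whether a Thunderbolt domain reports the security level `none`. The sysfs paths are standard Linux kernel interfaces; the function names and report format are assumptions made for this illustration.

```python
import os

# Bus names as registered under /sys/bus by the Linux firewire-core and
# thunderbolt drivers. Both buses give attached devices DMA-style access.
DMA_BUSES = ("firewire", "thunderbolt")


def _listdir(path):
    """Return sorted directory entries, or [] if the path is absent."""
    try:
        return sorted(os.listdir(path))
    except OSError:
        return []


def _read(path):
    """Return stripped file contents, or None if unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def audit_dma_buses(sysfs="/sys"):
    """Summarise DMA-capable external bus exposure on a Linux host.

    `sysfs` is a parameter so the check can run against a copied or
    constructed tree as well as the live /sys.
    """
    iommu = bool(_listdir(os.path.join(sysfs, "class", "iommu")))
    report = {"iommu_present": iommu, "buses": {}, "findings": []}
    for bus in DMA_BUSES:
        bus_dir = os.path.join(sysfs, "bus", bus)
        if not os.path.isdir(bus_dir):
            continue  # bus driver not registered: nothing to report
        devices = _listdir(os.path.join(bus_dir, "devices"))
        report["buses"][bus] = devices
        if not iommu:
            report["findings"].append(f"{bus}: driver active, no IOMMU registered")
        for dev in devices:
            # Thunderbolt domains expose the firmware security level here;
            # FireWire devices have no such attribute and are skipped.
            level = _read(os.path.join(bus_dir, "devices", dev, "security"))
            if level == "none":
                report["findings"].append(f"{bus}/{dev}: security level 'none'")
    return report


if __name__ == "__main__":
    for line in audit_dma_buses()["findings"] or ["no findings"]:
        print(line)
```

An empty findings list only means these two conditions were not observed; it does not show that DMA from an attached device is actually blocked.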
Johannes 4069 Posts ISC Handler Oct 22nd 2012
Dear Johannes,
In the second bullet point under USB you say "This would happen even if auto-execute is enabled." Shouldn't that be "disabled"?
Anonymous, Oct 23rd 2012
You may want to amend the second bullet point under Firewire - Carsten Maartmann-Moe's "Inception" will do the in-memory patch on Windows XP, Vista, 7 and 8, and the last few versions of OS X and Ubuntu Linux.
Anonymous, Oct 23rd 2012
Even when autorun is disabled, mounted volumes are read. A custom volume icon could leverage a vulnerable graphic library.
I seem to recall BIOS replacement boards for ISA. PCI/PCIe may allow similar pre-OS load access. Firewire and Thunderbolt could then allow for rootkit-like exploitation from these ports.
G.Scott H. (48 Posts), Oct 23rd 2012