After a week or so of rumors, everyone is now reporting about the Spectre and Meltdown attacks against pretty much every modern processor out there.
These are side-channel attacks where one process can spy on other processes. They affect computers where an untrusted browser window can execute code, phones that have multiple apps running at the same time, and cloud computing networks that run lots of different processes at once. Fixing them either requires a patch that results in a major performance hit, or is impossible and requires a re-architecture of conditional execution in future CPU chips.
I’ll be writing something for publication over the next few days. This post is basically just a link repository.
EDITED TO ADD: Good technical explanation. And a Slashdot thread.
EDITED TO ADD (1/5): Another good technical description. And how the exploits work through browsers. A rundown of what vendors are doing. Nicholas Weaver on its effects on individual computers.
EDITED TO ADD (1/7): xkcd.
EDITED TO ADD (1/10): Another good technical description.
Posted on January 4, 2018 at 6:28 AM
Interesting destructive attack: “Acoustic Denial of Service Attacks on HDDs”:
Abstract: Among storage components, hard disk drives (HDDs) have become the most commonly-used type of non-volatile storage due to their recent technological advances, including enhanced energy efficacy and significantly-improved areal density. Such advances in HDDs have made them an inevitable part of numerous computing systems, including personal computers, closed-circuit television (CCTV) systems, medical bedside monitors, and automated teller machines (ATMs). Despite the widespread use of HDDs and their critical role in real-world systems, there exist only a few research studies on the security of HDDs. In particular, prior research studies have discussed how HDDs can potentially leak critical private information through acoustic or electromagnetic emanations. Borrowing theoretical principles from acoustics and mechanics, we propose a novel denial-of-service (DoS) attack against HDDs that exploits a physical phenomenon, known as acoustic resonance. We perform a comprehensive examination of physical characteristics of several HDDs and create acoustic signals that cause significant vibrations in HDDs’ internal components. We demonstrate that such vibrations can negatively influence the performance of HDDs embedded in real-world systems. We show the feasibility of the proposed attack in two real-world case studies, namely, personal computers and CCTVs.
Posted on December 26, 2017 at 9:34 AM
Andrew “bunnie” Huang and Edward Snowden have designed a hardware device that attaches to an iPhone and monitors it for malicious surveillance activities, even in instances where the phone’s operating system has been compromised. They call it an Introspection Engine, and their use model is a journalist who is concerned about government surveillance:
Our introspection engine is designed with the following goals in mind:
- Completely open source and user-inspectable (“You don’t have to trust us”)
- Introspection operations are performed by an execution domain completely separated from the phone’s CPU (“don’t rely on those with impaired judgment to fairly judge their state”)
- Proper operation of introspection system can be field-verified (guard against “evil maid” attacks and hardware failures)
- Difficult to trigger a false positive (users ignore or disable security alerts when there are too many positives)
- Difficult to induce a false negative, even with signed firmware updates (“don’t trust the system vendor”—state-level adversaries with full cooperation of system vendors should not be able to craft signed firmware updates that spoof or bypass the introspection engine)
- As much as possible, the introspection system should be passive and difficult to detect by the phone’s operating system (prevent black-listing/targeting of users based on introspection engine signatures)
- Simple, intuitive user interface requiring no specialized knowledge to interpret or operate (avoid user error leading to false negatives; “journalists shouldn’t have to be cryptographers to be safe”)
- Final solution should be usable on a daily basis, with minimal impact on workflow (avoid forcing field reporters into the choice between their personal security and being an effective journalist)
This looks like fantastic work, and they have a working prototype.
Of course, this does nothing to stop all the legitimate surveillance that happens over a cell phone: location tracking, records of who you talk to, and so on.
Posted on September 11, 2017 at 6:12 AM
Researchers demonstrated a really clever hack: they hid malware in a replacement smart phone screen. The idea is that you would naively bring your smart phone in for repair, and the repair shop would install this malicious screen without your knowledge. The malware is hidden in touchscreen controller software, which is trusted by the phone.
The concern arises from research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.
Academic paper. BoingBoing post.
Posted on August 28, 2017 at 6:22 AM
It costs less than $60.
For just a few bucks, you can pick up a USB stick that destroys almost anything that it’s plugged into. Laptops, PCs, televisions, photo booths—you name it.
Once a proof-of-concept, the pocket-sized USB stick now fits in any security tester’s repertoire of tools and hacks, says the Hong Kong-based company that developed it. It works like this: when the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges—all in the matter of seconds.
On unprotected equipment, the device’s makers say it will “instantly and permanently disable unprotected hardware”.
You might be forgiven for thinking, “Well, why exactly?” The lesson here is simple enough. If a device has an exposed USB port—such as a copy machine or even an airline entertainment system—it can be used and abused, not just by a hacker or malicious actor, but also by electrical attacks.
Posted on September 12, 2016 at 2:07 PM
Four researchers have demonstrated a TEMPEST attack against a laptop, recovering its keys by listening to its electrical emanations. The cost for the attack hardware was about $3,000.
To test the hack, the researchers first sent the target a specific ciphertext—in other words, an encrypted message.
“During the decryption of the chosen ciphertext, we measure the EM leakage of the target laptop, focusing on a narrow frequency band,” the paper reads. The signal is then processed, and “a clean trace is produced which reveals information about the operands used in the elliptic curve cryptography,” it continues, which in turn “is used in order to reveal the secret key.”
The equipment used included an antenna, amplifiers, a software-defined radio, and a laptop. This process was being carried out through a 15 cm-thick wall, reinforced with metal studs, according to the paper.
The researchers obtained the secret key after observing 66 decryption processes, each lasting around 0.05 seconds. “This yields a total measurement time of about 3.3 sec,” the paper reads. It’s important to note that when the researchers say that the secret key was obtained in “seconds,” that’s the total measurement time, and not necessarily how long it would take for the attack to actually be carried out. A real-world attacker would still need to factor in other things, such as the target reliably decrypting the sent ciphertext, because observing that process is naturally required for the attack to be successful.
For half a century this has been a nation-state-level espionage technique. The cost is continually falling.
Posted on February 23, 2016 at 5:49 AM
This weird story describes a “porn dog” that is trained to find hidden hard drives. It’s used in child porn investigations.
I suppose it’s reasonable that computer disks have a particular chemical smell, but I wonder what it is.
EDITED TO ADD (1/13): More info.
Posted on December 24, 2015 at 8:18 AM
This is impressive:
“An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near,” Apvrille says.
“[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.
“From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).”
That’s attacker to Fitbit to computer.
Posted on October 22, 2015 at 1:20 PM
This sort of thing is still very rare, but I fear it will become more common:
…hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.
Posted on January 8, 2015 at 3:11 PM