
Hypothetical scenario (please note that this is indeed hypothetical, and I would never dream of actually doing this. I'm asking out of curiosity.)

  1. I have a normal desktop computer with a clean installation of Windows 10 and no personal or sensitive data on the machine at all. The computer is not sharing a local network with any other devices. This is a normal system, and not a virtual machine.

  2. I give a malicious user remote access to this machine, through the software TeamViewer. The peripherals like USB keyboard, mouse, etc., are disconnected the moment he gets access. The malicious user can spend a few hours doing whatever they want.

  3. After the malicious user is done, the computer is immediately shut down. I then boot from a Linux live CD, format the internal drive of the computer, and install a clean installation of an operating system (either Windows 10 or Debian, for example). There are no other storage devices connected to the computer.

In this case, in what ways could my computer still be compromised or damaged? We can say that the malicious user knew I might format the drive, and prepared especially for that. They might simply have been interested in doing damage, or compromising the computer in some way.

Fiksdal
  • There are social and criminal law aspects of letting anyone use your desktop computer that are a lot more important than damage to hardware. – Paul Sep 02 '17 at 20:43
  • @Paul has the right idea IMHO. Yes, there could be hardware damage or a clever piece of malware that survives the re-installation process. None of that compares to them downloading something highly illegal and calling the local authorities to report you for running an illegal X ring. – Rob P. Sep 03 '17 at 00:25
  • You assume #3 is done, but realize that a malicious user could have just made a fake OS/BIOS screen appear (to fool you into thinking that all was being cleanly re-installed). – bobuhito Sep 03 '17 at 20:32
  • @bobuhito This sounds like the start of a good answer, rather than a comment! – Fiksdal Sep 03 '17 at 20:37
  • Note that, without a privilege escalation vulnerability, most of the answers given require administrative rights. This means that you either launched TeamViewer as administrator or installed the full version. Without proper installation and configuration, most actions would just trigger the "please confirm this is ok" message on the user screen, and freeze the attacker session. – BgrWorker Sep 04 '17 at 12:41
  • In essence, any answer to this question is one of two options: either altering permanent storage besides the harddisk (in practice: boot flash) or permanent hardware damage (which is virtually impossible with 21st century hardware). All the "overheat" answers ignore the fact that vulnerable hardware generally has a hardwired temperature switch-off. – MSalters Sep 04 '17 at 13:18
  • @MSalters This seems to me like answer material rather than comment-material. – Fiksdal Sep 04 '17 at 13:30

4 Answers


On some CRT monitors there was a relay that was engaged when changing screen mode. By changing screen mode repeatedly very fast, it was possible to destroy this relay.

Apparently some modern monitors can be wrecked by forcing them into invalid screen modes, but they must be pretty rubbish monitors.

Someone has mentioned flashing the BIOS to wreck that.

The microcode on some CPUs can be amended: wreck the CPU.

If it is a laptop, it may be possible to wreck the battery by reprogramming it: http://www.pcworld.com/article/236875/batteries_go_boom.html

With flash memory based SSDs or USB drives, re-write the same part of memory over and over to have it reach its end of life sooner.

On a cheap hard drive, forcing the stepper motor to push the drive heads fully one way beyond the end of the drive and then step back, repeatedly, could knock the heads out of alignment. I've known drives where the heads could get stuck if sent beyond their proper range (Tulip brand PCs in the 1990s).

I also wonder if you could change any BIOS settings such that the RAM or CPU or even GPU could be damaged, by overclocking or changing the board voltages.

Cook the GPU by driving it hard after over-riding its automatic temperature control. Ditto for the CPU.

Change BIOS settings to turn off the CPU fan then drive the CPU hard enough to cook it.

Simes
  • Nice different answer. I was thinking more of "normal" attacks that are "permanent" in terms of reformatting ... but permanent hardware damage is nice too :D – deviantfan Sep 02 '17 at 19:25
  • +1, great answer. Can you change these BIOS settings from within Windows? – Fiksdal Sep 02 '17 at 19:29
  • Since the whole BIOS "program" can be replaced from within Windows, yes. If the stored settings are not directly accessible, just use a modified BIOS that ignores the stored settings and uses its own values. – deviantfan Sep 02 '17 at 19:49
  • I'm pretty sure CPU microcode adjustments don't persist. – Joshua Sep 03 '17 at 15:28
  • A few of these could lead to burning down your house. Which could lead to burning down the neighbourhood, or a nearby forest. – Nacht Sep 04 '17 at 00:41
  • The harddisk tricks don't work anymore - modern harddisks are no longer controlled by explicit positions (the CHS stuff). Instead, you just tell the harddisk which sector number you want, and it figures out where that sector is physically located. Pass too big a number, and it simply won't have a location at all. IIRC, this changed somewhere around 1995. – MSalters Sep 04 '17 at 13:21
  • Of the BIOS-based attacks, UEFI is particularly insidious because you **may** believe everything is fine, install a new, clean OS and ... well, it isn't clean. – biziclop Sep 04 '17 at 14:17

Let's assume the worst possible attacker. And for some reason, attacking without teamviewer isn't an option (like, the SMB bug, AMT in the CPU, any 0day from that angle, deliberate backdoors from MS and US government, ...).

Step 1: Using another 0day that only works if the attacker already has access to the desktop (but no admin) to get admin permissions. Then...

  • Configuring Intel's AMT (or AMD's counterpart). Result: total control as long as a network connection is possible (even when the computer is turned off, etc.).
  • Flashing the BIOS/UEFI with something worse (because that usually needs a reboot, configuring TeamViewer to start at boot is helpful). E.g. to prevent AMT from being turned off again.
  • Writing something to the hard disk's spare sector area (that's not part of formatting) and/or flashing the hard disk's firmware. To prevent you from just switching the mainboard.
  • Replacing some other firmwares, just to be sure.

...

And without 0days to get admin permissions? Or if the attacker just wants an easier way? Well ... downloading child p*rn and then suing you. (And while sad, in some countries an IP is enough to go to jail. Even if you have evidence that you weren't at home where your DSL cable is, or anything like that.)
(Because the focus is on the computer: While you're in jail, the attacker enters your home and does whatever he wants with direct access to the hardware).

deviantfan
  • Hopefully he connects them to a VM to make access to the real firmware difficult or impossible. – cybernard Sep 02 '17 at 17:36
  • @cybernard The question doesn't mention VMs at all. And on this attack scale, there are ways to break out. (eg. I'm pretty sure VirtualBox does pass CPU commands through without changes, so access to AMT shouldn't be limited at all by it) – deviantfan Sep 02 '17 at 17:38
  • @cybernard That is not the scenario here. The attacker is given access to the actual system, not a VM. – Fiksdal Sep 02 '17 at 17:39
  • Writing outside the "accessible area" is pretty harmless, and certainly does not cause permanent damage. Reformatting redefines the "accessible area". And either the bits stay outside the accessible area (no effect to computer, no damage) or they're irrelevant (inside sectors now marked as "free"). – MSalters Sep 04 '17 at 13:23
  • @MSalters Harmless until a part of the malware is there just because it has enough space. (of course some other part needs to read it) – deviantfan Sep 04 '17 at 16:27

They could pull a CIA and flash your HDD firmware, replacing it with their own infected version.

(Not sure you can do this to a VM though)

Kelvin Wang
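The persistence mechanisms named in deviantfan's and Kelvin Wang's answers (a re-flashed BIOS/UEFI, a re-flashed drive firmware, data parked in sectors a format never touches, AMT left provisioned) are exactly what step 3 of the question does not reset, so the check a practitioner wants is a firmware-level inventory taken from the Linux live CD before handing the machine over and again after the wipe, then diffed. The script below is an added example, not code from either answer or from any of the tools' projects; it assumes the live CD ships dmidecode, flashrom, hdparm and lspci, runs as root, and the file names (baseline.txt, after.txt) are hypothetical. The hdparm sample line inside parse_hpa_line is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): take a firmware-level
# inventory from a Linux live CD before handing the machine over and again
# after the wipe, then diff the two. Assumes dmidecode, flashrom, hdparm and
# lspci are installed and the script runs as root; file names are hypothetical.

# Parse one `hdparm -N` line such as (constructed sample)
#   "max sectors   = 234441648/976773168, HPA is enabled"
# into "hpa=<state> visible=<n> native=<m>". A visible count smaller than the
# native one means a Host Protected Area hides sectors from the OS and from
# an ordinary format.
parse_hpa_line() {
    line=$1
    counts=$(printf '%s\n' "$line" | sed -n 's/.*= *\([0-9]*\)\/\([0-9]*\).*/\1 \2/p')
    visible=${counts% *}
    native=${counts#* }
    case $line in
        *"HPA is enabled"*)  state=enabled ;;
        *"HPA is disabled"*) state=disabled ;;
        *)                   state=unknown ;;
    esac
    printf 'hpa=%s visible=%s native=%s\n' "$state" "$visible" "$native"
}

# Write a sorted key=value inventory to the file named in $1.
collect_inventory() {
    out=$1
    : > "$out"
    printf 'bios_vendor=%s\n'  "$(dmidecode -s bios-vendor 2>/dev/null)"       >> "$out"
    printf 'bios_version=%s\n' "$(dmidecode -s bios-version 2>/dev/null)"      >> "$out"
    printf 'bios_date=%s\n'    "$(dmidecode -s bios-release-date 2>/dev/null)" >> "$out"
    # Hash of the SPI flash contents: a re-flashed BIOS/UEFI changes this even
    # if the attacker keeps the version strings above identical.
    if flashrom -p internal -r /tmp/bios.bin >/dev/null 2>&1; then
        printf 'bios_sha256=%s\n' "$(sha256sum /tmp/bios.bin | cut -d' ' -f1)" >> "$out"
    else
        printf 'bios_sha256=unavailable\n' >> "$out"
    fi
    # Intel ME host interface present on the PCI bus (AMT runs on the ME)?
    mei=$(lspci 2>/dev/null | grep -ciE 'MEI|HECI|Management Engine' || true)
    printf 'mei_devices=%s\n' "$mei" >> "$out"
    # Per-disk firmware revision and HPA state for ATA/SATA drives.
    for dev in /dev/sd?; do
        [ -b "$dev" ] || continue
        name=${dev#/dev/}
        fw=$(hdparm -I "$dev" 2>/dev/null | sed -n 's/.*Firmware Revision: *//p')
        hpa=$(hdparm -N "$dev" 2>/dev/null | grep 'max sectors' || true)
        printf 'disk_%s_fw=%s\n' "$name" "$fw" >> "$out"
        printf 'disk_%s_%s\n' "$name" "$(parse_hpa_line "$hpa")" >> "$out"
    done
    sort -o "$out" "$out"
}

# Compare two inventories; print each difference, return 1 if any key changed
# or disappeared.
compare_inventory() {
    before=$1
    after=$2
    changed=0
    while IFS= read -r line; do
        key=${line%%=*}
        old=$(grep "^$key=" "$before" 2>/dev/null | head -n 1)
        if [ "$old" != "$line" ]; then
            printf 'CHANGED %s -> %s\n' "${old:-(missing)}" "$line"
            changed=1
        fi
    done < "$after"
    while IFS= read -r line; do
        key=${line%%=*}
        grep -q "^$key=" "$after" || { printf 'MISSING %s\n' "$line"; changed=1; }
    done < "$before"
    return $changed
}

# Usage: ./fwinv.sh collect baseline.txt   (before handover, from the live CD)
#        ./fwinv.sh collect after.txt      (after the wipe, same live CD)
#        ./fwinv.sh compare baseline.txt after.txt
case ${1:-} in
    collect) collect_inventory "$2" ;;
    compare) compare_inventory "$2" "$3" ;;
esac
```

Two caveats go with this. First, bobuhito's comment applies to the dump itself: a read taken through the machine's own firmware is only as trustworthy as that firmware, so for a real verification read the SPI chip with an external programmer (flashrom supports these, for example `-p ch341a_spi`) and compare against the vendor image. Second, on UEFI systems the variable store shares the same flash chip, so a changed `bios_sha256` after merely changing a setting is expected; treat a mismatch as a prompt to inspect the regions, not as proof of tampering, and note that `mei_devices` only says the ME is exposed, not whether AMT was provisioned.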

It depends on the permissions the remote user can obtain. The trivial case is that the account already has admin rights; a less trivial case is an exploit which allows a local user to obtain admin rights. Both make the attacks described in the other posts possible. Without admin rights I cannot think, off the cuff, of anything permanently destructive a user could do.

The attack surface is certainly bigger if one can actually log in to a machine, as opposed to only seeing it on the network, perhaps behind a firewall, and only with a bare Windows installation (no database, web server, remote desktop etc.). In this sense granting remote access by any means is a security risk.