
I wonder how hard it is to infect a laptop or netbook in 60 minutes or less in a way the victim cannot easily clean their machine by wiping hard disk drives.

Let's assume the following:

  • The attacker has physical access to the machine. I.e. they wait until their victim leaves their desk. They know how long their victim will be away. (I.e. 5 minutes or an hour.)
  • The machine is either turned on (and must stay that way) or turned off (and must stay that way), or the victim will notice.
  • The victim's machine has USB-ports, ethernet cable connection, wireless LAN and (possibly) Bluetooth enabled.
  • The attacker has as much time to prepare their attack as they need, even some years. They have several chances to try, as long as they don't break anything.

The hack must result in the following:

  • The victim will not be able to remove the infection by reinstalling their system or securely wiping the disk or buying a new hard disk. (1)
  • The victim will only be able to remove the infection by using a completely new mainboard, or at least flashing the BIOS chip (just resetting shouldn't help).
  • The attacker will be able to steal the victim's data (minimum requirement), for example passwords or company data. They must at least be able to use keylogger-like functionality, better gain complete control over the victim machine.
  • No dirty old never-updated-Windows exploits. The victim is running a regularly updated Unix derivative (i.e. latest OSX or Linux).
  • The victim would notice an attack if there was anything to notice. Nothing remotely visible must change. The victim expects to be attacked, and will assume a technical error is an attack, no matter how unlikely it seems to be. The victim's skill level is a somewhat experienced coder, but not in the hardware field. The victim, however, trusts their coworkers to a certain point, i.e. leaving their machine for lunch.
  • No fancy UEFI things here. Plain old BIOS, with a lot of data available about it. (It isn't a new laptop.)

I leave the methods the attacker uses in detail completely open.

Their skill level, however, should be assumed to be extremely high. (For example, someone with 20+ years of experience, good at ASM, C++, and C, with a high knowledge of hardware as well as software and very good Unix skills. Fascinated by exploits and hacking all their lives, and having succeeded pretty often at breaking into hard- and software systems, as well as at reverse engineering. I.e. they might pull off anything a single person is able to do, and will find their tools. However, if they found a tool which would get them the job done in 5 minutes, they'd use it. They're pretty pragmatic.) Let's say they are a (secretly criminal) programmer who's more experienced than anyone else on the team, the only one who is not just a "web guy" or sysadmin.

If you were such an attacker, how would you do it? Would you think it's possible, and how would you try? (The requirement "a new hard disk and wiping all data including backups won't help" must be fulfilled. The rest is up to you.)

(1) An easy "software" way to do this would be to infect a file the victim will keep accessing over and over again, either remotely or locally. This, however, does not fulfill the requirement. The infection must persist even if all data is wiped completely, and the machine will never access the company network again.

  • If it's off, can they turn it on assuming they turn it off again before the victim returns? If it's on, can they restart it assuming they have it turned on with all the same programs open by the time the victim returns? – cpast Mar 03 '15 at 22:16
  • If it is off, they can turn it on, but not boot the actual system, as the actual system is protected by hard disk encryption. They might enter BIOS or Linux busybox / rescue shell. If it is on, they cannot turn it off and on again, as they don't know the encryption password, therefore wouldn't be able to restart the system and open programs. If on, there's a screenlock with password (can't be guessed) and no open consoles, but a hacker would possibly be able to circumvent this. – ALittleBitOfParanoia Mar 03 '15 at 22:19
  • What level of hardware manufacturing does the attacker have access to? A motherboard replacement on a lot of laptops could be done faster than an hour; does the attacker have the ability to fabricate their own motherboard that is identical to the one in the computer but has a compromised BIOS (such as a state might be able to obtain)? – cpast Mar 03 '15 at 22:23
  • They must assume their victim will return any time or earlier, so when they hear steps on the stairs, they should be able to have everything looking normal in less than a few minutes. Manufacturing a motherboard is out of the question, as the attacker doesn't have much money. Replacing - possible, but unlikely, as it is risky for the attacker. – ALittleBitOfParanoia Mar 03 '15 at 22:29

1 Answer


This video demonstrates a complete re-soldering of a laptop BIOS chip in 10 minutes: https://www.youtube.com/watch?v=HMAxv6lgSuw

Joanna Rutkowska (girl behind the Blue Pill rootkit) discusses the feasibility of a "Ring -3" rootkit of the SMM which resides on the BIOS chip: http://theinvisiblethings.blogspot.com/2009/03/attacking-smm-memory-via-intel-cpu.html

And this presentation talks about the implications of hacking the SMM, giving you full access even remotely, fully undetectable. Even the user monitoring network connections for suspicious traffic could have an SMM rootkit fool the network card beyond the driver level: http://me.bios.io/images/6/61/Ring_-3_Rootkits.pdf

The attacker, knowing the laptop beforehand, would use the technique to hack SMM on a chip he got for cheap off eBay, then bring in the chip and a soldering iron for the actual attack.

armani
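From the defender's side, the persistence described in this answer lives in the SPI flash, so the check that matters is whether the chip's contents still match a known-good image. The following is an added example, not code from the thread: it compares a current firmware dump against a baseline dump in erase-block-sized chunks and reports the offsets that changed, so a reflash or a swapped chip shows up as a small number of modified regions (or a size mismatch). It assumes both dumps were taken with an external SPI programmer, since firmware running in SMM can interpose on software reads of the flash; the sample images, the 4 KiB block size and the function names are constructed for illustration.

```python
import hashlib

BLOCK = 4096  # assumed SPI erase-block size; compare in these units


def sha256_hex(data: bytes) -> str:
    """Hex digest used to compare a dump against a recorded known-good hash."""
    return hashlib.sha256(data).hexdigest()


def changed_blocks(baseline: bytes, current: bytes, block: int = BLOCK):
    """Return (offset, length) ranges where the two images differ.

    Adjacent differing blocks are merged into one range. A size mismatch
    is reported as an error because it usually means a different chip."""
    if len(baseline) != len(current):
        raise ValueError(f"size mismatch: {len(baseline)} vs {len(current)} bytes")
    ranges = []
    for off in range(0, len(baseline), block):
        if baseline[off:off + block] != current[off:off + block]:
            if ranges and ranges[-1][0] + ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], ranges[-1][1] + block)  # extend run
            else:
                ranges.append((off, block))
    return ranges


def verify_firmware(dump: bytes, known_good_sha256: str, baseline: bytes):
    """Fast path: hash match -> clean. Otherwise locate what changed."""
    ok = sha256_hex(dump) == known_good_sha256
    return ok, ([] if ok else changed_blocks(baseline, dump))


def build_samples():
    """Constructed sample images (not real firmware): 16 blocks of 4 KiB."""
    baseline = bytes(range(256)) * (16 * BLOCK // 256)
    tampered = bytearray(baseline)
    tampered[3 * BLOCK + 100] ^= 0xFF               # touches block 3
    tampered[4 * BLOCK + 5] ^= 0xFF                 # touches block 4 (merges with 3)
    tampered[10 * BLOCK:10 * BLOCK + 16] = b"\x90" * 16  # touches block 10
    return baseline, bytes(tampered)


if __name__ == "__main__":
    good, bad = build_samples()
    known_hash = sha256_hex(good)       # recorded when the machine was trusted
    print("clean dump:", verify_firmware(good, known_hash, good))
    print("tampered dump:", verify_firmware(bad, known_hash, good))
```

The same comparison applies to a vendor-published image when no earlier dump exists, although vendor images normally omit per-machine regions (serial numbers, NVRAM), so those offsets will always differ and must be excluded.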
  • Appears like a realistic scenario, with a prepared chip. (In our very small office, we'd most likely literally smell what's going on, i.e. soldering, but it won't be the same everywhere.) The scenario you present here also means you think it isn't even possible just using software / plugging in some USB or USB floppy drive etc.? (Of course a BIOS can be flashed using a USB floppy drive, but usually this is reversible by simply reflashing the BIOS.) – ALittleBitOfParanoia Mar 04 '15 at 01:09
  • There might be a more elegant software-based solution, but as a non-programmer I cannot speak to that effect. – armani Mar 04 '15 at 04:15
  • You can do it in 30 seconds instead just by hooking up an SPI programmer. – forest Jun 08 '18 at 06:39