INLICHTINGEN DIENSTEN INLICHTINGEN DIENSTEN

Transcription

1 Indien u hergebruik wenst te maken van de inhoud van deze presentatie, vragen wij u in het kader van auteursrechtelijke bescherming de juiste bronvermelding toe te passen. 17 juni 2014 De Reehorst in Ede INLICHTINGEN DIENSTEN SPIONAGE INLICHTINGEN DIENSTEN SPIONAGE PRIVACY PRIVACY GEORGANISEERD DOOR MADISON GURKHA Your Security is Our Business omslag BHS_2014_01.indd :30

2 Spies and secure boot Job de Haas Riscure Security Lab

3 Who am I Job de Haas Principal Security Analyst at Riscure Testing security on: Set-top-boxes, mobile phones, smart cards, payment terminals, ADSL routers, VoIP modems, smart meters, airbag controllers, USB tokens, Before: Pentesting network security (since 1991) Riscure Services: Security Test Lab Product: Side Channel Tools Full range testing: detailed hardware to white-box crypto and obfuscation 2

4 Overview How we protect personal data How we trust our systems How the evil maid beats us The end 3

5 Where is our data? 4

6 Username & password 5

7 Mobile users need speed! 6

8 Patterns are easier to remember 7

9 Challenge response 8

10 Also mobile 9

11 Bypass!! 10

12 Encryption is better 11

13 Real encryption please! 12

14 Phone encryption 13

15 Full disk encryption 14

16 Overview How we protect personal data How we trust our systems How the evil maid beats us The end 15

17 It s mine! 16

18 Was it tampered with? 17

19 Was it tampered with? 18

20 19

21 Secure boot! Wikipedia: In computing, booting (or booting up) is the initialization of a computerized system. Also called: Trusted boot or Verified boot Purpose: To start a system such that it can be trusted not to be tampered with. 20

22 Secure boot everywhere 21

23 Secure boot theory Internal boot ROM KEY Verify signature Optional decrypt 1 st stage boot loader Verify signature Optional decrypt N th stage boot loader Application Verify signature Optional decrypt Root key internal Chain of trust 22

24 Secure boot challenges Internal boot ROM Who owns the key? 1 st sta How to update code? KEY Verify signature Optional decrypt boot lo How to protect the ROM? 23

25 Alternative: TPM Trusted Platform Module Forward measurements TPM PCR: Platform Configuration Registers CRTM: Core Root of Trust for Measurement 24

26 UEFI Unified Extensible Firmware Interface Replacement of legacy BIOS Advantages (Wikipedia) ability to boot from large disks (over 2 TB) with a GUID Partition Table (GPT) CPU-independent architecture CPU-independent drivers flexible pre-os environment, including network capability modular design Introduces Secure Boot + TPM 25

27 Our data is secure We protect our data with encryption and passcodes We trust our devices with secure boot and TPM All is well!!! 26

28 Overview How we protect personal data How we trust our systems How the evil maid beats us The end 27

29 How can this be? Why would an evil maid want my stuff? Attacker modelling What can she do, my device is trusted! Breaking trust How can she get it, it is encrypted! Stealing the key 28

30 Attacker modelling Access Remote Physical Time Minutes Hours Skills Script kiddie Professional State Equipment Screwdriver Custom mod chips 29

31 Grugq: attacker or target? 30

32 Hotel safe before 31

33 After 32

34 Challenge What can you do With physical access In 1 hour With professional skills Using tools for mainstream products 33

35 Stealing the key Recipe for stealing the data and the key (requires: flaw in trust): 1. Open laptop 2. (Clone the disk) 3. Insert 1 st malicious program 4. Close laptop, leave 5. Wait for owner to boot device: 6. Ask for the password 7. Decrypt the disk 8. Modify it to start a 2 nd malicious program 9. Start the operating system + 2 nd program: 10.Use network to send the key / password 11.2 nd program hides tracks or backdoor 34

36 Verify signature Optional decryp Trust in detail: ROM Internal ROM in PC: serial Flash Programmable internal and externally Internal boot ROM KEY Verify signature Optional decrypt 1 st stage boot loader 35

37 Serial Flash protection Intel provides two SPI Flash protection methods: 1. BIOS_CNTL BIOS Lock Enable BIOS Write Enable System Management Mode (SMM) protection of BIOS Write Enable 2. Protected Range Register for SPI Flash protection Must be configured on each boot 36

38 Serial Flash protection flaws Many BIOS vendors do not set BIOS Lock Enable Most BIOS vendors do not set Range Protections BIOS update routines contain vulnerabilities: SPI flash access Only BIOS Lock Enable: any SMM bug breaks security Copernicus tool shows BIOS protections 37

39 TPM Measurements Initial startup FW at CPU reset vector PCR[0 ] CRTM, UEFI Firmware, PEI/DXE [BIOS] UEFI Boot and Runtime Services, Embedded EFI OROMs SMI Handlers, Static ACPI Tables PCR[1 ] SMBIOS, ACPI Tables, Platform Configuration Data PCR[2 ] EFI Drivers from Expansion Cards [Option ROMs] PCR[3 ] [Option ROM Data and Configuration] PCR[4 ] UEFI OS Loader, UEFI Applications [MBR] PCR[5 ] EFI Variables, GUID Partition Table [MBR Partition Table] PCR[6 ] State Transitions and Wake Events PCR[7 ] UEFI Secure Boot keys (PK/KEK) and variables (dbx..) PCR[8 ] TPM Aware OS specific hashes [NTFS Boot Sector] PCR[9 ] TPM Aware OS specific hashes [NTFS Boot Block] PCR[10] [Boot Manager] PCR[11] BitLocker Access Control From: Evil Maid Just Got Angrier, Yuriy Bulygin 38

40 Real TPM measurement From: BIOS Chronomancy: Fixing the Core Root of Trust for Measurement, John Butterworth et al 39

41 How bad is it? BIOS/FW Exploits (BH USA 07, PoC 2007, BH USA 09, DEFCON 16) BIOS/FW Rootkits (BH EU 06, BH DC 07, Phrack66) SMM Exploits (CSW 2006, Phrack65, Phrack66, BH USA 08, bugtraq, CSW 2009) Mebromi malware (U)EFI Bootkits (BH USA SaferBytes 2012 Andrea Allievi, HITB 2013) Intel/McAfee - Evil Maid Just Got Angrier (CSW 2013) Intel/McAfee A Tale of One Software Bypass of Windows 8 Secure Boot (BlackHat 2013) MITRE - Xeno Kovah, John Butterworth, Corey Kallenberg - BIOS Security (NoSuchCon 2013, BlackHat 2013, Hack.lu 2013) MITRE - Xeno Kovah - Defeating Signed BIOS Enforcement (PacSec 2013) ANSSI - Pierre Chifflier UEFI and PCI BootKist (PacSec 2013) Dragos Ruiu - Meet badbios the mysterious Mac and PC malware that jumps airgaps (#badbios) Kaspersky Lab / Absolute Software Microsoft Technical Advisory Intel Security/MITRE - All Your Boot Are Belong To Us (CanSecWest 2014) Upcoming: MITRE - Setup for Failure (Syscan 2014) From: Platform Security Assessment with CHIPSEC, Intel 40

42 What should be done? From: Platform Security Assessment with CHIPSEC, Intel 41

43 What now? More tooling: Platform Security Assessment with CHIPSEC from Intel Copernicus 2: secure measurements from MITRE UEFI Analysis Framework Subzero 42

44 More guidance NIST guidelines (also for servers) Vendor specific (pre-) boot guidelines TPM/Bitlocker best practices 43

45 Fault attacks! Even perfect code is not perfect Fault attacks manipulate the device physically Voltage glitches Clock glitches Electro Magnetic pulses Laser pulses 44

46 EM-FI Transient Probe 45

47 Research probes The EM-Probes from left to right: Probe 1, 2.3, 2.4, 2.5, 3, and 4 Probe Name Probe 1 Probe 2.3 Probe 2.4 Probe 2.5 Probe 3 Probe 4 Description Horizontal coil, 4mm diameter, ferrite core Vertical coil, 3mm diameter, no core Vertical coil, 4mm diameter, no core Vertical coil, 5mm diameter, no core Horizontal coil, 4mm diameter, EP5 ferrite core Vertical coil, 4mm diameter, ferrite core 46

48 Is it a real attack? Slot machine EMP jammer 47

49 Slot machine EMP jamming 48

50 EM FI Troopers14 19 March

51 Ideal secure device checklist All BIOS protections turned on (serial flash) BIOS enforces authenticated updates UEFI secure boot checks all signatures TPM measurements (configured with coverage) Authentication with password + removable token TPM unseals disk encryption key Full disk encryption applied with key 50

52 Parting thoughts Data security depends heavily on system trust What is your attacker model? Default system trust is low! Acceptable system trust (secure boot) is really hard 51

53 Contact: Job de Haas Principal Security Analyst Riscure Security Lab Riscure B.V. Frontier Building, Delftechpark XJ Delft The Netherlands Phone: Riscure North America 71 Stevenson Street, Suite 400 San Francisco, CA USA Phone: