
This isn't a blow to real security, just to DRM and treacherous computing. There's no legitimate security from "Secure" Boot.



> treacherous computing

I like it, going to hang on to this one



Evil maids?


There was this recent article (here in HN) about these "evil public charging ports that can hack your smartphone" and how there is an entire ecosystem of devices to protect against them... when in practice no one has heard about any one single example of such an evil charging port, and in practice carrying out such an attack is so target-specific and leaves so many warning signs that the entire thing sounds implausible to say the least.

These evil maids are even more implausible than that. It has to be ridiculously targeted. If you are really targeted by such a powerful state-like entity, wouldn't it make much more sense for them to just send an NSA letter to Intel (or whatever the weakest link in your chain is, and there are plenty of extremely weak links here, like the BIOS manufacturer) and/or backdoor the hell out of it?

Secure Boot was never about security for normal users nor security for the majority of us. This is like https://xkcd.com/1200/ all over again. At the point where the attacker can write arbitrary bytes to your hard disk, it's way past the point where the majority of users care.


It's not just about evil maids and physical access. Even if you did get root level RCE, you did not have access to screw with hardware security. With the UEFI keys, you suddenly have a whole new level of persistence, meaning that if you ever get pwned, you can basically throw your hardware in the trash, because even a system level wipe will not be a guaranteed way to clean malware.


If your attacker has root, and your system allows flashing the BIOS from root (many do), he can simply disable Secure Boot, or enroll one extra signature -- his. If the system doesn't allow flashing a BIOS even if an attacker has root access, then Secure Boot makes no difference whatsoever.


What does the boot rom have to do with the root user of an operating system? How does root help you disable secure boot if there is a password to change UEFI settings for instance?


At the point where you have root you basically won. You can ship user’s data elsewhere. You can install a key logger. You can empty their bank account.

But yes, if the OS also lets you change the boot ROM then you can make your root access semi-permanent.


EM isn't necessarily a targeted attack: almost everyone is running x86_64.

It'd just be a matter of replacing a binary with an iffy'd version that runs before any decryption happens, e.g. replacing plymouth.

This isn't hard to do in the slightest? I think even you or I could do it.

But with secureboot, replacing a binary in the loading chain isn't an option.

I don't think I could convince intel to install a bug for me.

https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.h... is a good descriptor of how it all comes together


All smartphones use ARM and USB and Android, and _even then_ the evil USB charging port is targeted -- you still have to tailor it to the target's screen ratio, Android version, Android UI/skin, even launcher if they have one, etc.

> it'd just be a matter of replacing a binary with a iffy'd version that runs before any decryption happens, e.g. replacing plymouth.

You'd at least need to imitate the UI your target is using for unlocking the disk (e.g. plymouth theme). Then, after the user types something, either virtualize the rest of the boot process (which is already extremely implausible), or otherwise reboot in a way that does not immediately cause the user to be suspicious. All of this is as targeted as it gets. A generic version would get as far as your average phishing email.

But... how do you plan to replace my bootloader in the first place? You'd need root access for that. At that point, it is already game over for the target! Why would you need to tamper with the bootloader at that point?

Or are you thinking about breaking into my house and doing that on my offline computers? How is that not a "targeted attack"?


Adding `store password somewhere` doesn't get in the way of plymouth's theming (which is separate), it doesn't change the rest of the boot process, etc etc etc etc etc. It's taking an open source project, adding some lines to it, compiling, and swapping a binary out. Why would it need to do any of this other stuff?

> You'd need root access for that. At that point, it is already game over for the target! Why would you need to tamper with the bootloader at that point?

Yes that is the crux of the Evil Maid attack, a drive-by install of software. e.g. at a coffeeshop while one is on the toilet, at an office, at a hotel by an evil maid, etc etc. AEM is about detecting changes in trust: if the loading sequence is changed, then the verifier (another device like a usb dongle) can't verify (since the TPM can no longer unlock the prior secret due to the chain changing).

You might want to look into the article I linked in my earlier comment to get the full idea of what is meant by evil maid
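The TPM-sealing mechanism described in the comment above, as an added toy model that is not code from the thread or from the Anti Evil Maid project: each boot component is measured into a PCR by hashing, a secret is sealed to the PCR value of the known-good chain, and a chain with a swapped plymouth binary produces a different PCR so the secret is not released. Component names, contents and the secret are all constructed sample values.

```python
import hashlib
import hmac

# Constructed stand-ins for the measured boot components; real firmware
# measures the actual binaries, not these strings.
GOOD_CHAIN = [
    (b"firmware", b"OEM UEFI firmware image v1.0"),
    (b"bootloader", b"grub core image"),
    (b"kernel", b"vmlinuz-6.x"),
    (b"initramfs", b"initramfs containing the upstream plymouth binary"),
]
# Same chain but with the initramfs (and thus plymouth) replaced.
TAMPERED_CHAIN = GOOD_CHAIN[:3] + [
    (b"initramfs", b"initramfs containing a modified plymouth binary"),
]


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(chain) -> bytes:
    """Replay the measured boot: PCR starts at zero and is extended per component."""
    pcr = bytes(32)
    for _name, blob in chain:
        pcr = pcr_extend(pcr, blob)
    return pcr


class TpmSim:
    """Minimal model of TPM sealing: a secret is released only if the current
    PCR value equals the value it was sealed against."""

    def __init__(self):
        self.pcr = bytes(32)
        self._sealed = {}

    def boot(self, chain):
        self.pcr = measure_chain(chain)

    def seal(self, handle: str, secret: bytes):
        self._sealed[handle] = (self.pcr, secret)

    def unseal(self, handle: str):
        expected_pcr, secret = self._sealed[handle]
        return secret if hmac.compare_digest(expected_pcr, self.pcr) else None


def aem_check(tpm: TpmSim, handle: str, chain):
    """Boot through the given chain and try to unseal the owner's secret.
    Returns the secret on an unmodified chain and None if any component changed."""
    tpm.boot(chain)
    return tpm.unseal(handle)
```

In the real scheme the released secret is something the owner recognises (a phrase or image shown before the disk passphrase prompt); its absence is the signal that the loading sequence was altered.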


> Yes that is the crux of the Evil Maid attack, a drive-by install of software. e.g. at a coffeeshop while one is on the toilet, at an office, at a hotel by an evil maid, etc etc.

If the laptop was left online and unlocked: what do you expect to gain by installing a patched plymouth versus installing traditional remote control software and/or a keylogger? You don't even need root for the latter!

If the laptop was left locked: do you plan to open the laptop, remove the disk, transfer some files to it (matching the same distro & version of all components your target was using, otherwise the entire thing may just crash or look different and reveal the attack), hope the target doesn't notice his laptop was literally taken apart (most laptops just can't be opened at all, for the ones which can, even mine has a simple open-circuit tamper detector...), then come back in the future _and do the same_ again to recover the captured password? And how is this not a ridiculously targeted attack?

Besides, at that point, you could simply install a wiretap on the keyboard, an attack which, unlike the evil maid crap, I have seen _millions_ of times in the wild (e.g. at public pinpads, card readers at gas stations, etc.).


What's plymouth?


https://www.freedesktop.org/wiki/Software/Plymouth/ the lil spinny that shows up as your OS loads, and the password prompt for decrypting your drives to continue booting


I agree that this is the reason, but having Intel as the guard only makes it so that it could have already been hacked/leaked/bypassed and you never know.

At least if it was user controlled we can ensure that other people's leaked keys don't bypass our security.


If it's user controlled what stops an attacker from bypassing it as the "user"? Most people just want to have a secure device and will not think about security, not want to do any work to secure their device.


So the maid swaps your keyboard instead. There is no winning in this scenario, and it certainly isn't through "Secure Boot".


Can you explain how Intel Bootguard usefully guards against evil maids?


I'm using a TPM with a Librem Key on my laptop to defend from the Evil Maid attack. All keys are my own.


How many of us have maids? How many of those maids are evil?


"Evil maid" is a generic descriptor for any number of attacks that can be performed with physical access to a device.

https://en.wikipedia.org/wiki/Evil_maid_attack

"The name refers to the scenario where a maid could subvert a device left unattended in a hotel room – but the concept itself also applies to situations such as a device being intercepted while in transit, or taken away temporarily by airport or law enforcement personnel. "


I genuinely hate this "cute" yet condescending name. Maids are on the low skill low wage end of the spectrum. Even if there is a motive to mount a physical attack, possibly a targeted one, it will either be performed by a person impersonating a maid or with the help of an operator giving instructions. So, either an "evil" maid who is not really evil, or an evil "maid" who is not really a maid. Contrived, inaccurate and demeaning.


This seems to sell maids a little short. I'm sure maids are just as capable of being script kiddies as anyone else.


Most people don't choose low paying physically demanding jobs when they can paste together stack overflow answers.

That said, "Evil Maid" fits here because of that - they are not someone that you expect to need technical protections from, but theoretically they could be a genius adversary or just hired by one.


I tend to agree with your analysis. But that is precisely my beef with the term. You seem to be saying that the term fits _because_ it describes a population that violates security expectation, _because_ it is "generally not smart, except for theoretical surprises" or "easy to hire for nefarious purpose". Neither one is very flattering, neither one equates to "evil" and neither one applies specifically to maids. A neutral term would have been an "adversary with temporary physical access" but that is not nearly as catchy.


With physical access you can simply install a keylogger, GPS tracker, and maybe something worse (malicious PCI-Express or USB device for example).


Still, how real a threat is that for 99% of computer users?

And law enforcement will have a device to bypass most devices' security.


It's definitely on the high end of attacks and a bit unlikely, but I don't think it's exclusively nation states. Well within the reach of thieves who want to steal your bank info or something.


> And law enforcement will have a device to bypass most devices security

What makes you say that and how is that an excuse to do nothing?


To prevent an evil maid attack you would need to encrypt your drive.

In case of a malfunction, you risk losing all your data.

Threat actors and law enforcement can bypass it.

UEFI threats moving to the ESP: Introducing ESPecter bootkit https://www.welivesecurity.com/2021/10/05/uefi-threats-movin...


Pretty much all offices have them.


Do you take your laptop with you when going to a Starbucks restroom?


...Yes? Not because of the risk of evil maid attacks, but because of the risk someone will just steal it.

