133

I’m asking the question with these conditions:

  1. The device (computer or mobile phone) is in a running state.
  2. “Momentary” refers to a reasonably short period of time, such as 5 to 10 seconds.
  3. The system may not be in a “locked” state (e.g. showing a lock screen asking for a password). However, the active session doesn’t have superuser privilege (the usual case for a mobile phone).

What can a hacker do to gain further access to the system?

forest
  • 65,613
  • 20
  • 208
  • 262
tonychow0929
  • 2,247
  • 3
  • 13
  • 14
  • 41
    [Third Law of security:](https://security.meta.stackexchange.com/a/988/55196) If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. Even with limited time access, the moment a bad guy has physical access, consider it compromised. – Mast Jun 11 '18 at 12:49
  • 9
    If you mean they only have access for a short period of time, "brief" would probably be a better word to use. Instantaneous is typically a whole lot shorter than a few seconds and instantaneous access is ambiguous (and most would probably assume the other meaning, i.e. the process to gain access is instantaneous). – NotThatGuy Jun 11 '18 at 12:51
  • 8
    Well, if it's a mobile phone or a laptop, he could steal it. – Steve-O Jun 11 '18 at 18:11
  • 4
    @immibis Hence the last part of that comment. I'm perfectly aware of what's stated in the question. – Mast Jun 12 '18 at 05:58
  • 9
    A second or so may be enough to swap your phone with a lookalike in locked state. A minute or so later, when the attacker has left, you try to unlock your phone by typing your PIN into that device, which has the sole purpose of sending that PIN to the attacker ... – Hagen von Eitzen Jun 13 '18 at 20:43
  • I've recently fried my monitor by plugging a faulty (not malicious, just faulty) USB device into the monitor's USB hub, and I consider myself lucky having had the monitor as "lightning rod" instead of frying the computer. It only took half a second. Now, what could a _malicious_ person with physical access do in a few moments... – Damon Jun 15 '18 at 12:16
  • [No, it may be even useful](https://blog.office-relax.com/wp-content/uploads/sites/3/2018/02/adam-meets-god-300x139.jpg) :-) – peterh Jun 15 '18 at 23:38
  • What's your threat model? Who is the hacker, state-sponsored or a script kiddie? – Nick T Jun 16 '18 at 21:33

5 Answers5

213

That all depends on the system, the attacker, and the level of preparation they had. If they have unlimited preparation, they could do effectively anything that they could do with an unlimited access window. Even if they do not have in-depth knowledge of the specific system, it would not be difficult to very quickly inject malicious code that allows for subsequent remote access. They could:

  • Connect a PCMCIA or PCIe card and dump memory or inject code.

  • Splice a hardware keylogger in between the keyboard's PS/2 or USB cable.

  • Quickly download and execute malicious code, or modify existing code.

  • Access sensitive files and save them (e.g. with a camera or USB flash drive).

  • Physically destroy the computer (e.g. with a hammer or a power surge over USB).

  • Simply grab the system and pawn it off for a quick buck.

Time for a story. I once had a target who I would be in close proximity to for a brief period. My goal was to gain persistence on their laptop to exfiltrate sensitive documents. I knew I had only a few seconds every time they went out of sight, so I couldn't just grab their laptop and take my time. I obviously also could not steal it. Luckily, I came prepared. I had a programmable USB device that I plugged in. As soon as it was plugged in, it simulated keyboard input to open PowerShell and execute a few commands to download a payload I had set up earlier. The scenario went like this:

  1. I waited until this person had left to get something for me in another room.

  2. I leaned over on the table where the laptop was and surreptitiously plugged in the device.

  3. I waited a few seconds to be safe, unplugged it, and tried to keep a straight face.

  4. After they gave me what I asked for, I thanked them and left.

  5. When I got home, I got on my computer and connected to their machine.

It was not difficult, did not take an extensive period of preparation, and was moderately stealthy. I could have made it even more stealthy if I used something that looked like a cell phone so I could claim I was just charging the device and didn't see any other USB ports around (which would be kind of weird and suspicious, but not as much as if it looked like a flash drive). The moral is that you can do a lot with just a few seconds of access, so you must never underestimate the risk.

So how do you protect against these threats? You need to develop a threat model. Figure out who your adversary is, what assets of yours they are after, and what their resources are. If you don't want your mother to see your porn when you're at her house, you probably don't need to worry about exploits abusing corrupt EDID in a VGA or HDMI cable. If you are holding extremely valuable company secrets in a highly competitive industry (robotics, epoxy, etc) and are going to a high-risk country like France or China, you absolutely need to worry about sophisticated attacks, because industrial espionage (aka the more illicit side of "corporate intelligence") is rampant. Stay with your computer at all times in adversarial situations. Lock it if you are going out of its line of sight, and bring it with you or physically secure it in a safe if you are going to be away for a longer period.

forest
  • 65,613
  • 20
  • 208
  • 262
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/78894/discussion-on-answer-by-forest-is-momentary-physical-access-dangerous). – Rory Alsop Jun 14 '18 at 17:34
  • 19
    Read this on Wednesday. On Thursday the _exact same procedure_ was shown in new ep of the TV show Humans. Plug in USB, watch Powershell commands appear, exploit installed, wait a few moments for good measure, take USB out just as target returns from printer. Genius. – Lightness Races in Orbit Jun 15 '18 at 12:03
  • 5
    @forest: It was frustrating that at the time I couldn't point it out to anybody who would understand the co-incidence :) – Lightness Races in Orbit Jun 15 '18 at 13:14
  • 3
    France is high risk? Since when? – DeepS1X Jun 18 '18 at 04:09
  • 2
    @DeepS1X [One example](http://www.france24.com/en/20110104-france-industrial-espionage-economy-germany-russia-china-business) I found from searching "france industrial espionage". See also [this](http://foreignpolicy.com/2013/07/02/espionage-moi/), and [this article](https://thediplomat.com/2014/05/robert-gates-most-countries-conduct-economic-espionage/) which points France out as particularly aggressive. Or [this](https://www.cbsnews.com/news/wikileaks-france-leads-russia-china-in-industrial-spying-in-europe/). I mean, it's well known. – forest Jun 18 '18 at 04:41
  • How much of this can be mitigated by locking your computer? – Nacht Jan 15 '20 at 01:17
  • 1
    @Nacht-ReinstateMonica Depends on the attack. It will help, for sure, but won't protect against, say, DMA over eGPU (for laptops that even have that feature). – forest Mar 21 '20 at 23:42
29

I think you're also missing that there's other malicious things to be done beyond hacking. There are USB devices that can literally fry a computer. So even if they don't gain access or install dangerous software, a "few seconds" could cause thousands of dollars in damage, not to mention downtime to repair the affected systems.

Machavity
  • 3,808
  • 1
  • 14
  • 31
  • 23
    On that note, you don't even need such fancy items like a 'USB stick'. If you're going for physical damage, you could do quite a bit in a few seconds with a hammer and some determination. :P – Salmononius2 Jun 11 '18 at 14:08
  • 15
    @Salmononius2 While that's true 1. It's a lot harder to hide a hammer 2. There's no plausible deniability ("It just stopped working!") 3. For a laptop, maybe, but most server/desktop cases would take more than a "few seconds" to get through without something substantial like a sledgehammer. – Machavity Jun 11 '18 at 14:20
  • 4
    The question is about "further access" not all risks. – schroeder Jun 11 '18 at 14:58
  • 1
    @schroeder I get that, but there's risks that go beyond a simple "hack this machine in 10 seconds". This still answers the question, albeit in a way the OP didn't think of (or may not know of) – Machavity Jun 11 '18 at 15:38
  • 3
    Then this would be better as a comment to offer a tangential consideration. We try to answer the questions directly. – schroeder Jun 11 '18 at 15:55
  • Wouldn't a well-designed computer have resistors and/or fuses built into its USB ports to prevent something like this? – Vikki Jun 12 '18 at 02:00
  • 2
    Thousands of dollars? A targeted attack against an unfortunate company computer can easily cost them millions of dollars. – forest Jun 12 '18 at 03:03
  • 1
    @Sean Not really. Most integrate the USB power into other components to save money. Fry that, and you do a lot of damage to adjoining circuits in the motherboard. I mean, prior to a few years ago, who knew this would even be a viable way to wreck a computer? – Machavity Jun 12 '18 at 03:16
  • 1
    A serious set of "fumble-fingers" has plausible deniability, but is limited to physical damage and not compromise or file access etc. – Criggie Jun 12 '18 at 06:12
  • 1
    @Salmononius2 No need for that; if your objective is just to destroy that target company's property, a more effective approach with less risk of being caught would be to hide a homemade bomb in the bathroom, timed to detonate a few weeks later. Really, if you've got a highly-prepared attacker whose objective is just plain old destruction of your stuff, with no requirement to pass it off as an accident, and they're willing to risk coming armed onto your premises to carry that objective out... then the security problems you face go well beyond the realm of InfoSec. – Mark Amery Jun 12 '18 at 11:17
  • 1
    @Machavity: Yes, but now that this _is_ a well-known and viable method of computer destruction, one would expect manufacturers to start designing their products to defeat USB motherboard fryers... – Vikki Jun 12 '18 at 14:29
  • 4
    @MarkAmery That's a good way to get charged as a terrorist, not to mention get the FBI on your ass right away. It's a lot safer to simply zap someone's computer, since all they can do is complain to the cops who won't do anything simply because the value of the damaged property is so low. It's for the same reasons that stealthy assassins don't run up screaming to their victims with a battle axe. – forest Jun 15 '18 at 20:46
27

I can think of one way to prolong the physical access.

from google image search "smallest usb drive"

USB drives can be so tiny that the entire electronic portion fits under the contacts, and the tab is just so you can pull it out. You may modify one by cutting the tab off to fit stealthily inside a slot, so that the owner might not notice something's there right away. And by the time they do, who knows when or where someone may have inserted it? How often do you check your USB ports? :p

Also, many laptops have that plastic placeholder SD card to keep the lint and dust out. Do you check that often too?

And thirdly, with this stealthy approach, you may be able to manufacture a USB cable which includes a controller which acts as a normal charge/data cable but can become a man-in-the-middle for any connected devices. Or use an already existing "USB flash drive in a cable" accessory like this one:

https://www.amazon.com/Lexar-JumpDrive-128GB-Flash-Drive/dp/B012PKX1V2

user1306322
  • 916
  • 7
  • 15
  • 3
    SD cards cannot really do anything malicious. They are only seen as mass storage devices. – forest Jun 12 '18 at 03:49
  • 11
    @forest Well, some systems do automounting, which can allow for some amount of shenanigans - It's eg. easy to bring down a Linux box if you can get it to mount something you control; It's plausible for a vulnerability to exist that lets you do something more useful than just crash a system. (Sure, it requires an actual vulnerability, unlike USB where you can just pretend to be eg. a keyboard, but that doesn't make it inherently safe) – Aleksi Torhamo Jun 12 '18 at 11:09
  • 6
    @AleksiTorhamo That's quite true, and filesystem vulns are a dime a dozen, but it requires risking burning a 0day, which people are not always all that willing to do. – forest Jun 12 '18 at 11:37
  • 2
    A few years ago, I've grabbed a tiny pen drive and broke it from the shell. It was just glued, so, was easy. I've cut a cable open and replaced the internal plastic and contacts with the USB stick. This could be used too, as a curiosity, to fool a person to plug it into their system so they believe it is, indeed, a fully working pendrive. In this time, you can have an autoexecutable there, which does it's tiny thingy to simply download a much larger payload. – Ismael Miguel Jun 12 '18 at 15:08
  • 8
    @forest: If your security depends on an assumption that SD cards are only mass storage, game over: https://en.wikipedia.org/wiki/Secure_Digital#SDIO_cards – Ben Voigt Jun 13 '18 at 01:46
  • 1
    @BenVoigt Is SDIO even supported by modern kernels, though? – forest Jun 13 '18 at 01:53
  • 3
    @forest Yes on certain devices. The bigger issue with using it as an attachment Vector is that it needs hardware support in the SD controller, which is not widespread. – Austin Hemmelgarn Jun 13 '18 at 14:07
  • 3
    SD cards can even act as WLAN device, e.g. https://www.toshiba-memory.com/products/toshiba-wireless-sd-cards-flashair-w-04/ – Wernfried Domscheit Jun 14 '18 at 08:52
  • 1
    @WernfriedDomscheit Is a WLAN device inherently dangerous? – curiousguy Jun 15 '18 at 12:29
  • 2
    Of course not but I liked contradicting wrong statement "SD's are only seen as mass storage devices" – Wernfried Domscheit Jun 15 '18 at 12:34
  • 2
    @WernfriedDomscheit While specialized drivers and hardware may allow them to behave as more than just mass storage devices, I am under the impression that that is quite uncommon and the _vast majority_ of consumer laptops will not see an SD card as anything other than a storage device. – forest Jun 15 '18 at 20:43
  • 1
    Keep in mind that even SD cards appearing as mass storage devices may have significant extra functionality. It's [not hard to reprogram their microcontrollers](https://www.bunniestudios.com/blog/?page_id=3592) and of course an attacker willing to spend more than a few dollars can build one with arbitrary functionality. – cjs Jun 17 '18 at 00:57
  • 2
    The best part about this attack vector is that it would likely be extraordinarily vexing to get the %%#$ thing out! – Nonny Moose Jun 17 '18 at 16:22
  • 2
    @NonnyMoose pro tip just for you: heat up a metal pin with a lighter, stick it into the plastic of the stuck USB rectangle, let it melt into it and cool down to solidify, then pull it out by the pin :) – user1306322 Jun 17 '18 at 18:57
4

If someone was prepared to compromise computers quickly, it would be quite easy to accomplish this:

  1. Create custom exploit payloads for most common operating systems (Windows / Linux / Mac OS X). Something very basic like a remote shell that communicates through HTTP client would be sufficient. Being custom-built, it is unlikely that antivirus programs would detect it, though you can always check beforehand and modify as needed.

  2. Prepare commands that will download your exploit and run it. Something like wget ...; chmod +x ...; ./.... Have some innocent looking webpage where these commands are easily copyable, e.g. hidden in some small text box.

  3. Ask to use the victim's web browser for a moment. Navigate to your page, copy the command to clipboard, quickly press Alt-F2 or Win-R to bring up the Run dialog, Ctrl-V to paste your commands and Enter to run them, Win-Down to minimize the command prompt.

Done well, the three key combinations take less than a second of time, after which the exploit has time to download itself in the background. Sure, this only gains you user-level privileges, but most important data is handled by the user anyway. For example passwords can be stolen without admin privileges.

On mobile phones, the same method doesn't work as they usually don't allow installing code from unknown sources by default. On PC's, at best you have some slowdowns like firewalls asking for confirmation.

jpa
  • 950
  • 6
  • 11
1

A number of devices can be exceedingly dangerous in moments (seen from a physical or security perspective).

For example, firewire provides direct access to RAM, so a malicious FireWire device could be plugged in and grab(or change) specific RAM contents in moments, if enabled. Other devices may also enable/employ DMA for malicious purposes via external ports, now or in future.

Many attacks exist with USB. As well as in-line devices, keyloggers, and electrical disruptors already mentioned, there are devices that masquerade as other devices (a device that looks like a flash drive but contains a virtual keyboard, code that autoruns on the host, or additional devices such as hidden WiFi that bridges airgaps and allows other attacks.

In-line intercepts exist for monitor cables, allowing a third party to see the monitor's display.

Severe attacks could include dumping ram containing sensitive content (including OS or ring-0 protected encryption keys according to research), flashing ordinary as well as firmware based rootkits, breaching hypervisors (especially if autorun on the host), and anything else that can be done within a couple of seconds by malware that has complete access to a system.

Stilez
  • 1,674
  • 8
  • 14