43

I am interested in cost-effective and creative ideas for detecting physical attacks against computer systems. This includes, but is not limited to, tamper-evident security measures.

Consider the following attack scenario: An attacker would like to obtain data from a hard drive. The target machine is set up with Full Disk Encryption, a BIOS password is set, and the boot priority states that the encrypted drive is the first device to be booted.

The passphrase must be typed in order to decrypt the drive and boot the machine. A hardware keylogger could be installed to obtain this value. Some full disk encryption implementations can be defeated with bus sniffing; however, in order to carry out this attack the computer case must be opened. In either attack, after a period of time the attacker can return and collect the hard drive and the intercepted passphrase.

How can you detect if your computer case has been opened? How can you thwart the use of a hardware keylogger?

Also here is a great talk on Bypassing Tamper Evident Devices.

Edit: The state of modern physical security is incredibly poor. Literally every door lock available at my local Walmart can be picked in seconds. Most homes in the US are still using pin tumbler locks that were originally invented by the Egyptians thousands of years ago.

rook
  • 47,004
  • 10
  • 94
  • 182

7 Answers

20

The problem with trying to detect these attacks is that their common target - desktop workstations - largely goes unobserved for most of its life. Even if it actually sits on the desktop, users rarely pay attention to it except to push the power button, insert/remove removable media, or plug/un-plug accessories - all of which generally can be done from the front of the system, while the simplest way to hide these attacks is to plug into the rear. You could perhaps mandate that all desktops be kept actually on the desktop, and have all peripherals plugged into front-facing ports, but that almost certainly won't gain good user acceptance.

There probably is no easy way to thwart a hardware keylogger, except to regularly check your peripheral connections. You can include this in your end-user training, but it's unlikely to ever actually be done by them and it increases the probability that they'll have to call for help when they've inadvertently unplugged something essential in the process. A better method, if there must be one, may be to have a team of technicians perform regular hardware inspections.

The easiest and most cost-effective way to detect breaches into the computer case itself would be to use stickers akin to the ones OEMs use for warranty validation. Of course, this would require that you regularly check said sticker to verify it hasn't been tampered with. Again, this is not something that would be well accepted or implemented by the end-user. So, it will be up to your technicians to regularly inspect their systems. You'll also have to make sure that said technicians have access to the stickers so that they can apply new ones whenever they service the systems, but then we wander into the possibility of insider attacks.

Alternately, some cases and motherboards support hardware-based monitors which can alert you at boot-time if the case was opened since the last power-on. These may or may not be easily circumvented (i.e.: the attacker covers his tracks by power-cycling the system to dismiss the alert before the victim uses it again) depending on design, and again may still be vulnerable to insider threats.

Iszi
  • 27,027
  • 18
  • 99
  • 163
12

The problem with physical security is this:

If the attacker has physical access to the machine, then there is no security.

Unfortunately, there is very little that can be done about it for an end-user workstation. Where I work, we use workstations that really are desktops. So placing a security sticker on the case in front, in plain sight of the end-user, is easy. Case intrusion systems can send an alert if the case was opened, but those can be countered as well. The best security solution that I can think of is fourfold.

  1. Physical access controls to the location where the computers are kept. Employees who are authorized to work in that location can use either an RFID card or some magnetic stripe or barcode on their ID badge to gain access through a locked door. This allows the accesses to the location to be audited on a per-employee basis.

  2. Force the users to use two factor authentication: Something that you know with something that you have. There are several solutions on the market for this. One example being the widely popular RSA SecurID tokens.

  3. Do not store sensitive data on the end-user machines. Only store it on the server. Enforce data security using network access controls.

  4. Educate your users.

An interesting effect of #1 is that if a user logs into a computer at a location in which there is no record of them accessing the location, that discrepancy can be flagged for review. Also, configure a solution that displays, prominently, upon login the last time they logged in and the duration of the login. Unix machines do this already, but I have not seen this with Windows machines.

For servers, machines are usually stored in a back room somewhere. Instead of using a key to enter a locked server room, use the method for #1. That way, access is restricted to the room, access audits can be performed, and if someone is let go for some reason, you can remove them from the access system and not worry about them having made a duplicate key to the room.

As a side note, I would like to mention that if a sufficiently motivated attacker gained access to a computer and removed the hard disk, not even a hardware password for the hard disk will stop them from gaining access to the data stored on the drive. I read somewhere a while back that the drive itself stores the encryption key, in the clear mind you, on the disk platters in a location that the user cannot access. However, an attacker can open the drive and read the key directly and thereby decrypt the whole drive.

In the end, a sufficiently motivated attacker cannot be stopped short of arresting and prosecuting them when it comes to physical security. Or dragging them out and shooting them...twice for good measure.

Daniel Rudy
  • 333
  • 2
  • 6
  • I do not agree with your statement. Fact is that law enforcement has a big-time problem with computers (and mobile devices) that are protected with full disk encryption, yet having full access to these devices. – user258572 Jan 19 '18 at 22:10
  • I would imagine so. Look at the date of my answer. A lot has changed in 5 years since the Snowden revelations. In 2013, cryptography wasn't in as widespread use as it is now. Besides, I agree with your assessment though. The answer is correct at the time that it was posted. – Daniel Rudy Feb 18 '18 at 23:44
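The review idea in point 1 of the answer above (a login at a site with no matching badge record) can be turned into a small correlation check. The following is an added example, not code from the answer or from any badge or login product; the badge export format, the login event format, the site names and the users are all constructed for illustration. A login is flagged when the same user has no badge-in at that site within the preceding `WINDOW`, which also catches the wrong-site case (badged into one building, logged in at another) and the badge-recorded-after-login case (tailgating or clock skew).

```python
"""Correlate workstation logins with door-badge records (site access audit).

Added example. Both log formats below are constructed for illustration; a real
deployment would read the badge system's export and the OS login events instead.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# How long after a badge-in a login at that site is considered accounted for (assumption).
WINDOW = timedelta(hours=12)

# Constructed badge-reader export: one badge-in per line.
BADGE_LOG = """\
2013-03-04T08:30:00 badge-in site=BRANCH user=carol
2013-03-04T08:55:10 badge-in site=HQ user=alice
2013-03-04T09:00:00 badge-in site=HQ user=dave
"""

# Constructed workstation login events, already tagged with the site the host sits in.
LOGIN_LOG = """\
2013-03-04T03:14:00 login host=ws-07 site=HQ user=bob
2013-03-04T08:45:00 login host=ws-03 site=HQ user=carol
2013-03-04T09:02:11 login host=ws-12 site=HQ user=alice
2013-03-04T16:30:00 login host=ws-09 site=HQ user=dave
"""


@dataclass(frozen=True)
class BadgeIn:
    when: datetime
    user: str
    site: str


@dataclass(frozen=True)
class Login:
    when: datetime
    user: str
    host: str
    site: str


def _kv(tokens):
    """Turn ['site=HQ', 'user=alice'] into {'site': 'HQ', 'user': 'alice'}."""
    return dict(t.split("=", 1) for t in tokens)


def parse_badges(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *rest = line.split()
        if kind != "badge-in":
            continue
        kv = _kv(rest)
        out.append(BadgeIn(datetime.fromisoformat(ts), kv["user"], kv["site"]))
    return out


def parse_logins(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *rest = line.split()
        if kind != "login":
            continue
        kv = _kv(rest)
        out.append(Login(datetime.fromisoformat(ts), kv["user"], kv["host"], kv["site"]))
    return out


def unbadged_logins(badges, logins, window=WINDOW):
    """Logins with no badge-in by that user at that site in the `window` before them.

    A badge-in after the login does not count: the user was already inside
    before the door system saw them, which is exactly what needs a second look.
    """
    badge_times = defaultdict(list)
    for b in badges:
        badge_times[(b.user, b.site)].append(b.when)
    flagged = []
    for login in logins:
        recent = [t for t in badge_times.get((login.user, login.site), [])
                  if login.when - window <= t <= login.when]
        if not recent:
            flagged.append(login)
    return flagged


def review_report(badges, logins, window=WINDOW):
    """Human-readable lines for the reviewer, one per discrepancy."""
    return [f"{l.when.isoformat()} {l.user}@{l.host} ({l.site}): "
            f"no badge-in at {l.site} in the preceding {window}"
            for l in unbadged_logins(badges, logins, window)]


if __name__ == "__main__":
    for line in review_report(parse_badges(BADGE_LOG), parse_logins(LOGIN_LOG)):
        print(line)
```

On the constructed data, bob's 03:14 login (no badge record at all) and carol's login at HQ (badged into BRANCH only) are reported; alice and dave are covered by badge-ins earlier the same day. Badge-outs are deliberately not modelled, so the window is the only thing bounding a badge-in's validity; shortening it tightens the check at the cost of more reviews.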
12

Here is a generic attack which defeats most of the (otherwise good) ideas which are exposed here:

The attacker buys a PC case which looks like the target system. Inside, he puts a system which presents the same login screen as the target system, at the time when it asks for the unlocking password. But as soon as the user enters his password, the system sends the password across the network (possibly wireless) then commits suicide (e.g. it detonates some fireworks to simulate a failing chemical condenser, then goes to a blank screen). The attacker then just has to purloin the complete computer and put his imitation in its place. Sure, this will be discovered, but that will be too late: the attacker already has the hard disk and the unlock password.

(A cheaper and easier similar attack is to replace the keyboard with a replica which looks the same and works the same, but also includes the keylogger.)

Of course this attack cannot necessarily be applied, because of contextual elements; e.g. the computer is in a public place and there is no way someone could discreetly get away with a full computer case under his arm (unless disguised as some sort of IT operator, with jeans and unkempt beard, in which case this can probably be pulled off). This highlights the importance of the environment.

On a similar note, keylogging can be done remotely. For instance, a camera could be glued by the attacker on the ceiling, with a full view of the keyboard. This is done a lot with ATM and similar devices (e.g. 24/7 gas pumps) so the cameras and the know-how for their discreet installation are already widespread. This example shows that what matters is not the integrity of the computer, but the integrity of the complete environment where secret data is used, where the "secret data" here includes the user's password.


Generically, prevention of attacks such as the one you explain can occur in three ways:

  1. The attacker is prevented from altering the physical integrity of the computer, e.g. by not being able to reach it. Example: a locked case around the computer.

  2. A system is in place which guarantees, with strong probability, that the attacker will be identified (reliably, and promptly) if he tries his attack. This is a psychological deterrent (this may make the attack "not worth it" for the attacker). Example: security cameras.

  3. Assuming that the attack took place, you can detect it at the last minute, right before entering the target password.

Tamper-evident systems concentrate on the third method, but that's a last resort: these systems do any good only if the methods at the first two levels failed. In that sense, efforts should first be applied on the two other levels.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
  • 1
    Your "generic attack" can be trivially defeated using mutual authentication, e.g. with [MARK](https://www1.cs.fau.de/filepool/projects/mark/index.html). – forest Jul 16 '18 at 06:49
7

I had a Dell computer at one time that would notify me any time the case had been opened. Resetting the notification was done in the BIOS. Probably something similar to a computer case intrusion detection system.

Something like tamper evident tape might work (like the one pictured below).

[image: tamper evident tape]

mikeazo
  • 2,827
  • 13
  • 29
  • (+1) Oh, so just pull out the battery and restart the machine twice. Also tamper evident tape has problems, you should see the video I posted at the end of my answer. – rook Jan 03 '12 at 20:12
  • 5
    @mikeazo - How about we save the 300% markup on red scotch tape and just use a red marker and leftover scotch tape from the holidays. – Ramhound Jan 03 '12 at 20:13
  • 1
    Pulling out the battery would reset the BIOS password which would make the tampering detectable as surely the attacker couldn't put your old password back on the BIOS. Interesting video though. – mikeazo Jan 03 '12 at 20:14
  • @Rook - As you might know. Good security is a combination of factors. Of course once somebody has physical access to your machine there isn't much you can do. – Ramhound Jan 03 '12 at 20:17
  • @mikeazo passwords wtf? I am talking about the computer case IDS... – rook Jan 03 '12 at 20:26
  • @Ramhound Okay, how do you keep that from happening when every door lock you can buy at Walmart can be picked in seconds. – rook Jan 03 '12 at 20:29
  • 1
    @Rook, When you suggested pulling out the battery and restarting the machine twice I was assuming you meant the computer battery, and that that would reset the BIOS flag which says the case has been tampered with. I was suggesting that doing that would also reset the BIOS password which the user could detect. I.e., covering tracks in one way leaves other tracks. – mikeazo Jan 03 '12 at 21:02
  • 2
    The problem with tamper resistant tape is that nobody actually checks behind their PC to see if it's broken before they type their password in. Which of course opens the door to all sorts of other attacks, such as inserting a USB drive, hardware keylogger, etc etc. – mpontillo Jan 04 '12 at 00:41
  • @Ramhound It is true that physical access can overcome a number of security measures. However, this thread is about *detecting* attacks - not *preventing* them. – Iszi Jan 04 '12 at 14:24
  • 2
    @Rook - I would start by NOT buying locks from Walmart. – Ramhound Jan 04 '12 at 15:15
  • @Mike - You can always place the tape on all 4 corners. Of course you're looking at ugly tape. – Ramhound Jan 04 '12 at 15:17
  • 1
    @Ramhound Is that seriously all tamper-evident tape is? Coloured ink on the back of same-coloured tape? In my line of work we see these all the time, but I've never considered how they are made. – logicalscope Jan 06 '12 at 23:27
  • 2
    @logicalscope There's a bit more to it if you buy the proper stuff. The cheap junk is pretty much just printing ink on the sticky side of coloured packing tape, which can be defeated with detergent or heat. The good stuff uses multi-layer tape, with a pattern cut into the top layer, and perforations cut into the lower layer. The top layer is covered in a low-strength adhesive. The lower layer is coloured and uses a much stronger adhesive. As you pull the tape off, the top layer comes off but the bottom layer stays stuck to the surface. – Polynomial Jul 16 '12 at 09:18
  • 3
    The top grade stuff has small zig-zag shaped tear-foil strips inside, which destroy the top layer when you pull it off, and leave bits of foil stuck to the surface. They're near impossible to remove, and leave lumps if you try to apply another strip over the top. Even better, most of the foil is UV reflective, so you can identify that the tape is undisturbed by shining a UV light on it and looking for even zig-zag lines. – Polynomial Jul 16 '12 at 09:21
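The BIOS case-intrusion notification in the answer above is also readable from the operating system on Linux: some Super I/O sensor drivers (the nct6775 family among them) expose the motherboard's intrusion pin through hwmon sysfs as `intrusion0_alarm`, a flag that reads 0 for OK and 1 if the case has been opened, and that, unlike other hwmon alarms, stays set until someone writes 0 to it. The following is an added example, not code from the answer or from the kernel project: it scans a hwmon tree for such flags so the check can run at every boot instead of relying on someone noticing the BIOS screen. The `build_demo_tree()` directory is a constructed stand-in for `/sys/class/hwmon` so the example runs on any machine. As the comment thread notes, the flag can be reset by whoever has the board in hand, so it complements a sticker rather than replacing it.

```python
"""Read the sticky chassis-intrusion flag exposed by Linux hwmon drivers.

Added example. Real path: /sys/class/hwmon/hwmonN/intrusion0_alarm (0 = OK,
1 = case opened since the flag was last cleared). The demo tree is constructed.
"""
from pathlib import Path
import tempfile

HWMON_ROOT = Path("/sys/class/hwmon")


def read_intrusion_flags(root=HWMON_ROOT):
    """Return [(driver_name, attribute, value)] for every intrusion*_alarm under root."""
    found = []
    for alarm in sorted(Path(root).glob("hwmon*/intrusion*_alarm")):
        name_file = alarm.parent / "name"
        driver = name_file.read_text().strip() if name_file.exists() else "unknown"
        try:
            value = int(alarm.read_text().strip())
        except (ValueError, OSError):
            continue  # unreadable or malformed attribute: skip rather than guess
        found.append((driver, alarm.name, value))
    return found


def tripped(root=HWMON_ROOT):
    """Names of sensors whose sticky flag is set, i.e. the case was opened since the last clear."""
    return [f"{driver}/{attr}" for driver, attr, value in read_intrusion_flags(root) if value == 1]


def clear_flag(alarm_path):
    """Acknowledge an alarm by writing 0 (needs root on a real system).

    Do this only after the physical inspection: clearing the flag is also the
    first thing an attacker covering their tracks would do.
    """
    Path(alarm_path).write_text("0\n")


def build_demo_tree(opened=True):
    """Constructed stand-in for /sys/class/hwmon: one Super I/O chip with an
    intrusion pin and one CPU temperature driver without one."""
    root = Path(tempfile.mkdtemp(prefix="hwmon-demo-"))
    sio = root / "hwmon0"
    sio.mkdir()
    (sio / "name").write_text("nct6775\n")
    (sio / "intrusion0_alarm").write_text("1\n" if opened else "0\n")
    cpu = root / "hwmon1"
    cpu.mkdir()
    (cpu / "name").write_text("coretemp\n")
    return root


if __name__ == "__main__":
    # Use the constructed tree here; point at HWMON_ROOT on a real machine.
    demo = build_demo_tree(opened=True)
    hits = tripped(demo)
    print("case opened since last clear:", ", ".join(hits) if hits else "no")
```

Run at boot (before the disk passphrase prompt, if the check can be placed in the initramfs), a non-empty result is the cue not to type the passphrase until the case has been inspected. Boards without an intrusion header simply yield no `intrusion*_alarm` attributes, which the scan treats as "nothing to report" rather than as an error.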
2

All defence against physical access requires you to use physical security. The only physical security I can think of is determining a way for you to determine when something has been tampered with. If you've established this you know not to provide the key to your software security solution.

One thing I found interesting about that video you linked to is he doesn't address any tamper-evident solutions that would remain unknown. Consider how steganography works - the principle is you hide your safety mechanism. Think how perfect a tamper-evident tool would be if after tampering with your equipment, the attacker had no idea you would be able to tell. You might even be able to recover their hardware and determine who the perpetrator was.

Perhaps something like putting a human hair across a seal.

deed02392
  • 4,058
  • 1
  • 20
  • 20
2

Is the computer system you talk about a workstation or a server? The requirements for each one seem greatly different.

Regarding workstations, I think that laptops offer greater security than desktops. The keyboard being a physical part of the computer, plugging in a key logger becomes a much more difficult task (however this does not protect against Tempest-like sniffing). Moreover, during out-of-office hours, the computer can be taken by the employee, reducing the risk of malicious access (they can either be brought home, but this requires a strong involvement from the users in the company's security policy, or stored in a safe in the company office).

For servers, since they need to remain up and running even while there is no one physically present in the server room, I think that securing the servers leads to securing the room: badge access, presence detectors, surveillance cameras. However, the fact that a server needs to remain up and running is also a strength since, would you have a thoughtful audit system, a server reboot or disconnection (or other kind of unusual behavior, hardware changes, USB key or media insertion, etc.) should leave evidence not easy to tamper with (i.e. not stored in the same room...).

Sadly 100% security does not exist. But, while I read you talk about "cost effective and creative ideas for detecting physical attacks against computer", this reminds me of this funny technique in a movie where the "hacker" turned the wheels of his desktop chair to a certain position when leaving his apartment to detect any move of this chair during his absence (=> someone accessed his desktop and, most likely, his computer).

WhiteWinterWolf
  • 19,142
  • 4
  • 59
  • 107
  • @Daniel Rudy: "I read somewhere awhile back that the drive itself stores the encryption key, in the clear mind you": I think you are thinking about hard disk passwords rather than hard disk encryption. With a hard disk password, there is no encryption, but a password indeed stored as you described and the hard disk controller blocking any unauthorized access. With hard disk encryption, the security fully relies on the encryption software used, but hopefully the password is not stored anywhere, otherwise it would be called a backdoor. – WhiteWinterWolf Nov 03 '13 at 12:47
  • Actually, I do mean whole disk encryption. The key is stored in the clear on the HD. I think it's so recovery can be performed if the key was forgotten. But short of opening the drive and taking the platters out, there is no way to recover that key. The same thing with the HD password that you mentioned. – Daniel Rudy Jul 29 '21 at 00:43
2

I think you're possibly aiming too high-tech.

Detecting attacks from outsiders:

Any physical security measure that relies on visual inspection after the fact is flawed.

An attacker can (with enough effort) produce a system that is visually indistinguishable from your current one, but is acting as a proxy to the real system (unopened, untampered) they have stored somewhere else (while monitoring all the communication).

So: the strongest (in fact, I would argue the only complete) method of physical protection for a computer is supervision - CCTV records, access control and security patrols. You then have the problem of securing your CCTV system from physical attacks - but this is (I assume) a problem that CCTV systems already tackle to some degree or another, at least in terms of detection.

Of course, once you have such a system, then you can make the problem of replicating the system (or altering it without leaving a trace) harder, by methods such as tamper-tape.

Detecting attacks from insiders:

Obviously, access control won't help you if your attacker is an insider to the organisation.

CCTV and security patrols will still be helpful, though. Ensuring that people in the organisation can always see roughly what other people are doing will help them self-police ("What's Jane doing to her computer?").

Regularly inspecting or even swapping-out cheap externals (e.g. keyboards/mice) would force any physical attack to happen to the larger components (e.g. computer tower), which would hopefully be more noticeable (and tamper-tape, etc. would also help you here). For a small organisation, selling all your old monitors on eBay and buying new ones might not cost that much (especially if you're also getting those ones second-hand).

A physical attack probably isn't the vector of choice for an "insider" anyway - unless we're talking about a server that they aren't meant to have access to (at which point, the "outsider" situation applies).

cloudfeet
  • 2,538
  • 17
  • 22