
Let's say you have a server at a data centre, but a hacker manages to find a way in and has access to your server. What are the attack possibilities with all the interfaces available?

Are there any known attack and defence mechanisms to a system once physical access has been gained?

Think about VGA, USB, Firewire, IPMI and BMCs.

Running Ubuntu 16.04.

--- Edit ---

The question is a bit broad, however, I am hoping for practical answers, such as:

PCIleech: https://github.com/ufrisk/pcileech

The answer provided is not exactly what I am looking for, since the top answer is: "The attacker can do everything". I am hoping for more in-depth (practical) answers on what the possibilities of 'everything' are.

Kevin C
  • If you are looking for a list of all possibilities, that makes this even more too broad. The point is that you have lost *all* control so there is nothing you can do to stop any one particular attack. So knowing a list of things is meaningless. – schroeder May 15 '18 at 12:42
  • If you narrowed down your question to a specific threat on interfaces, then maybe this can be answered. – schroeder May 15 '18 at 12:44
  • 1
    OP, in general you can protect in software from attacks from a variety of interfaces, with the exception of JTAG. If an attacker has access to the JTAG header or traces, they will be able to have a higher level of access than even any software can get (they will be able to halt the process or and examine or modify register states, memory, etc. They will be able to step the processor one instruction at a time and monitor the pipeline states, etc). – forest May 15 '18 at 13:36
  • 1
    Well, for that device, there’s USBGuard that can blacklist USB VID/PID sets. But if you’re in America, you’ve got some very liberal defense-of-property laws. You can check with an intelligent cop (schroeder) if you’re legally allowed to boobytrap your server room. Texas? Probably! Regardless, you want an off-grid alarm system (not GSM based, no PIR - use radar (google doppler motion sensors)) and sensors in your cage and server case. – user2497 May 15 '18 at 13:43
  • 2
    @user2497 For what device, JTAG? You can't block JTAG using software. And why do you think schroeder is a cop anyway? Also no, you cannot boobytrap your room in any state in America (assuming the boobytrap causes injury) due to the Fireman's rule. – forest May 15 '18 at 13:47
  • @forest (one variant of) PCIleech has a USB interface. OP mentions PCIleech. An intruder can’t access JTAG pins without opening server case. And as for scroeder, he has reprimanded me for saying the police is useless for... whatwasit... solving cybercrime. I extrapolated from that. It doesn’t matter. +1 for Fireman’s Rule. IS SCHROEDER NOT 5-0? – user2497 May 15 '18 at 14:04
  • @forest OP changed the focus of the question after closure. I could re-open but then I would close as being too broad (as I mentioned, asking for a list of all possible interface threats) – schroeder May 15 '18 at 14:29
  • It’s possible in practice to sniff the USB2 bus for everything, including keyboard data (but requires moderate storage capacity or very clever filters for specific traffic), since it multicasts stupidly. USB3 does not multicast. VGA is analogue. HDMI and DVI are duplex, and there are some obscure ways to interact with them - probably also retrieve screen data, or talk to other nodes. Firewire is worse, and can be used for DMA attacks, like your PCIleech link. I expect the weird thunderbolt to be just as failed a design:/ If you are worried about coldboot, carry a bootstick with you. – user2497 May 15 '18 at 17:50
  • 1
    @user2497 USB is a _unidirectional_ multicast though, so you could not sniff keyboard data. All you could sniff is data going from the computer to the keyboard, and who cares about sniffing caps light status controls? Master to slave can be sniffed, slave to master cannot. Also, you are right that police are pretty much useless for solving "cyber" crime. I agree with you there. – forest May 15 '18 at 23:18
  • @forest This is good to know, I thought USB was weird and broken when I read that misinforming article. – user2497 May 15 '18 at 23:19
  • OP, perhaps you should create a new question with a more specific focus, for example asking what the capabilities of a specific interface or interfaces are and narrow it down to a specific architecture (e.g. x86). Also note that IPMI and such are not interfaces. They use the networking card (in which case the interface would be e.g. Ethernet). – forest May 15 '18 at 23:20
  • Thanks all for the comments. I'll create separate threads for each required item. Thanks! – Kevin C May 16 '18 at 12:03
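Added example, not part of the thread and not code from any project mentioned in it: a small shell audit of the host-side defences the comments touch on for a server like the one in the question, namely whether the IOMMU is remapping device DMA (the control against FireWire/Thunderbolt/PCIe DMA tools such as the PCILeech link above), whether the firewire-ohci and thunderbolt modules are kept from loading, and whether USBGuard is installed for USB device allow-listing. It assumes an Ubuntu 16.04-style Linux host with the usual paths /proc/cmdline, /etc/modprobe.d/*.conf and /sys/kernel/iommu_groups; the check functions take their input as arguments so they can also be run against captured data from another machine. On AMD hosts the IOMMU can be active without an explicit kernel parameter, so the iommu_groups check is the authoritative one and the command-line check only a hint.

```shell
#!/bin/sh
# Physical-interface hardening audit (added example; assumes Ubuntu 16.04-style paths).
# Check functions take their input as arguments; audit_report() feeds them live data.

# 0 if the kernel command line asks for the IOMMU (intel_iommu=on / amd_iommu=on)
# and does not switch it off again with iommu=off.
iommu_cmdline_ok() {
    case " $1 " in
        *" iommu=off "*) return 1 ;;
        *" intel_iommu=on "*|*" amd_iommu=on "*) return 0 ;;
    esac
    return 1
}

# 0 if the IOMMU groups directory exists and is non-empty: the runtime proof
# that device DMA is being remapped rather than hitting physical memory directly.
iommu_groups_present() {
    groups_dir="$1"
    [ -d "$groups_dir" ] || return 1
    for entry in "$groups_dir"/*; do
        [ -e "$entry" ] && return 0
    done
    return 1
}

# 0 if modprobe configuration text ($2) stops module $1 from loading, either by
# "blacklist <mod>" (blocks alias autoload only) or "install <mod> /bin/false|true"
# (blocks explicit loading too). Module names may use '-' or '_'; both are accepted.
module_disabled() {
    mod=$(printf '%s' "$1" | tr '_' '-')
    printf '%s\n' "$2" | tr '_' '-' | grep -Eq \
        "^[[:space:]]*(blacklist[[:space:]]+$mod[[:space:]]*$|install[[:space:]]+$mod[[:space:]]+/bin/(false|true))"
}

# 0 if module $1 appears in lsmod-style output ($2); the header line is skipped.
module_loaded() {
    mod=$(printf '%s' "$1" | tr '-' '_')
    printf '%s\n' "$2" | awk -v m="$mod" 'NR > 1 && $1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# Live report for the host this runs on. Every check degrades gracefully when a
# file or command is missing so the script is safe to run on any Linux box.
audit_report() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    modconf=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
    mods=$(lsmod 2>/dev/null || true)

    if iommu_cmdline_ok "$cmdline"; then echo "OK   IOMMU requested on kernel command line"
    else echo "WARN IOMMU not requested on kernel command line (may still be on by firmware default)"; fi

    if iommu_groups_present /sys/kernel/iommu_groups; then echo "OK   IOMMU groups present: device DMA is remapped"
    else echo "WARN no IOMMU groups: a DMA-capable device on FireWire/Thunderbolt/PCIe can read RAM directly"; fi

    for m in firewire-ohci firewire-core thunderbolt; do
        if module_loaded "$m" "$mods"; then echo "WARN $m is loaded"
        elif module_disabled "$m" "$modconf"; then echo "OK   $m disabled in modprobe.d"
        else echo "INFO $m not loaded, but nothing prevents it from loading on hotplug"; fi
    done

    if command -v usbguard >/dev/null 2>&1; then echo "OK   usbguard installed (USB device allow-listing available)"
    else echo "INFO usbguard not installed: any USB device that is plugged in will be enumerated"; fi
    return 0
}

audit_report
```

Run it as-is for the report; to audit a captured system, call the check functions with the contents of that system's /proc/cmdline, modprobe.d files and lsmod output as arguments.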

1 Answer


Companies like Amazon (AWS), Microsoft (Azure) etc. are all ISO XXX compliant, have strict security rules (I guess). Now neither you nor they can prevent a malicious employee who has access to the data center from harming/hacking the hardware. But it can be detected...

One defence I can think of is to encrypt the disk at rest.

The rest is in the hands of the attacker.

schroeder
Kaymaz
  • This really isn't an answer. The scenario is that an attacker gets physical access (not the likelihood of this happening), which makes your first paragraph moot. "The rest is in the hands of the attacker." is an anti-answer. The whole point of the question is to ask what can be done. – schroeder May 15 '18 at 11:59
  • 2
    By the way, I have walked the data center floor of an Amazon data center. ISO XXX certification is meaningless when I can pop a USB stick in a device in one of the cages, and no, it cannot be detected. – schroeder May 15 '18 at 12:02