41

Let's say you're in a public café, or conference, where you trust your device won't be stolen if you go to the bathroom for 5 minutes, but you don't trust it might not be tampered with.

What are the potential security risks I might run into here, assuming I lock/log off my laptop's (windows / mac / linux) user session, maybe even turn it off?

Zee
  • 529
  • 1
  • 4
  • 7
  • 23
    Depending on the device and it's setup security, it may take seconds to be compromised or it may not be at all. Your question is too general. – Overmind Dec 31 '19 at 13:53
  • 2
    @Overmind is it really too general? I'm welcome to suggestions on how exactly to make it more exact, but I feel it instantly becomes too specific if I do that. There are many similar "general" questions like this one about on Sec SE (such as public Wifi risks, connecting pendrives to a device risks, etc..), yet I could not find any one of them with this exact scenario. The answer might need to be a bit elaborate, but considering it "too general" feels like an inaccurate judgement – Zee Dec 31 '19 at 13:59
  • 7
    Related, possible duplicate: [Is momentary physical access dangerous?](https://security.stackexchange.com/questions/187515/is-momentary-physical-access-dangerous) – forest Jan 01 '20 at 11:59
  • 3
    Relevant: https://en.m.wikipedia.org/wiki/Evil_maid_attack – Sam Weaver Jan 01 '20 at 19:13
  • 5
    So why do you assume your device is safe from theft? It might be sufficiently nicer than someone else's that they fail to resist temptation. Or maybe security will spot it, take it and 'render it safe' in case it contains an explosive device. – houninym Jan 02 '20 at 09:14
  • https://github.com/axi0mX/ipwndfu .. https://checkm8.info ... https://blog.trailofbits.com/2019/09/27/tethered-jailbreaks-are-back/ –  Jan 02 '20 at 12:48
  • 3
    Do you consider data loss as a vulnerability? If yes, then a well placed hammer blow takes considerably less time than a bathroom break. – MonkeyZeus Jan 02 '20 at 14:11
  • 1
    Depends. If the conference in question is [DEF CON](https://en.wikipedia.org/wiki/DEF_CON), the question is more "how many different ways will it be hacked?" – Mark Jan 03 '20 at 00:31

9 Answers9

60

Everything

I reference the 10 immutable laws of security, especially #3:

If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

Of course a computer sitting unattended at a coffee shop for 5 minutes isn't going to be as vulnerable as a computer that spends a year at NSA headquarters, but you would be surprised how quickly someone with physical access can cause trouble.

This is a bit broad and I'd like to avoid a book for an answer, so I'm going to just focus on one class of attacks that most consumer laptops are vulnerable to: USB-based attacks. USB is fun because a USB port can be used for almost anything. This has lead to the classic form of an evil maid attack, whereby an attacker simply plugs a device into your USB port that promptly owns your computer. This can take a number forms, but I'll list just a few:

  1. The USB device pretends to be a keyboard and attempts to inject commands into your machine (possibly starting with a bruteforce of your lock screen)
  2. The USB device pretends to be a high-priority network adapter, injecting long-living DNS rules into your networking setup, effectively implementing a permanent MitM attack on target websites for your machine (because of how network devices work this is typically possible even for locked computers)
  3. The USB device charges a bank of capacitors from your power supply and then sends a high voltage charge back, instantly frying your entire laptop.

Here is a longer list, but since this is an entire class of attacks options will change and google is your best bet here. Many of these attacks require a device to be plugged in for just seconds. They can leave your computer completely compromised or just plain dead (aka the most effective DoS). Is this likely? Probably not. Is it possible though? Absolutely, with little effort, so long as someone is walking around with a device in their pocket.

Conor Mancone
  • 30,380
  • 13
  • 92
  • 98
  • 54
    Number 3 is a little silly. Someone could also smash it with a hammer. or drop it. "Laptops vulnerable to potential energy attack!". – Steve Sether Dec 31 '19 at 15:14
  • 46
    @SteveSether lol, valid point. However, those things are fairly obvious in a coffee shop. I can virtually guarantee you that somewhere out there is a kid walking around with a USB killer in his pocket, just looking for an unattended laptop to plug it into "for the lolz". – Conor Mancone Dec 31 '19 at 15:20
  • 3
    My point is more that it's fairly obvious that someone could physically destroy your laptop with physical access. Does that method really matter? You could also drill a tiny hole in the right spot and it wouldn't be immediately obvious someone did it. – Steve Sether Dec 31 '19 at 15:25
  • 20
    @SteveSether I don't disagree, but if I'm going to make a list of potential attacks through a USB port, I think that I would be remiss if I left off the USB Killer. – Conor Mancone Dec 31 '19 at 16:14
  • 18
    re: 1.: Why the brute force? simply wait 10 minutes, until the guy owning the laptop has unlocked it. Then, distract him, and let the malicious keyboard emulator execute whatever they want. Such an emulator can be small enough to fit *inside* your USB port, so that you wouldn't even see it. – Marcus Müller Dec 31 '19 at 22:18
  • 1
    @SteveSether Is it that obvious? Sure, once it's pointed out everyone has a "duh" moment, but if you actually ran a survey asking participants to list potential avenues of attack, would you actually get many responses that include physical DOS attacks? The existence of questions such as this suggest that it's not obvious to everyone. – 8bittree Dec 31 '19 at 23:34
  • 9
    @SteveSether & others who derided the USB killer attack -> There ARE people who think it is 'cool' to use these sorts of devices. Also people who would perhaps like to axe-attack, incinerate, defenstrate or otherwise destroy your property. HOWEVER, of all these the USB killer attack is (usually) silent, rapid, inobvious and fatal. It MAY be able to be implemented entirely covertly in seconds. -> Sit at table opposite or near laptop. Slide hand with USB killer in into nearest USB port. Cycle. Leave. The device could be precharged - making killing time somewhere under a second insert to removal. – Russell McMahon Jan 01 '20 at 07:13
  • 5
    @SteveSether: In a cafeteria at a conference, or a coffee shop, what are the chances of someone calling security, (or remembering a face when police look for witnesses) if 1. someone with a hammer or portable drill physically destroys an unattended laptop: very high 2. someone sits down near an unattended laptop, then plugs something into it: a lot lower. Especially if you're subtle and/or wait some time between sitting down and plugging something in so people forget it wasn't your laptop. – Peter Cordes Jan 01 '20 at 10:19
  • @SteveSether If you allow me to nitpick in order to be precise, a laptop that succumbs to a hammer is not vulnerable to *potential* energy attack. It is vulnerable to **kynetic** energy attacks. – Mindwin Remember Monica Jan 02 '20 at 18:45
  • 1
    @RussellMcMahon There's potentially hundreds of ways you could destroy a laptop and not have it be immediately obvious Many of which are cheaper, easier, and require even less technical knowledge that "USB killer". For instance, you could spray acid inside the thing with a small syringe, and have it slowly eat away at the internal circuitry over a matter of days. It wouldn't be too hard to conceal this. I think this is all covered under the assumption we all have that "someone with physical access to something could destroy it." – Steve Sether Jan 02 '20 at 19:07
  • I agree with the gist of your answer, but here is some nitpicking. #1 won't work unless it will constantly try, which will be seen by the user. #2 can be blocked with software such as Penteract disguised keyboard detector (which will also alert the user to #1 when they log back on). #3 was mentioned in other comments. – User42 Jan 02 '20 at 21:45
  • 1
    @SteveSether It's always possible to argue for any point of view. I've not heard of acid syringe attacks, bulraian umbrellas or stilletos being used to hopefully covertly destroy computers. It may well happen. Occasionally. USB killers are, alas, "a thing" that has attracted attention of the ungodly. [Garglabet claims 383,000 results for USB killer.](https://www.google.com/search?q=%22usb+killer%22&rlz=1C1CHBF_enNZ834NZ839&oq=%22usb+killer%22&aqs=chrome.0.69i59j0l7.4046j0j4&sourceid=chrome&ie=UTF-8) and here is [usbkill.com](https://usbkill.com/) and [here](https://wiki2.org/en/USB_Killer) ... – Russell McMahon Jan 03 '20 at 03:20
  • 1
    ... is Wikipedia's entry. And [here](https://www.theverge.com/2019/4/17/18412427/college-saint-rose-student-guilty-usb-killer-destroyed-computers) is a real world example of numerous computers being destroyed y such a device. || || It seems strange to me that people will argue so strenuously about a post describing such devices and demonstrating that they are a genuine real world threat. If this is not of concern to the OP and others then that's fine, nothing to see here, move along. Odds are, more than one reader has found this information useful. – Russell McMahon Jan 03 '20 at 03:28
  • @RussellMcMahon You seem to misunderstand. I don't disagree that some idiot could destroy your laptop with a USB killer, or that jackasses have actually done this. I just argue that it's obvious someone could destroy your laptop with physical access, and it's already well understood, obvious, and not worth mentioning. – Steve Sether Jan 03 '20 at 03:58
  • USB killer: could be achieved also by a cup of coffee or an innocent push of the device of the table for most purposes. USB network adapter: not sure about linux, but the windows company laptop I got does not accept USB devices while locked. Brute forcing the lock screen: you will exceed the amount of domain login so quickly that the person will notice something is wrong. A realistic attack mode for me would be to insert a "keyboard/mouse" which waits until the laptop is unlocked (hmm. that is actually the difficult part....) and then downloads malware – Sascha Jan 03 '20 at 05:04
  • 1
    @Sascha The "USB killer" (or functionally similar device inserted into any other port - eg firewire headphone jack, ...) needs only the ability to be physically plugged in. Being It is not relevant to it that the device is locked. Unlike a cup of coffee or push off the table or other externally destructive attack it can be completely inobvious to observers that an attack has been made or that damage has been done. Attack time can be under one second. – Russell McMahon Jan 03 '20 at 06:14
  • @RussellMcMahon: Yes, but if somebody is watching you using something like this would take the level from an explainable unlucky event to criminal behavior. – Sascha Jan 03 '20 at 06:55
  • I feel maybe the examples distract from the real lesson to take away from the rule: you don't leave your devices unattended, ever. "Everything" puts it well, you simply don't know *who* can do *what*, nor why or in how much time. One can muster ways to mitigate attacks, but the only real way to prevent tampering with your device is to take it to the loo with you. At least I think it would be useful to have that figure explicitly. – AmiralPatate Jan 03 '20 at 10:57
  • 1
    @Sascha Step back and consider this in the context of the original question. "If someone is watching you ..." It's a coffee house etc. Just about every other exploit, attack, .... here will take time and up-close-and-personal interaction with the user's device. Whether an axe attack, or whatever security exploit. The cool kid who sits down next to the device and surreptitiously brushes his hand against it for about 1 second (literally) to up his score is about as covert and undetectable as you are going to get. An EMP attack may be less so, if you can conceal the EMP generator :-). – Russell McMahon Jan 03 '20 at 11:11
  • This #3 rule is silly. It all depends on the system - an unecrypted laptop is different from an iPhone correctly configured. – WoJ Jan 03 '20 at 15:07
  • 1
    Mildly OT, but I would expect a machine that spent *an entire year* at NSA to, like, hover ominously a few meters behind me everywhere I go, always hiding behind the closest corner, making noises just perceptible enough for me to think I heard something... again??? – i336_ Jan 03 '20 at 15:46
14

The two answers so far have focused on inserting a USB device in the laptop. I'd be more concerned about inserting a PCI(e), firewire, or similar device with direct bus access into an expansion slot of the laptop. While USB doesn't have direct access to memory, various expansion cards do and can read/write directly to memory without going through the CPU. More information available from Wikipedia

That means it's possible for someone to read and write the entire contents of your memory directly by inserting a rogue expansion card in your computer.

I'll add that this is relatively unlikely, unless you're being targeted by an intelligence agency, or maybe highly organized criminals going after you personally. I don't know that a piece of hardware like this is commercially available.

Steve Sether
  • 21,530
  • 8
  • 50
  • 76
  • 6
    Not many laptops these days have firewire with unrestricted DMA; PCIe over thunderbolt, I think, is restricted by default until the OS tells the thunderbolt PCIe switch to do its thing. Leaves us with ExpressCard as the attack vector! – Marcus Müller Dec 31 '19 at 22:20
  • @Steve Give me access to ground and one somewhat-isolated-from-ground connection and (should I wish it (I don't)) your device is toast. If you can get high energy and voltage into any node connecting to "silicon" that is not isolated and clamped by design to withstand an immense energy surge then, once it gets a foothold in an IC that is loosely connected by power supply rails and buses and .... , the energy is liable to end up 'anywhere'. || eg only - USB +5V and -ve. -ve essentially ground (probably). ... – Russell McMahon Jan 01 '20 at 08:22
  • ... 5V MAY be isolated from other supplies but PROBABLY connects to a 5V supply serving other areas. - possibly via filtering and probably via electronics (handshake, current limit, ...). Apply say 2 kV at as many Joules as I care to carry and the chances of a system not designed to resist resisting is small. – Russell McMahon Jan 01 '20 at 08:22
  • @MarcusMüller For Windows 7 at least, Firewire DMA is disabled when the lock screen is active. I'm not sure about other external DMA-capable devices. Of course, if you can open the laptop quickly, PCIe hotplugging will let you get access to most system memory, assuming DMAR is not configured (not sure if Windows configures it by default. I think MacOS does, but not very well, and Linux only if you tell it to). – forest Jan 01 '20 at 12:11
  • Small nitpick for this answer, but PCI (as opposed to PCIe) does not support hotplugging unless you're using server motherboards with special hardware, so even if you did find a laptop with PCI, you wouldn't have to worry about hotplugging as a vector for DMA attack. And yes, hardware like this is commercially available (but it's probably better to build it yourself, which isn't _that_ hard... just buy a cheap PCIe FPGA and [program it to do DMA reads](http://xillybus.com/) and dump that over USB or even serial, if you have the time). – forest Jan 01 '20 at 12:13
  • USB 4.0 will allow DMA like Thunderbolt/Firewire... – schlenk Jan 01 '20 at 20:40
  • @forest Where can you buy such a device to copy the whole memory of the laptop? – Steve Sether Jan 02 '20 at 15:17
  • @RussellMcMahon A similar result can be achieved with a technology invented 1 million years ago. It's called a rock. – Steve Sether Jan 02 '20 at 15:32
  • @SteveSether Look for any FPGA PCIe card. You'll be able to use a PCIe IP core. It's not a simple "anyone can use it plug-n-play". You need to tailor it to your target, or at least to their OS and version. There are easy plug-n-play ones but I believe they are sold at extremely marked up prices to law enforcement (since they rarely have the skills to do it themselves). For an academic example (actually, one of the first), look up the paper on "Tribble" (yes, as in "Trouble with Tribbles" from Star Trek). – forest Jan 03 '20 at 08:44
  • @SteveSether Know that the majority of modern operating systems block DMA attacks with DMAR, though there are often ways around it (e.g. https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_05A-1_Markettos_paper.pdf). – forest Jan 03 '20 at 09:15
11

Most laptops have provision for booting from an USB disk. If this is not blocked at BIOS level, an attacker could boot on their system disk, and then mount your physical disks and do whatever they want (read/write). This a the standard way to (re-)install a system.

Serge Ballesta
  • 25,952
  • 4
  • 42
  • 84
  • 9
    That's a good reason to encrypt any partitions that might have sensitive data on them, btw. – Jeremy Friesner Jan 01 '20 at 00:30
  • 2
    In the time it takes you to pee? If so you need a doctor, not security advice – George M Reinstate Monica Jan 03 '20 at 01:24
  • No. they can't if the drive is encrypted. – Sascha Jan 03 '20 at 04:55
  • Encryption is indeed a nice protection at rest on a *confidential* point on view. On an *availability* point of view it is terrible: just overwriting some sectors on an encrypted partition irremediably destroys the whole partition data. So yes with encryption, an attacker can destroys all your data in the time it takes you to pee... – Serge Ballesta Jan 03 '20 at 07:04
  • @SergeBallesta: yes, but he is probably unable to "mount your physical disks and do whatever they want (read/write)". Just being able to destroy the disk is not the same as doing whatever you want. (and btw, most company laptops have tthe "Boot from USB" option blocked.) – Sascha Jan 03 '20 at 13:49
  • Disk encryption does not necessarily protect against this type of attack. The encryption key is still present in RAM when locking/sleeping the computer, so the USB device could contain software to find the encryption key in RAM. Turning off the device is not enough to prevent this attack as RAM will not immediately loose it's data when power is lost. (To be honest, I don't know if modern OSs have mitigated this by overwriting the encryption key from RAM at sleep/lock time, but I haven't heard of it yet) – Pete Jan 03 '20 at 16:17
  • Even if it is blocked at the BIOS level, they can just remove the hard drive and plug it into another computer. – jiggunjer Jan 03 '20 at 16:22
  • @GeorgeMReinstateMonica there's other things you can do in the bathroom besides peeing – SunshineToast Jan 13 '20 at 22:12
  • Did you read the question SunshineT? there's not much else you can do in less than 5mn, including finding the bathroom and walking back and forth. – George M Reinstate Monica Jan 13 '20 at 22:56
9

I have a simpler risk: Social engineering. Much easier to do if the attacker can write down asset number (look on the backside of the laptop), telephone number of the support and the login name visible on the locked screen, and potentially know the company. Computer name (if on an asset tag) could also be useful for later mischief like faking an ID in the company network, credible camouflage when doing MITM and other funny things.

Sascha
  • 210
  • 1
  • 3
5

The answer is actually anything between „nothing“ and „anything“ and depends heavily on the device and the scenario you‘re talking about.

Most likely scenarios would be:

  • Nothing has happened
  • Theft[1]
  • A targeted attack using special hardware

The following assumes that the attacker did not observe you entering your passcode, which is a realistic scenario as well.

The USB attacks mentioned here are mostly effective against unlocked devices. While the attacker could leave something plugged into the USB port, there is a high chance that you‘d discover it before you unlock.

The attacker could „bug“ your device in other ways, but it would have to be done in a way that you don‘t discover when you return. That will be very hard to do in 5 minutes and requires pre-planning.

Someone who is after your data could of course simply steal the device, which is presumably unattended. Then they can spend more time and effort on the attempt; though you would obviously notice that it has gone.

If the device is off and encrypted, the only way to gain access would be a dictionary or brute force attack on your passcode; everything would depend on the security of that.

If the device is encrypted and turned on, the encryption will be unlocked. The attacker may be able to extract data from the running system. This may require some custom hardware and the difficulty will depend on the type of device.

If the device is not encrypted, reading the data is trivial.

The chance that a random stranger will just walk by and hack an encrypted, locked device is remote - unless you are at a security conference.

If you have to worry about being targeted, there may be a credible threat.

But if you‘re defending against a targeted attack, just thinking about the device itself would be too narrow in scope: The attacker could also try to slip an actual bug into your bag or jacket. Or try to slip a USB device into your conference bag that looks like swag, in the hope that you connect it yourself. Or try to film or observe your passcode when you come back, in preparation for a later attack.

Against a targeted attacker, „device not compromised after toilet break“ doesn not equal „safe“.

The most probable „attack“ is still theft - even if only to sell the thing. Or, if they want to vandalize the machine, they could also just spill coffee over it and be done.

[1] I noticed the part where it says you „trust it not to be stolen“, though it is hard to imagine a situation where the device would be „supervised“ enough not to be stolen and yet tampering goes unnoticed. Many or most of the techniques mentioned here (including rebooting and entering the BIOS) are more conspicuous than theft in the first place.

averell
  • 1,103
  • 7
  • 10
  • 1
    For me, I interpreted the "trust it not to be stolen" more as "If I come back from the washroom and my laptop is still there, can I assume it's safe". At that point you know it's not stolen, the question is what could have happened in the interim. The wording of the question, imo, is easier to ask what the threat against an unattended laptop is and exclude theft than to ask the question about the post-hoc – Cruncher Jan 02 '20 at 18:47
  • 2
    Well, I into the scenario as well, but having only 5 minutes in a public place is actually a pretty hard constraint; and even harder if the attack shouldn‘t be detected. It isn‘t impossible, but pretty much needs to be targeted (unless the device is unlocked). Many of the more complex attacks are actually *harder* to pull of than theft in this scenario. – averell Jan 02 '20 at 21:56
4

Left turned off: variants of "evil maid attack" (compromising your bootloader in order to obtain your encryption password). Or if not encrypted - just booting from an external media and getting whatever interesting left in the filesystem and/or installing rootkit. Opening and plugging your storage elsewhere is also an option.

Left turned on and locked:

(1) turn it off and see above (you will notice but it may be late).

(2) without turning off: Exploit some external device driver vulnerability with some evil device (USB, eSATA, FireWire, mini-PCIx, NFC, CCID, power supply data interface, whatever) and gain partial or complete control. Yes, broken drivers do exist and most modern OS in their default setups readily load them when presented proper device IDs over the interface. Besides broken device drivers there are also broken application stacks (network, HID, pkcs11, whatever)

(3) Denial of service: Trying few wrong passwords and locking out your account (not every OS reports that your account is locked)

(4) Mounting remote attacks against Bluetooth, Wifi, NFC, IR, whatever - some of them require visible equipment in physical proximity.

(5) Collecting physical fingerprints from your keyboard for later use against fingerprint-enabled phone or the laptop itself.

(6) Installing spy hardware in your computer (ex. replacing your external or swappable battery, mouse, power brick or something else w/ something looking similar and having cell-enabled tracker and/or mic)

The list can really go on and on. Some of these attacks are complex and/or targeted, but pretty much doable.

fraxinus
  • 3,458
  • 6
  • 20
  • I think collecting fingerprints has very little to do with leaving your laptop unattended. It's just as easy, if not easier, to lift a fingerprint from a drinking glass. But it is true that some laptops have fingerprint readers and can be unlocked with a forged finger. – Fax Jan 02 '20 at 04:28
  • Here's one that would have been considered nation-state level only a few years back, but is moving down the chain to high end hackers: exploiting one of the many ME/PSP physical access flaws to inject effectively permanent, invisible, network-connected malware. This is especially interesting because the ME/PSP are in every single modern laptop (barring e.g. ARM Chromebooks), few people know about them, and the malware would survive OS reloads. From there, it could read e.g. encryption keys straight from RAM (or write data straight to disk). – madscientist159 Jan 02 '20 at 06:38
  • 1
    @madscientist159 what you talk about fits in "broken application stack" perfectly. ME (and friends) are broken in security sense from the very basic idea up to the generic bugs in existing implemetnations. – fraxinus Jan 02 '20 at 09:31
  • @fraxinus The key difference is that. at least in most cases, if I have a broken application, I can choose to replace it (or even write a replacement, if it's business critical functionality). The ME/PSP are "special" in that they only boot binaries signed with the Intel/AMD key (note the key word "boot" -- once booted, just like jailbreaking an iPhone, they can be exploited). This puts them in a rather special class; at least one company I know had to dispose of otherwise perfectly good Intel boards that were out of support, when being able to disable the ME would have saved the E-waste. – madscientist159 Jan 03 '20 at 06:02
  • 1
    @madscientist159 Agree, from the very special point of view of the advanced security engineer. Otherwise, a lot of devices today run only signed software and this can be both good or bad security-wise (generally bad as is the case with ME). – fraxinus Jan 03 '20 at 10:30
4

Here's a specific scenario. You have a ThinkPad, and like most ThinkPad owners you have never set a supervisor BIOS password.

Note that a ThinkPad BIOS has two different passwords, in addition to any hard drive passwords. There is a supervisor password and a power-on password.

The power-on password lets you boot the machine. This password is easy to reset; in fact the Hardware Maintenance Manual for many ThinkPads lists the procedure to reset it. It is often as simple as removing the main battery and CMOS battery.

The supervisor password is required to change BIOS settings. This password is much harder to reset. The official method is to replace the system board. The unofficial method involves getting an SPI flash programmer, capturing a copy of the current BIOS, sending it to a company in Romania who will patch the BIOS for you, and then flashing their patched BIOS on your machine.

Because you did not set a supervisor password, anyone can boot your machine into the BIOS and set a new supervisor password after messing up your BIOS settings. This would take only a minute or two and it would leave you with an unbootable machine and no quick and easy way to recover.

Of course, the bad person is thoughtful enough to leave you a sticky note offering to save you the trouble of going through the procedure above. They will give you the new supervisor password in return for a Bitcoin payment.

  • Great addition in general, but one nitpick: while this might work for a ThinkPad, most of the time it is fairly straightforward for the owner of a device to reset the BIOS themselves (done it myself a dozen times on different machines). – Conor Mancone Jan 02 '20 at 15:28
  • @ConorMancone It's straightforward for a ThinkPad too. – Sneftel Jan 02 '20 at 16:35
  • @ConorMancone and Sneftel - Thanks for your comments. You are right that the _power-on_ password is easy to reset, even on a ThinkPad. I updated the answer to clarify that I was talking about the _supervisor_ password, which is much harder to reset. – Michael Geary Jan 02 '20 at 23:03
1

This answer covers a non-data-security risk that may also be worth considering:

Worst case" for a system with ANY hardware port - total internal destruction in seconds.

"USB killers" have been mentioned - and have been dismissed by a number of people as being no different to other physical destructive attacks.
This comparison is incorrect.

A "USB killer" is a (usually) USB memory stick sized device that plugs into a USB port
(or other port if so designed) and delivers a high energy and/or high voltage impulse into the port with the designed aim of destroying as much of the system as possible.
While USB killers are offered or promoted by some sources as ESD testing devices and to demonstrate whether the USB ports exhibit "ESD vulnerability" (some test) this is unlikely to be the reason that the cool-kid plugs one into your computer while you are absent. It is suggested by some sites that proper design will avoid damage from such devices. I have a Masters in Electrical engineering and 50 years experience. Should I wish (which I certainly don't) I could produce a device that would defeat all but systems expressly designed to protect against exceptional high energy high voltage attack. Opto or other couplers, isolation, high energy capable clamps, ... .

These devices really exist.
They are easy to build and trivially easy to use. They are often designed to charge from the USB port BUT can be precharged. A device using eg "super capacitors" can deliver an impulse in a very small fraction of a second that has enough energy to do substantial damage to much of the system.
If someone was keen enough (and a few may be) a wired capacitor bank could be used to deliver far more energy. Wire can run down a sleeve and across the palm of the hand to the "head". A device with minimal risk to the user could easily be produced.

There ARE people who think it is 'cool' to use these sorts of devices.
Also people who would perhaps like to do damage to your property using axe-attack, incineration, defenstration, Shotgun, Desert-Eagle or other "suitable means".

HOWEVER, of all these* the USB killer attack is (usually) silent, rapid, inobvious and fatal. It MAY be able to be implemented entirely covertly in seconds. ->
Sit at table opposite or near laptop.
Slide hand with USB killer in into nearest USB port.
Cycle.
Leave.
The device could be precharged - making killing time somewhere under a second from insertion to removal.


*The Desert Eagle or Shotgun is liable to be rapid and fatal.
Silence is not a known feature of either.

  • 1
    This'll kill the computer, but it won't violate confidentiality or integrity. – forest Jan 01 '20 at 12:23
  • @forest True. Answer updated. Thanks. | Whether this aspect is as important to the OP as the data aspect is unknown. – Russell McMahon Jan 01 '20 at 18:44
  • This looks more like a comment on other answers rather than a stand-alone answer. And since other answers have mentioned this, I don't think this is adding to the answers. – schroeder Jan 01 '20 at 23:14
  • You start off saying that there is a difference between a USB Killer and physical destructive attacks, then proceed to explain what physical damage is done by this device. Am I missing something? – schroeder Jan 01 '20 at 23:16
  • @schroeder My point - apparently not clear enough, is made in "HOWEVER, of all these* the USB killer attack is (usually) silent, rapid, inobvious and fatal. It MAY be able to be implemented entirely covertly in seconds." | ie All other physical attacks require overt mechanical destructive force that would be very evident to those close by, and most would not ensure data destruction and may not ensure fatal device destruction without prolonged attack. The USB Killer is not **certain** to achieve either but it is likely to if built as capably as it could be - and can take 1 second to use. – Russell McMahon Jan 02 '20 at 00:04
  • @schroeder Others have mentioned and then dismissed the USB killer. It is not a security compromise method but of all the ways available to have one return to a covertly implemented dead and irrecoverable device it is probably the fastest and surest. || I assume you are the downvoter? Whoever - a downvote means "This answer is not useful". Strange. – Russell McMahon Jan 02 '20 at 00:07
  • @schroeder I looked at your profile. Consider "The best thing in infosec is to crush your hackers, drive them from your networks, and hear the lamentations of their modems." -> If instead of Infosec against users, it's random target destruction and annoyance then I'd say a USB Killer does a fine coffee-shop equivalent. – Russell McMahon Jan 02 '20 at 00:10
  • @RussellMcMahon do ***not*** read people's profiles and use the contents to make snide remarks. – user64742 Jan 02 '20 at 00:39
  • @user64742 I know not who you are (as I assume that that's not your name), but your understanding of "snide" or my remarks seems lacking. That was in no way intended to be snide, derogatory, negative or uncomplimentary. I meant just what I said, and I am somewhat surprised that you can see it as other than intended. ... – Russell McMahon Jan 02 '20 at 05:38
  • ... When I interact with someone significantly it can be useful to see what they choose to tell me about themselves. I looked. schroeder chose to tell me something of himself. It seemed that he would be likely to relate to my 'solution' expressed in terms that he appreciated. | FWIW - [This is 'me'](https://stackexchange.com/users/509441/russell-mcmahon?tab=accounts) – Russell McMahon Jan 02 '20 at 05:40
  • 1
    You appear to have not understood my comments. Others before you have *already* mentioned USB Killers. The text of your answer is about responding to other people's comments about other people's mentioning USB Killers. So, this answer adds nothing new, but is a response to a response. Delving into your own expertise about how you would design such a device does not answer the question. – schroeder Jan 02 '20 at 08:16
  • @schroeder If you look at what has been said about "USB killers" rather than about USB in a security context then: There are 11 mentions of USB in answers relating to security attacks and these may have biased your perception of how much UK's have been dealt with in answers. | In the answers there is a single one sentence reference to "USB killers" in [Conner Mancone's point 3.](https://security.stackexchange.com/a/223487/82697). There is one comment on Conner's answer by Steve Sether, & 2 responses by Conner. All other references are by me. The subject is not otherwise dealt with. – Russell McMahon Jan 02 '20 at 09:26
  • 2
    @RussellMcMahon you don’t need to know who I am. Making a remark about that is rude and unnecessary. – user64742 Jan 03 '20 at 03:15
-2

If the Bluetooth is turned on, attacks like BlueSmack Attack can be performed. If the USB ports are enabled BadUSB attacks are common. This can be possible in case of android device as well if USB debugging is turned on. Main concern is with open USB ports, an attacker can inserts wireless key-logger in the device and can collect keystrokes within the same network.

Kailash
  • 17
  • 4