2

Why I believe this question is not a duplicate: There are multiple questions dealing with the exploitation of a locked computer on this site, but most of the answers are focused on exploiting a non-hardened system in default configuration. I believe that in recent years, with major advances in encryption and hardware+software authentication (secure boot, bitlocker, virtualization, UEFI,...), the threat model for a hardened laptop is significantly different and therefore, I'm reasking this question under the following scenario:

Technical assumptions:

  1. I'm using a modern Windows 10 Pro laptop, with the OS and all drivers updated to latest versions.
  2. Laptop is locked, with following authentication methods: fingerprint reader, strong password, reasonably strong PIN (probably would not survive an offline brute-force).
  3. Internal drive is encrypted with PIN-less Bitlocker, using TPM.
  4. UEFI is password-protected, booting from external drive requires UEFI password, network boot is disabled, Secure Boot is on.
  5. I'm connected to the same network as an attacker (attacker may potentially even own the network).
  6. The laptop has an enabled Thunderbolt 3 port, but before any conected device is accepted, it must be authorized by the user (which should not be possible on the lock screen).
  7. Laptop has a free M.2 slot inside, dis/re-assembly is possible in under a minute.

Assuming I'm sitting somewhere with an attacker, I lock my laptop and leave for 5 minutes, is it feasible for the attacker to gain access to my laptop (either by bypassing the lock screen, or extracting files using some other method (extracting the bitlocker key,...)) before I return, under the condition that I mustn't notice anything suspicious after coming back?

a-n
  • 41
  • 4
  • Does this answer your question? [What are the potential risks of leaving a device in public, but locked?](https://security.stackexchange.com/questions/223486/what-are-the-potential-risks-of-leaving-a-device-in-public-but-locked) – Ghedipunk Jan 02 '20 at 22:30
  • It does not - I'm convinced my assumptions (should) prevent most of the attacks mentioned there. – a-n Jan 02 '20 at 22:33
  • I didn't mean to imply that this would satisfy your curiosity. I am still used to the old automatic message: _"Possible duplicate of $foo"_. That is, even though you think the details are different enough, the first two sentences of the top and accepted answer still applies wholly and completely to this question: If they have unsupervised physical access, it isn't secure anymore. Without physical security, all other infosec measures are moot. – Ghedipunk Jan 02 '20 at 22:38
  • @Ghedipunk This mantra is exactly why I'm asking this question - I've seen it repeated many times, but with numerous changes is the physical security model of laptops in the last few years, I'm not convinced that it fully holds anymore. – a-n Jan 02 '20 at 22:45
  • 1
    That crosses into the realm of new academic research. We can't prove a negative here, as we can't prove that State-Level Actors don't have devices that can plug straight into your laptop brand's expansion ports, get direct north bus or PCI bus access, and inject malware directly into RAM, which gets injected into the boot rom as soon as your laptop is unlocked. If you want an answer more up-to-date than the mantra we repeat here, you want to look at peer reviewed journals and talk to the researchers submitting articles to those. – Ghedipunk Jan 02 '20 at 22:54

2 Answers2

4

What you're describing is an Evil Maid attack. There are a bunch of ways you might go about gaining access in this scenario, but the main one is DMA.

M.2 would give you direct and complete access to the system memory over DMA, assuming that the IOMMU is not configured to prevent this, which it almost certainly will not be by default for a direct PCI-e link. The same goes if you have an ExpressCard slot. One toolset for this is PCILeech, which is capable of dumping the first 4GB of memory from a system without any OS interaction or drivers installed, and all memory if a driver is first installed.

It is also potentially possible if your laptop has Thunderbolt or USB-C, because both of those interfaces support DMA. Generally speaking those interfaces now tend to have hardening features in the firmware and drivers to prevent arbitrary DMA using the IOMMU, but this protection isn't perfect or universal, and there have been some issues (e.g. Thunderclap) that allow an attacker to bypass the IOMMU in some hardware.

What you might wish to do is enable Virtualisation Based Security (VBS) and Windows Credential Guard (WCG), which puts your entire OS in a Hyper-V hypervisor and shifts most of the LSASS service (which caches credentials) into an isolated virtual machine. There are few, if any, toolkits out there at the moment that allow an attacker to recover the cached BitLocker master encryption key from the WCG enclave using a non-interactive memory dump. This also allows you to enable Device Guard and KMCI/HVCI, which should make it exceedingly difficult for an attacker to gain persistence on the system from a one-time DMA attack.

Polynomial
  • 133,763
  • 43
  • 302
  • 380
  • Awesome answer, thanks! Am I correct in assuming that connecting a M.2 PCIe device would require restarting the laptop -> clearing the RAM, which leaves Bitlocker key extraction on freshly booted system as the only viable attack? – a-n Jan 03 '20 at 02:25
  • It's down to the individual hardware and firmware. Usually M.2 hotplug doesn't work on consumer devices, but it is more frequently seen on workstation and server systems. ExpressCard will work because it is designed for hotplug. Spare PCIe slots (including mini-PCIe, like laptop WiFi modules often use) also work on some models if you get lucky. One trick you can do, though, is to sleep the laptop, plug in the M.2 or PCIe card, then wake it up, which triggers re-enumeration without powering down or clearing memory. – Polynomial Jan 03 '20 at 02:30
  • Few more questions: 1. How can the malicious pcie device read memory directly? I thought that all memory access goes through the IOMMU, and OS must explicitly map the requested pages. 2. How does virtualisation prevent the bitlocker key extraction? Isn't the key still stored in memory, just in a different location? – a-n Jan 03 '20 at 14:34
  • In practice the OS does not configure the IOMMU to block DMA on PCI-e devices below the 4GB boundary for compatibility reasons. The device can just ask for those pages to be mappable and the OS obliges. VBS/WCG doesn't *guarantee* that you can't read the keys, it just makes it harder at the moment because it's a new feature and the memory forensics toolkits haven't caught up yet. – Polynomial Jan 03 '20 at 14:45
  • Is it feasible to reconfigure Windows to clear these mappings, given that only PCIe peripherals in my laptop are 1. an NVMe SSD drive, 2. modern Intel WiFi card, or would that violate some part of the PCIe/IOMMU standard? – a-n Jan 04 '20 at 15:06
  • I don't believe it is possible due to the management of this functionality being shared between the firmware, PCH, and OS. – Polynomial Jan 05 '20 at 05:10
2

As with many security situations, "it depends". If you're not a target of a powerful attacker, and your definition of "dangerous physical access" excludes any kind of intentional physical damage (some of which will not be visible to you when you return back), you may be okay. If you are a target, or your definition of "dangerous" includes physical damage, it is definitely dangerous.

To understand the possible threats, you have to define two things:

  • What is considered a threat? You only state "dangerous", but this is very vague. Would someone replacing your laptop with an identical model looking exactly the same dangerous? That other laptop may be configured to send out all typed passwords, which you'd have to type as your fingerprint won't log in; it can also send out the data from your fingerprint reader which would be used to log in into your laptop. This is more of a nation-state stuff, of course. But would putting SuperGlue into the laptop HDMI/USB slot dangerous? Or stealing your hard drive (which will be unnoticed upon return if your laptop is locked with screen off)?

  • Who are threat actors? Powerful attackers such as nation-state might have tools which would be able to dump your locked laptop memory, possibly including the decryption keys (this depends on how you define "locked"). They can add hardware inside which would sniff out important data or interfere with functionality; this could be done in a very short time by a powerful attacker who prepared everything in advance.

Finally, "if bad guy had access to your computer, it is not your computer anymore" has a lot of truth. However "bad guys" differ in their intentions and power. So it is possible that even NSA having your computer for a year won't do anything to it if they decide you're not their target.

George Y.
  • 3,504
  • 2
  • 10
  • 15