DEF CON is one of the largest, (if not the largest), hacker conferences in the world. Held over four days every August in Las Vegas, DEF CON is now in its 24th year and is bigger, better — and scarier — than ever. Our Senior Malicious Detection Researcher, Eric Watkins, participated again this year and provided a great multi-blog brief; giving us a glimpse into the very real, and scary, threat vectors coming out of the hacker world today.
DEF CON 24 – Day 2: Witchcraft, Unicorns and Leeches…oh my!
Friday morning I attended a talk on the Witchcraft Compiler Collection. This author determined that it was possible to link and executable as a library. The practical ramifications of this are that the individual functions of the executable can be run by the end user at will. So if the programmer has a function called EndUserProvidedPasswordReturnUnicornsAndRainbows you can skip pass the password validation section of code and get right to whatever functionality was password protected. Using his suite of tools you can also enumerate all the exe’s functions, and then link it into your own program and call the functions anytime you want.
The next talk I attended on Friday was about a new physical attack called the PCILeech. This hardware is inserted into a laptop or desktop to quickly(~150MB/s) read and write from memory using DMA over PCI Express. Once inserted the controlling program dumps gigabytes of memory in seconds. After this, shells can be spawned, authentication bypassed and full disk encryption defeated. The wide variety of hardware and OS that this attack was demonstrated to be functional is pretty amazing. Most notably the iOS Thunderbolt bus appears to have an adapter that allows the PCILeech to be inserted into any Apple device with a Thunderbolt port. I ordered this hardware on Amazon shortly after hearing this talk, and I am very interested in testing it out in the lab environment to validate its ease of use and functionality.
The Samsung Pay talk was well attended due to its high visibility and slightly volatile content. The room was bursting at the seems, and we had to wait a bit to get in. The content itself has already been challenged by Samsung. This talk had lots of good sample video but the people in the videos were speaking a foreign language which made it hard to follow. In the end, a vending machine dropped the product and the talk concluded. The war of words between Mendoza and Samsung will no doubt continue.
The Malware Command and Control (C2) talk was riveting given my current activities at zvelo. I was surprised to learn how much of the talk I already understood at a conceptual and functional level. There were some details I wasn’t aware of about an obscure variant of malware but the basics of C2 itself stand unchanged. Disrupting the C2 channel is where much of the “Kill Chain” conversation these days is focused, so many of the concepts introduced here were old news. I did like his idea of turning the tables on the attackers and using the C2 channels to go on the offensive and disrupt C2 comms between the client and control networks.
Friday’s Big Takeaway:
The PCILeech tool is a game changer in the fight for personal privacy and physical hardware security. Its safe to say that with all the talk about encryption issues with the feds and Apple in the news these days that the PCILeech is going to become a weapon in the Fed toolbox for accessing the machines of people they investigate.
The previous state of the art and last line of defense against either someone who stole your computer or the Feds themselves was Full Disk Encryption (FDE). The theory here is that if the Feds busted in on you and stole your hardware, the Trusted Platform Module on the motherboard, together with an encrypted partition on your hard drive, would act in concert to keep the machine from booting without your super secret hard drive. The encryption would keep your data safe and secure from someone removing the hard drive to mount it elsewhere and view your data.
PCILeach is a physical attack on the PCI bus itself that downloads all of the contents of the memory of a machine. This allows the attacker to insert arbitrary code without any barriers, which allows them to remove passwords, start shells and many other attacks. While the attacker does have to have physical access to the machine, once they have that they can bypass almost all current hardware security methods to access your data. Additionally, since the drive is decrypted on boot and secured on shutdown, should this attack occur while the machine is still running, FDE security methods can be bypassed because the currently logged in user is trusted.
Prior local physical attacks involved mounting the hard drive on another machine, or using a CD to boot another OS. The attacker could then use their OS to mount the drive, erase the password and reboot. Linux and Windows tools for just such this task have existed for some time. Prevention methods involved ensuring that the CDROM drive wasn’t in the boot order and security BIOS with a password. This new attack bypasses any need to boot a CD, remove drives and access BIOS.
The one prevention method for this attack appears to be enabling IOMMU/VT-d, provided that the OS and hardware/BIOS have support for it. Another prevention seems to be the lack of support/availability of machines with CardExpress interfaces. The fact that new Thunderbolt interface exposes the PCI bus and is becoming more available may make this attack more successful.
Next week: HackFortress or “All Your Base Are Belong To Us” Day.
About the Author
Eric Watkins is our Senior Malicious Detection Researcher and he brings 20+ years of combined information security and IT experience to zvelo. When not haunting DEF CON, Eric leverages his deep knowledge in Information Security by utilizing an extensive background in research, engineering and IT security architecture. Additionally, his unique perspective in penetration testing and IT security audit experience to validate website threat vectors will further enhance zvelo’s malicious detection services.
