Direct Memory Access (Again)
You ask, “Can they really do that?” and you may be thinking “Only in the movies” but all along I would have told you “Yeah, they probably can.” The other day I got confirmation when someone mentioned “HBGary Direct Memory Access tools.” That was enough of a lead to spawn a Google search and soon I confirmed such tools aren’t just in the movies. UPDATE: Much more confirmation from Spiegel magazine now, see my “update” at the bottom of this post.
Of course, if you’ve got great contacts in law enforcement and defense/intel you probably knew that already. But for the rest of us, you don’t have to watch the detectives anymore; there’s a considerably better source for such secret knowledge. I pulled up an old Ars Technica article titled “Black ops: how HBGary wrote backdoors for the government.” This was written in the wake of the Anonymous attack on federal contractor HBGary, which led to a Wikileaks-style puke out of the company’s email data banks. Per the article:
“In 2009, HBGary…partnered with…General Dynamics to work on a project euphemistically known as ‘Task B.’ The team had a simple mission: slip a piece of stealth software onto a target laptop…they focused on the ‘direct access’ ports [PCMCIA, ExpressCard and Firewire] that provide ‘uninhibited electronic direct memory access’…[allowing] a custom piece of hardware delivered by a field operative to interact directly with the laptop [and] write directly to the computer’s memory…The [USB and wifi ports] needed ‘trust relationships’ or relied on ‘buffer overflows’…”
From the email records it seems HBGary wrote multiple exploits including so-called “rootkits,” a type of malware that installs deep in the OS to become undetectable to anti-virus scanners using standard I/O interfaces. The DMA rootkit was the malware of choice on “Task B” because it was thought to have the lowest risk of detection. And it could be used in physical access scenarios such as a spy accessing a laptop left on a desk or in a hotel room. Or not even spy work – this gives new meaning to the Customs officials’ polite (or not so polite) request: “May I see your laptop for a minute, sir?”
The “Black Ops” article points out that HBGary isn’t even a large defense contractor nor is it a company that focuses only on government work. “It’s clear from the HBGary e-mail leak that the military is in wide possession of rootkits and other malware of its own. But the e-mails also remind us how much of this work is carried out privately and beyond the control of government agencies…We found no evidence that HBGary sold malware to nongovernment entities intent on hacking, [but] the company did have plans to repurpose its DARPA rootkit idea for corporate surveillance work.”
Considering that the U.S. is far from the only country with a major cybersecurity program and the likelihood that DMA rootkits and other tools are in private as well as public sector hands, security pros will generally advise that once you lose physical control of a device and it falls into the hands of a potential adversary, you must assume it’s compromised.
Furthermore, while HBGary focused on the Windows space, there’s no reason to assume that other types of devices are guaranteed safe. As I described in the post Trust No One (Device), malware spares no one and nothing. Even Apple iOS – remarkably free of vulnerability-dependent malware in the field so far – has its DMA rootkit equivalents. Just recently a charging cable exploit was demonstrated at Black Hat with the ability to compromise an iOS device. Apple may fix that exploit, but as long as the cybercrime underground thrives and black ops programs continue, there will be more.
Therefore, organizations should take measures to protect the physical security of their devices as well as use tools to protect against malware delivered remotely. Devices containing sensitive data, or used to access sensitive data, should be kept under observation or locked up as much as possible. If a device has been out of your custody and you see other suspicious indicators – such as unusual behavior – consider remediating, reinstalling or replacing that device.
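As an added defender-side check (not from the original post, HBGary or Ars Technica), the following Python audits a Linux laptop for the exposure described above: FireWire or PCMCIA/CardBus drivers loaded while no IOMMU is enabled to constrain what a plugged-in peripheral can read or write. Module and kernel parameter names are the mainline Linux ones; the sample `lsmod` output and kernel command line are constructed.

```python
"""Heuristic audit of a Linux host for 'uninhibited' peripheral DMA exposure.
Added example with constructed sample input; not captured from a real host."""
from dataclasses import dataclass, field

# Mainline Linux modules that expose peripheral-initiated DMA over the
# 'direct access' ports named in the post (FireWire, PCMCIA/CardBus).
DMA_CAPABLE_MODULES = {
    "firewire_ohci": "FireWire (IEEE 1394) host controller",
    "firewire_core": "FireWire (IEEE 1394) core",
    "yenta_socket": "CardBus/PCMCIA bridge",
    "pcmcia": "PCMCIA core",
}

@dataclass
class DmaAudit:
    loaded_dma_modules: list = field(default_factory=list)
    iommu_enabled: bool = False
    iommu_strict: bool = False
    findings: list = field(default_factory=list)

def audit_dma_exposure(lsmod_text: str, cmdline_text: str) -> DmaAudit:
    """Evaluate `lsmod` output and /proc/cmdline text; returns findings."""
    result = DmaAudit()
    for line in lsmod_text.splitlines()[1:]:          # skip the lsmod header row
        fields = line.split()
        if fields and fields[0] in DMA_CAPABLE_MODULES:
            result.loaded_dma_modules.append(fields[0])
    opts = cmdline_text.split()
    # intel_iommu=on / amd_iommu=on turn on DMA remapping; iommu.strict=1 flushes
    # IOTLBs eagerly. Command-line-only is a heuristic: some kernels enable the
    # IOMMU by default, so confirm against /sys/class/iommu on a real host.
    result.iommu_enabled = any(o in ("intel_iommu=on", "amd_iommu=on") for o in opts)
    result.iommu_strict = "iommu.strict=1" in opts
    for name in result.loaded_dma_modules:
        result.findings.append(f"{DMA_CAPABLE_MODULES[name]} driver loaded ({name})")
    if result.loaded_dma_modules and not result.iommu_enabled:
        result.findings.append("no IOMMU on kernel command line: peripheral DMA unconstrained")
    return result

# Constructed sample: a laptop with a live FireWire port and no IOMMU configured.
SAMPLE_LSMOD = """Module                  Size  Used by
firewire_ohci          45056  0
firewire_core          81920  1 firewire_ohci
e1000e                262144  0
"""
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"

if __name__ == "__main__":
    for finding in audit_dma_exposure(SAMPLE_LSMOD, SAMPLE_CMDLINE).findings:
        print("FINDING:", finding)
```

On a real host feed it `subprocess.check_output(["lsmod"], text=True)` and the contents of `/proc/cmdline`; blacklisting the listed modules where the ports are unused removes the exposure regardless of the IOMMU state.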
Recommendations: When traveling to countries where employees may be at heightened risk of state-sponsored espionage, more must be done to protect physical security. Many companies based in Western countries have long had “loaner laptop” policies for travel to China, for example. It’s also important to perform an individualized company threat assessment, develop policies and procedures for travelers, and provide relevant user awareness training.
UPDATE: Since this post was first written in September 2013, it seems that earlier news of government contractors like HBGary hacking on Windows and Systemation shipping iOS hardware exploits for iPhone just gave glimpses of what is in fact a rabbit hole that goes much, much deeper. As of 12/29/13, Der Spiegel released leaked information on NSA’s Tailored Access Operations (TAO) and ANT divisions, which have developed large catalogs of hardware and software exploits for PCs, phones, routers and even firewalls of both U.S. and non-U.S. vendors (who generally deny cooperation with or knowledge of the exploits). As if that wasn’t enough, today the Washington Post wrote “NSA seeks to build quantum computer that could crack most types of encryption.”
It seems the recommendations I wrote above don’t go far enough. With the militarization of security, enterprises and individuals have to assume that the NSA (and to a lesser extent defense/intelligence agencies from more than a dozen powers) have the capability to infiltrate most hardware or software-based security mechanisms. While this has long been common wisdom among security pros, what’s shocking about recent revelations is how easy and routine it must be for state security operatives to exercise capabilities that look like black magic to the rest of the industry. It’s also significant that the extent of state security capabilities is now more or less common knowledge, and we (private industry and individuals seeking to preserve any sense of privacy and security in the world) will be expected as a matter of due diligence to deal with it. We’ll have to think deeply about how to adapt our assumptions and practices to these new realities.