Backdooring Linux Full Disk Encryption For Remote Forensic Password Recovery - Tom Cope

right hello everyone uh today we're going to be covering well every title has to have a really long and like fancy title so I won't Mo old made mutri Factor the limits for this contion for for pass recovery because I thought that would get enough in the room I think it might have worked I to turn on my Hotpot for later

[Music] okay so first the classic hello world hello my name is Tom you can visit the amazing.com I work in cyber security for about 12 years and this is my third time turning to because I've been informed it's amazing stake I think it is uh I'm got NY in software security and voting various firms I used to have part-time security researcher at the bottom here I've now put very part-time security researcher I haven't had CP in quite a while uh mostly working and writing celebrating tools on the weekend um what are we going to be covering here we're going to be covering lots of bits of box we're going to be covering the uh e m

attack we can talk about bios we talk about the the next Bo process for this incription trust platforms to be put everything together to Sunrise all these points um why are we doing this because I think there's lots of cool Concepts here by a lot of smart people isn't particularly common knowledge I just kind of want to bring all these things up to you explain them what they are why you should care about them and why all of them have a bunch of weird qus in them and as you all know in the security profession It's the weird qus of what's actually interesting uh so first refresher what is the evil ma attack raise your hand as

you've heard of it before okay so I did Pit this at the right Point fantastic uh so this is refers to attack of a usually powered off untain device this is the classic I lose my laptop on the tube what we get away with the coin the term was coin a very long time ago at the blog called goes against TR which is the idea of you leave your true cryed device in your hotel room something comes into M what get away with and again talking about t bios ction Etc which is what we talk about here also related is the cold boot attack raise your hand you heard that one yes same again as this is talking about how

is running and spraying down round chips [Music] cold cool so this is my laptop I'm on lunch please do not tample with it um but of course we're talking about a device that is powered off so that's better this is the kind of device we going to be talking about today uh so refresher bios the basic system we all kind of know this but just to highlight the series of steps that you need to go through to ter Compu pushing the power button going through the process initializing Hardware going looking [Music] at I put here [Music] inial this process is kind of what we're all familiar with ra your hand if you're not familiar with

[Music] this so bios is kind of dead we've got ufi which is the new thing who knows what it sounds for it sounds for unicorn Enchanted fairy interface because no one seems to really know what it is everyone just kind of switched over to it um hopefully when you walk away from this talk you'll know that it stands for the unified extens of firm interface and hope more things uh so how does the process change so instead of rooting into files you into Ubi and instead having to search a hard drive for a master group Rec which is on the specific size right at the start of the disc we now have support for the fat file system fat 16 and fat

32 I believe uh so now we be um youf actually read that file system on the this and we go off of Hardware get NV Ram to understand what things it's trying to look for in that fat fire system and then instead of leing a la set SI you have these things EFI execut which are you traditional labor can also be a shell can recovery and then we go through [Music] uh so with that in mind if someone that has physical access to your computer what can they tle with so first we're going to highlight those kind two sections this says the firmware side there everything on the disc and these are things that they can't really tackle

with really um how about power button initialization is more just a general process but like these are all things that the can tample with which is is a fair amount so think about how we're going to secure this and really the first thing we going to talk about is securing everything on dis so how we this full this who here has forest incription in their business and in their Enterprise I was hoping for a lot more hands um okay so that's all about that we've got windows we got bit Locker we've got Mac with f vol2 and have self d s um out of all of them they're all bit weird um touch on if you're using a Mac with

T2 chip your devices crypted out box and if you read the hardware specification for the t2 chip very interested in logarithm about how many atts you can make and after a certain point the S just says 150 sh who just refuse to work anymore which is an interesting Ser future and self encryption drives see a lot of data centers um we going talk about spls with set up L uh so L stands for unified L unified setup the standard for dis encryption um jasonator there one master encryption key for RS for the entire list and there seven different key SLS which is a nice thing because what you can do is you have eight different passwords way to

unlock a Max device um so don't have it also has Network made with encryption which is something Red Hat devices where you can make the device automatically unlock itself when there a present on the network and when you just move from that Network by taking outside your Cor refuses to beat which is really nice devices and also different also con antiicing which is when the password is split into different per dat spit into different chunks on the hard disk so when you try to erase it like a secure erase process of put Zer it makes it hard to if thatas process doesn't successfully or get off way it still most enough materials the one thing I really want to

highlight in this istion key is only generated after Dev device it is never changed it's never rotated and it's actually very difficult to intend to rotate it which we're touch on lateration here's an example my laptop you can see it's using as it's using [Music] disabled I blurred everything out so I don't want to show you my encrytion p uh cool so who here thinks full dis encryption encrypts the whole [Music] dis yes it doesn't which is what I want to kind of highlight here which is just a very strange Quirk of of so this is Endeavor you can see is it highlighted by Gart that the full this in this case is actually ined SL is SW swap

unallocated space um this is because uh for aring Solutions um the ENC hold this and the good loer which in this case is grub has support to these Lux devices and then it's actually is UN that this un [Music] process however most other Li which in this case I'm talking about B Li they don't do [Music] this unlocked access uh this is a very approach [Music] this for say this is something I look at um refresh the unit round file system in file system uh it uses the cpio format it's actually very strange um it it's three cpio bundled um packages all stuck together and then only one of them is compressed and if you running through BW

you'll find that it doesn't quite understand what's going on and um there's a lot of fun discussion if if you're bored and have some time this is something toog um why does it use the system basically creat at the time so I never ever ever to T in please know you something else so they said that CP has a nicer file format and be more appropriate easier to and it contains a file syst a of tools initialize other devices connected initial device M process overation strips also contain something spash screen fancy animations and USR devices most importantly they can be us pass disc pass and then unlock that device which is in is one ofes uh cool so we've implemented for

disc successfully so you can take that off the list we can now talk about protecting firm uh so trust Computing TPM two versions 1.2 and 2.0 probably SE the windows 11 Microsoft very heavily pushing TPM platform because act as a of trust and as we talk later in these slides can provide you some very good security insurances device securely and interestingly it has been described as a hardware solution for software problem which is something that I will keep in mind for this it is it is designed you should not think of it as a piece of Hardware you should think of it as another software application that isun in a trusted environment which just happens to be

Hardware trust device software which is design storage is not a Hardware security module and talk really about that so things to highlight uh is not a hard security module yes these things can still crypto Keys very securely but if you really to you can if you're toes to your entire State uh it uses [Music] Lo CPU these are not secure interfaces and the tpn 1.2 standard basically says I will talking plain text over these wires and as you will see in the next slide you can grab any encryption Keys any data off these wires very easily the point standard does have a little bit ofy exchange between TPM CPU set line transer but this is an important quot

that you should and you can also get TPMS in like this you also get eded within your CPU which in most cases they're not any wires you pick data off so these are considered the more secure options however those are made by Intel and AMD whether you trust them in their CPUs as option maybe you getting TPM and the question is do you trust and I don't if you remember while ago manufactur ships for all of the had a work in their RSA generation algorithm which short period um and then they have get reissu so you know [Music] Che yeah so there's a particular video I recommend looking at by Smash tring which is very good which is basically

saying 37 seconds with the off off and take a fully encrypted B Lo laptop from being fully encrypted to fully um this is how isig by Microsoft by default on every class with a TPM only protection and if you go all the way to the bot mof documentation they say a very very very skilled attacker would be able to bypass this conection in this particular manner it's not that hard for the

your computer you have to enterp verification Val [Music] and let PCR values aat configuration register and these are R sections of TP which you can [Music] dat can't be

reset and they design to different sites and what it means is you can ask the TPM to say hey can youer me cryptographically values of your pcres and over the network you can verify that that digal signature to confirm the state of TPA and things that you could be measuring with those TPM are firware and so you have a secure chip in your computer with you can get these particular values measurements of various systems likew of your computer and search cryptographically the um so this is this is but this is the IDE begin SEC Bo the idea TPM write down C sat devices and then secur um digal sign that um and then what you also do as an NA layer of this

is you take your piece of information and tell the TP to seal it to cry that against the value of these pcrs and the Practical upshot of that means you can take something like thetion password seal it inside the GPM and say the TPM only unlock this this encryption password when I have confirmed all the firmware and all the state of system is correct it has been and this is the fundamentals behind security cool so let's kind of put this all together so in a perfect world and in most cases how process work so turn on the computer mod starts up TP comes online everything the hardare is initialized TVs the firmware and sends that to the

gpn and says okay here it is generates a sh for it process happens UI file and then reads whatever UI also sends TP check signature of run it again and then you take the measurements of the colal and and system so that's the TPM up counter and then finally when say okay I need that say okay all my PC values are set particular points is valid or unblock it I send it to you and then you can operate it's all secure and then if any point of you tle with you change PCR values and then [Music] it's pretty [Music] cool how does it work in the real world in the real world things are a

little bit more messy um if you're running a lot a lot of cases SEC is just turned off people's laptops because depending what you're running and the way it sounds this is heav FS Microsoft Microsoft they are shared with other companies and you can go through the process to um to implement your own [Music] usually for Li there's this very interesting tool called the shim which is made by red hat which signed by Red Hats and by moft and what this basically means is you complete the full process normal until you get sh and the sh will then just execute tree

usually everything else so this is kind of where things start to start to break down uh so that in fire system I finished it quite a few times I've just told you is not protected by by process so it's a very good Target for thre actor how impct well we can just walk into to somewhere where the laptop is turned off we can pug in some kind of can boot off that we should Mount underline this pull apart ground file system change a bunch of those files on this slam it all back together take about 30 seconds and the process will look like something like this and um so first thing you want do is is uh try and clone uh the access to

the room get into the room pull out their hard drive you can use something like to um this something like form plug that M soot off it we're going to imagine that you have image this person computer aftering this process and we're going to run an automated script which is going to update that INR file system so here I am of pulling it apart there a tool for this UN in a ground file system which weing apart for you and we're going to now edit the uh hook of the INR deals with the cryptography of the Sy uh I like to put this here which is my paral state right in this presentation as a marker to say where I

have started making my edits uh so now when I run the boots process I have this and I know oh this is where I can start making all of my changes um could anyone highlights me what the problem with this piece of code is something that might seem a bit suspicious I added to it anything we have place

[Music] yeah yes there's that one line that I've added just there which says go get interactively the distri pass and then save it to 10 and then unlock the this so this is just this is the literal bit of that's actually unlocking system seing the password and next up going to edit the file the basically man is the the splash screen and within that we're going to have a bunch of stuff the first thing we're going to do is remount theot file system to make it reite um so that we can in the process of booting access the final dis we're going to then copy that password that I just so going to slash it into files to as SL password and then

we're going to set up a Syd unit which is going to have that password send over to my server and remove it so we can do this open the network and then we're going to use this syit for Network online so what this means is once this is all injected into system syst will just wait for your computer to have network access before activating this unit and then we start it so on the laptop this is really handy it just means the next time it comes online that's what I AC to V and finally we add a little to say I would like you to start this target b is do this on Bo and we're going to start listener on

some random server M and then we're going to wait so the person will take this laptop away from the hotel room after it's being infected um the next time they um type pass so inur through process and then wa for the laptop to have network connection and then once it successfully has a network connection bam you see the password very secure password a little bit longer but I love that password dearly um it's not the password of this device I promise uh so now we have the password um we can take that have that distance from from quite a while ago and then we can decrypt it and access all the device on there we don't need access to them

they're the world the interesting thing about this is we now dump the Lux Master ention because all you need is any valid password and because that encryption key never changes what this means is at later date it change this incription password or if thaty is rotated V or laptop is s just use that effici to access their data so things just keep in mind that for for Lux for Lux devices once they put crack they stay cracked have to completely re to that I'm now going to attempt

I

[Music]

[Music] I'm not [Music] myself for

[Music]

so I'm St add on my server

[Music] and there it [Music]

[Music] is uh so from this hopefully this has a few of you in the room consider um the best way to imp is to use true with a correctly TR system Mac [Music] already correctly and you have prob different CS I've talked about around tpn correctly Lo and Fleet this is also all of this is support see here you can these things it's just set go through maybe is worth it um you can also there a very good f you is prevent someone from just opening the laptop pluging in and ask to that and then if you're really fancy you with a compy like and have a whole system you can um buy one of their laptops pluging their

version of the into the the laptop and it will go through the whole core T measurement process so um most and that flash lights to say laptop hasn't been and then you continue process it's very cool they've done a lot of work specifically around this problem yeah thank you very much listen any [Music]

questions so yes and you your Ser just have Ser that I'm you could have you could have all of this figed on memory 15 people's rooms just this process I'm doing this just for because it's very easy [Music] the same can be done as well if their process hasn't been [Music] as other [Music] [Music] questions and El thank you very much