BIOS Password, Problematic Interfaces, Screen Lock, Virtual Consoles, Login Screen, Side Channel Attacks

Introduction[edit]

Physical attacks require adversaries to have direct access to a user's computer and cannot be conducted remotely. This section should be read in conjunction with the Full Disk Encryption and Encrypted Images chapters.

BIOS Password[edit]

The instructions in this section refer to BIOS or legacy BIOS. Users with UEFI firmware should research specific instructions for their computer.

The Basic Input/Output System (BIOS) is non-volatile firmware which performs hardware initialization during the computer's booting process after it is powered on. It also provides runtime services for operating systems and progams. BIOS in modern PCs initialize and test system hardware components, as well as loading a boot loader or operating system from a mass memory device. The Unified Extensible Firmware Interface (UEFI) is the successor to BIOS that was released in 2011. ^[1]

All local settings are stored in BIOS, including power options, boot options and memory information. The BIOS menu allows the user to set and change a boot password for the computer upon startup. An administrator password can also be set to prevent others from changing BIOS settings. To set a BIOS boot password: ^[2] ^[3]

Turn on / restart the computer.
Press the relevant key to access the BIOS menu. It is usually one of: Del, Esc, F2, F10, or F12.
Navigate to the Security or Password section using the arrow keys.
Search for an entry named "Password on boot" or similar.
Enter the new, strong password.
Save the changes made to BIOS settings. On most PCs, this is done by pressing Esc or F10 → Save and Exit. Check the bottom of the BIOS screen to be sure.
Reboot the computer and confirm a password prompt now appears.

For greater security, a password should be set to access the BIOS menu itself. Search the Security or Password BIOS menu for "Set supervisor password", "User password", "System password", or something similar. ^[4] Also, users may prefer to configure BIOS to only allow booting from HDD/SSD so the computer cannot be booted from CD-ROM or USB flash drives.

It should be noted that there are numerous methods of bypassing, removing or resetting BIOS passwords, so this method will only prevent casual attempts to gain access.

Cold Boot Attacks[edit]

Check Cold Boot Attack Defense Section.

Evil Maid Attack[edit]

Check Anti Evil Maid Section.

Problematic Interfaces[edit]

There are a number of computer interfaces that pose the risk of a direct memory access (DMA) attack. Potentially exploitable interfaces include ExpressCard, PCMCIA, FireWire, PCI, PCI Express or Thunderbolt.

High-speed expansion ports allow attackers to penetrate computers and other peripherals because the connected devices have direct hardware access to enable maximum throughput.

In practice, attached devices are permitted to read and write directly to memory, often without supervision of the operating system. This is in contrast to user-mode applications that are usually prevented from accessing memory locations that are not explicitly authorized by virtual memory controllers. ^[5]

A successful DMA attack on an unattended, live computer allows the adversary to: ^[6] ^[5] ^[7] ^[8]

Access sensitive cryptographic material in memory.
Circumvent FDE.
Inject executable code.
Partially or fully read the memory address space.
Read documents, files or other digital traces present in memory.
Take control of the entire system, for example via the network.
Unlock screensavers without a passphrase.

DMA attack software tools which mimic the abilities of state-level adversaries are even available on GitHub! ^[9] Mitigating the threat of a DMA attack requires mostly physical security countermeasures; it is recommended to:

Consider blocking or removing them completely.
Disable them in BIOS or UEFI.
Never allow unknown and potentially malicious devices to be inserted into these ports. ^[10]
Securely configure these interfaces.
Use IOMMU technology if available, along with software which supports it, like Qubes. ^[11]
Use Linux kernel options to disable DMA by Firewire devices. Package security-misc is installed by default and implements this, see also package description).

Screen Lock[edit]

If a computer is left unattended, always lock the screen of the host or shut it down for greater safety.

Locking the screen on the host prevents others from viewing or using the device. It is advisable to set the screen to lock after a certain period of inactivity, and a strong password is recommended. Note that screen lockers provide notoriously weak protection, so do not overestimate their effectiveness. ^[12]

To manually lock the screen: ^[13] ^[14]

Linux

Menu panel → Lock Screen.
Shortcuts are specific to the desktop environment in use, for example, GNOME, KDE, Xfce and so on.

Recommendations:

Do not enable Alt + Crtl + Backspace to kill the X Server. Do not disable DontZap in Xorg configuration. ^[15] ^[16]

Sleep Mode[edit]

Best avoided unless a screen lock is being used. See also above.

Virtual Consoles[edit]

Do not forget to lockout from other virtual consoles after use. ^[15] ^[17]

Login Screen[edit]

Host versus VMs:

Host operating system: A login screen can be useful if the user wants to protect the login.
VMs: It is not very useful to enable a login screen inside VMs. If the host operating system (OS) is ever compromised, then any VMs it hosts are also effectively compromised. Therefore, if anything, it is much better to lock the host screen. See also Screen Lock.

Note:

Login, yes: A login screen only protects the login.
Encryption, no: A login screen does not provide Full Disk Encryption (FDE)!

A login screen can be provided by a login manager. For example, LightDM is the login manager used by default in Kicksecure.

Kicksecure is configured by default to autologin. Hence, no login screen will be shown by default.

To enable a login screen in Kicksecure, it is required to disable autologin. For instructions on how to do that, see disable autologin.

Side Channel Attacks[edit]

Kicksecure does not provide protection against most side-channel attacks.

Side-channel attacks are made possible by physical effects caused by cryptosystem operations (on the side) which provide extra information about system secrets like cryptographic keys, state information, or full/partial plaintexts. Wikipedia defines side-channel attacks as: ^[18]

...any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system.

Side-channels emerge because computation takes place on a non-ideal system, composed of transistors, wires, power supplies, memory, and peripherals. Component characteristics vary with the instructions and data that are processed, allowing measurable variance to be used by attackers. ^[19]

Table: Primary Side-channel Attack Classes ^[18]

Attack Class	Description
Acoustic Cryptanalysis	Sound produced during computation is used for attacks.
Cache Attacks	Attackers monitor cache accesses made by the user in shared physical systems like virtualized environments or cloud services.
Data Remanence	Sensitive data are read after supposedly being deleted.
Differential Fault Analysis	Secrets are discovered by introducing faults in a computation.
Electromagnetic Attacks	Leaked electromagnetic radiation allows attacks that can provide plaintexts and other information. Cryptographic keys can be inferred via this method; for example, see TEMPEST.
Optical	Secrets and sensitive data are read by visual recordings with a high resolution camera, or other devices.
Power-monitoring Attacks	Attacks use measurements of varying hardware power consumption during computation.
Software-initiated Fault Attacks	Row hammer is an example of this attack, whereby off-limits memory is changed by rapidly accessing adjacent memory, leading to state retention loss.
Timing Attacks	Attacks are based on measuring how long various computations take to perform, such as the attacker's password compared to the user's unknown one.

While Kicksecure has some limited countermeasures to side-channel attacks, in general it cannot provide protection against most classes, nor hardware keyloggers, TEMPEST, miniature cameras and so on. Full disk encryption is also helpless against these attacks.

For further reading on this complex topic, see here, here and here.

Hardware[edit]

Threats[edit]

Hardware implants.

External:

https://hak5.org/products/lan-turtle

Internal:

https://github.com/ufrisk/pcileech

Footnotes[edit]

↑ https://en.wikipedia.org/wiki/BIOS
↑ https://web.archive.org/web/20220803213740/https://www.techwalla.com/articles/how-to-change-the-administrator-password-in-bios
↑ https://web.archive.org/web/20210430031204/https://www.intowindows.com/how-to-set-bios-or-uefi-password-in-windows-10/
↑ If the system has both a supervisor password and a user password, then set passwords for both.
↑ ^5.0 ^5.1 https://en.wikipedia.org/wiki/DMA_attack
↑ https://louwrentius.com/firewire-the-forgotten-security-risk.html
↑ https://privatecore.com/resources-overview/physical-memory-attacks/index.html
↑ https://web.archive.org/web/20170427144955/https://www.delaat.net/rp/2011-2012/p14/report.pdf
↑ This is not an endorsement for the use of hacking tools.
↑ This is another reason why high-risk users should never leave their devices unattended.
↑ IOMMU maps device-visible virtual addresses to physical addresses. The security benefit is that devices that are passed through to guest virtualized machines -- AppVMs in Qubes -- are unable to access the host's physical memory. This makes DMA attacks against the host very difficult and can lead to memory corruption if attempted. Qubes OS automatically uses device passthrough to isolate USB controllers and network devices from the host, thus helping prevent these and other attacks. An IOMMU may also prevent DMA attacks from host devices (not passed through to a VM), although this is not necessarily guaranteed to work in all situations. See https://security.stackexchange.com/questions/176503/dma-attacks-despite-iommu-isolation
↑ Attacks that have bypassed screen lockers on most platforms can easily be found online.
↑ https://www.isunshare.com/windows-10/3-ways-to-lock-windows-10-computer.html
↑ https://swissmacuser.ch/new-lock-screen-feature-in-macos-high-sierra/
↑ ^15.0 ^15.1 https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128
↑ Quote xscreensaver FAQ:

Backdoor #1: Ctrl-Alt-Backspace
This keystroke kills the X server, and on some systems, leaves you at a text console. If the user launched X11 manually, that text console will still be logged in. [...]
↑ Quote xscreensaver FAQ:

Backdoor #2: Ctrl-Alt-F1 , Ctrl-Alt-F2 , etc.
These keystrokes will switch to a different virtual console, while leaving the console that X11 is running on locked. If you left a shell logged in on another virtual console, it is unprotected. So don’t leave yourself logged in on other consoles. You can disable VT switching globally and permanently by setting DontVTSwitch in your xorg.conf, but that might make your system harder to use.
↑ ^18.0 ^18.1 https://en.wikipedia.org/wiki/Side-channel_attack
↑ http://rootlabs.com/articles/IEEE_SideChannelAttacks.pdf

License[edit]

Kicksecure Protection Against Physical Attacks wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Kicksecure Protection Against Physical Attacks wiki page Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos(at)kicksecure.com (Replace (at) with @.)Please DO NOT use e-mail for one of the following reasons: Private Contact: Please avoid e-mail whenever possible. (Private Communications Policy) User Support Questions: No. (See Support.) Leaks Submissions: No. (No Leaks Policy) Sponsored posts: No. Paid links: No. SEO reviews: No. >
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.

Kicksecure

A secure by default operating system with the latest security research in place.

Dark mode

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

[1] ttps://en.wikipedia.org/wiki/BIOS

[2] ttps://web.archive.org/web/20220803213740/https://www.techwalla.com/articles/how-to-change-the-administrator-password-in-bios

[3] ttps://web.archive.org/web/20210430031204/https://www.intowindows.com/how-to-set-bios-or-uefi-password-in-windows-10/

[4] If the system has both a supervisor password and a user password, then set passwords for both.

[DMA_attack-5] 5.0 ^5.1 https://en.wikipedia.org/wiki/DMA_attack

[6] ttps://louwrentius.com/firewire-the-forgotten-security-risk.html

[7] ttps://privatecore.com/resources-overview/physical-memory-attacks/index.html

[8] ttps://web.archive.org/web/20170427144955/https://www.delaat.net/rp/2011-2012/p14/report.pdf

[9] This is not an endorsement for the use of hacking tools.

[10] This is another reason why high-risk users should never leave their devices unattended.

[11] IOMMU maps device-visible virtual addresses to physical addresses. The security benefit is that devices that are passed through to guest virtualized machines -- AppVMs in Qubes -- are unable to access the host's physical memory. This makes DMA attacks against the host very difficult and can lead to memory corruption if attempted. Qubes OS automatically uses device passthrough to isolate USB controllers and network devices from the host, thus helping prevent these and other attacks. An IOMMU may also prevent DMA attacks from host devices (not passed through to a VM), although this is not necessarily guaranteed to work in all situations. See https://security.stackexchange.com/questions/176503/dma-attacks-despite-iommu-isolation

[12] Attacks that have bypassed screen lockers on most platforms can easily be found online.

[13] ttps://www.isunshare.com/windows-10/3-ways-to-lock-windows-10-computer.html

[14] ttps://swissmacuser.ch/new-lock-screen-feature-in-macos-high-sierra/

[screenlocker-security-forum-discussion-15] 15.0 ^15.1 https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128

[16] Quote xscreensaver FAQ:

Backdoor #1: Ctrl-Alt-Backspace
This keystroke kills the X server, and on some systems, leaves you at a text console. If the user launched X11 manually, that text console will still be logged in. [...]

[17] Quote xscreensaver FAQ:

Backdoor #2: Ctrl-Alt-F1 , Ctrl-Alt-F2 , etc.
These keystrokes will switch to a different virtual console, while leaving the console that X11 is running on locked. If you left a shell logged in on another virtual console, it is unprotected. So don’t leave yourself logged in on other consoles. You can disable VT switching globally and permanently by setting DontVTSwitch in your xorg.conf, but that might make your system harder to use.

[sidechannel_attack-18] 18.0 ^18.1 https://en.wikipedia.org/wiki/Side-channel_attack

[19] ttp://rootlabs.com/articles/IEEE_SideChannelAttacks.pdf

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

Protection against Physical Attacks

Contents