Discussion:
BIOS attack
j***@tutanota.com
2018-02-02 18:40:10 UTC
Excuse me - I have joined this group to discuss what may have been a 'high end' BIOS attack.
I am presuming that this group contains the most knowledgeable people.
I need that.

While the scenario outlined below is very 'Grand Jeu' I will not be at all surprised to learn that you believe this to be a hack.

---------------------------------------

This is exactly what happened:

Laptop circa 2011 (bios date)
AMD DCP C-50
Tails 3.5 loaded from a USB drive

At a friend's - laptop on the table in the kitchen (pre-arranged over the phone).
Workmen are doing jobs.
(The IP box can give the WiFi connection at the press of a button)  ;)

A LibreOffice doc saved in the session - other docs saved on a mounted removable drive.

One worker comes in the kitchen - he starts tapping away on his mobile (just 3 meters away).

Note - he has no need to be in the kitchen to get a signal - the walls are thick, so outside would be better (if you don't have the wifi code).

He makes a final tap, and walks... and my PC shuts down.
Some code appeared, but it shut down.

Obviously it could be coincidental; but I'm sick of frigging coincidences.
The shutdown was simultaneous to his final tap on his mobile.

---------------------------------------------

Post reboot - no apparent problems, other than it seemed to take slightly longer to log into accounts.
I carried out my communications.

A day later, I posted an email to tails-support-***@boum.org (on this question).
I received no reply.

Researched BIOS attacks, and checked my BIOS version.
https://www.schneier.com/blog/archives/2015/03/bios_hacking.html

Talk of:
"Their exploit turns down existing protections in place to prevent re-flashing of the firmware, enabling the implant to be inserted and executed.
The devious part of their exploit is that they've found a way to insert their agent into System Management Mode, which is used by firmware and runs separately from the operating system, managing various hardware controls. System Management Mode also has access to memory, which puts supposedly secure operating systems such as Tails in the line of fire of the implant."

Also:

"The method used to get at the BIOS then allows the likes of GCHQ et al to get at other modifiable ROM in the likes of HDs, Sound Chips, Network cards and other "below the OS" areas.
Having done this they can then put the main BIOS back the way it was, so that it's harder to find what they have been up to."

---------------------------------------------

Rebooted to Tails.
Tails warns: can't check for upgrades.

Tutanota mailbox warns: Couldn't connect to server - it seems like you are offline.
But I was online, and could see my mailbox.
---------------------------------------------

First thing is:
Have you received this mail?
Could someone respond, to confirm this?

Does it seem likely that I have been hacked?
Is there any way of knowing eg. running tests?
If it has been hacked - is the laptop now unusable?
If I was hacked - have they got everything that I've done since that point (and the data off my drives)?

I'm cool either way.
What's done is done; but I'd rather know.

BTW, I tried to get a riseup email, but it kept demanding an invite code.
Anyway, I figured that I first need to check with you guys re my current status, before doing anything else.

Thanks :)

--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com
Tobias Frei
2018-02-02 19:12:27 UTC
Hey,

Disclaimer: I am a regular user, not a security expert. I am not a
developer in this project, I'm subscribed to the list because I ran a Tails
mirror for some years.

Three things that came to my naive mind when reading:

- Cui bono?
- Hanlon's Razor
- Number of users vs. Coincidence

Is there any reason for an attack? Does the specific worker have any
theoretical reason to be malicious here?

Also, when a product is used by a billion people, a bug with a probability
of "only 1:1000000" will occur about 1000 times. Extremely unlikely
scenarios can suddenly actually happen when many people are using the same
software. It is almost guaranteed that somewhere in the world, an
earthquake will occur in the moment someone starts their computer. The
computer, however, did not cause the earthquake to happen.

There is a wonderful book called "Spurious Correlations". It makes fun of
exactly this problem.

Best regards
Tobias Frei
_______________________________________________
Tails-dev mailing list
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to
j***@tutanota.com
2018-02-02 20:50:07 UTC
Thanks Tobias,
It is always good to know that contact has been made.
What a shame that it is not likely to be one of those scenarios that you outline :(

I do accept that it could be a bizarre coincidence, but.....

"While the scenario outlined below is very 'Grand Jeu' I will not be at all surprised to learn that you believe this to be a hack."
----------------------------------------

This must be taken seriously.
I haven't carefully crafted the email to waste people's valuable time.
There is every reason to consider the event as a realistic scenario.

It may not be.
That would be great.

My problem is that, like most people, I never studied digital security.
I'm having to catch up; but I can't - it's too complex.

I got Tails, and some secure mailboxes.
However, with hindsight, logically, this is merely a security layer to be overcome.

Anyway, my guess is: that is what happened.

For a variety of reasons, it would be useful to know.
Even if we can't run tests.

Can such a hack be implemented with a mobile phone?
Is the laptop in all likelihood lost?

Are there any devs that can answer these questions?

I'm one of the good guys.
I'd appreciate some help on this :)

Tobias Frei
2018-02-02 22:24:40 UTC
Hi,

"in all likelihood": When you hear hoofbeats, think of horses not zebras.
;)

https://en.wikipedia.org/wiki/Soft_error

Best regards
Tobias Frei