back to article Intel Xeon workhorses boot evil maids out of the hotel: USB-based spying thwarted by fix

Ex-Intel security dragons have breathed fresh fire into the old maxim: if someone has physical access to your machine, you're pwned. US-based Eclypsium, founded by former Chipzillans Yuriy Bulygin and Alex Bazhaniuk, confirmed this week it is possible to pull off a classic evil maid attack against Intel-powered servers and …

  1. Steve Davies 3 Silver badge
    Joke

    and in other news

    Sales of Rapid setting Epoxy Resin Glue have peaked this week. Retailers are mystified by the increase but as their stock control systems were recently hacked they have no idea how much stock they have left.

    1. Christian Berger

      Re: and in other news

      Actually what's best is to use nailpolish with glitter or stripes photograph is and place to the photograph as an ad into a newspaper. That way you'll have a constant public hash of your security measure.

      BTW there's little else you can do otherwise against "evil maid" attacks, since that maid can just as well replace the mainboard.

      Of course the failure on Intels side is to expose the debug interface on some connector that's actually moderately usefull for other things, so removing it is hardly ever an option.

      1. DropBear
        Trollface

        Re: and in other news

        Maybe they should have used the game port - it used to carry MIDI signals if I recall correctly, which should be bidirectional so there's your comms interface right there; and I suspect the intersection of hardcore retro-gaming musicians and server admins is really, really, really close to the empty set...

        1. Alistair
          Windows

          Re: and in other news

          @DropBear:

          Hell no, I know three off the top of my head, and thats in a small pool!

      2. LDS Silver badge
        Facepalm

        "the failure on Intels side is to expose the debug interface"

        Should they add a "debug port"?

      3. TheVogon

        Re: and in other news

        "since that maid can just as well replace the mainboard."

        But then the system wouldn't boot as your encryption keys for Secure Boot are in the TPM.

        1. Christian Berger

          Re: and in other news

          "But then the system wouldn't boot as your encryption keys for Secure Boot are in the TPM."

          If you just want got get around Secure Boot, that's trivial. You replace the whole computer with an identically looking one. This computer only asks the user for their password and sends it via radio to you. It will then pose as if the password is incorrect or the computer is broken.Then you have both the original computer and the password, which you can use to get all the data...

          The pro attack then will swap the computer back, the user will think they momentarily forgot their password and will be to embarrassed to ever report it.

  2. Denarius Silver badge

    so if I understand this correctly

    the old securely locked door on server room is still #1 in security ? So much progress...

    1. wyatt

      Re: so if I understand this correctly

      I've been reminding people of this for years but they never think basic any more.

  3. TechDrone
    Black Helicopters

    Should be disabled in firmsware

    And how do we know it really is disabled just cos the computer tells us it is?

    1. theblackhand

      Re: Should be disabled in firmsware

      It it's not fixed by this fix, it'll be fixed by the next one. Or the one after that. Or the one after that. Or the one after that. Or the one after that. Or the one after that. Or the one after that. Or the one after that.

      Look...its still less patches than Adobe Flash OK? You've removed Adobe Flash, ok.... hmmmm

      Regards

      Head of Intel Security

      "Because security is important to somebody... somewhere.... I guess"

    2. Voland's right hand Silver badge

      Re: Should be disabled in firmsware

      Hot glue gun is your friend. Fast. Safe. Very good insulator. Does not dissolve or otherwise damage the board. While easy to "inject", very difficult to remove without triggering a chassis intrusion alert and/or removing the server.

      Just walk down the isle and perform a "firmware fix" on all the suspects.

      1. short

        Re: Should be disabled in firmsware

        Bosch do a USB-charged wireless hot melt glue gun for this sort of thing. I thought it was a daft idea until I saw a friend's and got one, Highly recommended.

        1. nil0
          Facepalm

          Re: Should be disabled in firmsware

          > Bosch do a USB-charged wireless hot melt glue gun for this sort of thing.

          As long as you remember to charge *before* use. :-)

          1. Yet Another Anonymous coward Silver badge

            Re: Should be disabled in firmsware

            > Bosch do a USB-charged wireless hot melt glue gun for this sort of thing.

            And you check that the gun isn't itself hacked ....

  4. Anonymous Coward
    Anonymous Coward

    Chipzillans

    Much prefer Chipzillians.

    Conjures up whole new image.

  5. elwe

    How many JTAG interfaces are there in our tech, just waiting for somebody to pop the case open and replace the firmware. Why go to all the effort of hacking the OS, which might be secured with UEFI, when you can just replace the bios/firmware.

    Most JTAG interfaces probably don't end in headers in production kit, but will still be there and easy enough to connect to with a 3d printed widget to align some wires.

    Not much prevents this kind of attack from an evil maid, other than gluing devices together so badly they cannot be opened for repair. I guess that is another security plus for Apple...

    1. stiine Silver badge
      FAIL

      snmpv3

      Link state alerts if you power the server off.

      Chassis alerts if you open the cover.

  6. Version 1.0 Silver badge

    There's a simple fix for USB hacking.

    It's time to reinvent - rewire the internal USB connections on the server, Pin 1 - AC live, Pin 2 AC live, Pin 3 neutral, Pin 4 neutral.

    Problem solved.

    1. Joe Werner Silver badge

      Re: There's a simple fix for USB hacking.

      Neat! Reminds me of the BOFH episode with the "luggable" that was filled with batteries and inverters to sabotage stuff at a tradeshow...

      I would desolder the port from the main board, turn it around (people won't check) so you have less danger of connecting to the main board. Then connect AC to the pins as suggested above.

    2. Doctor Syntax Silver badge

      Re: There's a simple fix for USB hacking.

      "rewire the internal USB connections on the server, Pin 1 - AC live, Pin 2 AC live, Pin 3 neutral, Pin 4 neutral."

      You could do even better if you have 3 phase available....

      1. stiine Silver badge
        Mushroom

        Re: There's a simple fix for USB hacking.

        Wouldn't that just turn the USB cable to plasma?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021