Wednesday, September 12 2007
Last week I moved my last computer to full disk encryption (FDE if you need an acronym). The last
computer was my desktop/laptop, therefore I thought it would be slightly more work since I wanted
to have suspend to disk (aka hibernation). It turned out to be quite easy after all (see [1]).
Previously I had set up my rented root server and my home server using a small hand-built system
you can ssh into in order to open the root partition and continue booting the real system (see [2]).
In recent days I did some research on possible attacks against fully encrypted
computer systems. Basically there is only one attack (if we rule out a brute-force attack against
the encryption key): keylogging. Keylogging is trying to capture all keystrokes
in order to obtain the passphrase for the encrypted disk. Keylogging can be done in either software or
hardware; both have advantages and disadvantages for both the attacker and the victim (the owner of
the encrypted disk).
Hardware keyloggers are small devices that are plugged in between the
computer and the keyboard. The device then just logs all keystrokes that it sees. The big
advantage (for the attacker) is that this is totally OS independent. The big disadvantage
for the attacker of course is that he needs physical access to the victim's computer twice (once
to install it, once to retrieve the logged data). Further, the victim can more or less easily find
a hardware keylogger if he cares to look for one. There are also PCI-card based keyloggers
(see [3]) that are probably harder to find (the computer would need to be opened), and
keyboards with built-in keyloggers (see [4]), but I doubt that these are any good since most
people would notice if their keyboard had suddenly changed. Of course you could also
open up the victim's keyboard and place the keylogger there, but there is always a chance that
you break the keyboard while doing this. The biggest disadvantage of hardware keyloggers is that
they can't monitor remote login sessions, which can also be used to decrypt and boot a computer;
this is where software keyloggers come into play.
Software keyloggers come in two variants: the general kernel/driver based keylogger
that just monitors all keyboards and terminal devices (e.g. a remote session), and the
application based keylogger, where a specific application is modified so that it logs some specific
or all input (e.g. the decrypt command could be modified to log the passphrase). So software
keyloggers have the advantage that they can log more data (local + remote sessions) but have
the big disadvantage that the attacker needs system level access to the plain, unencrypted part of the
computer (e.g. the boot partition) in order to place the modified kernel or binaries. If the hardware
is properly secured (e.g. no booting from an external disk or CD-ROM) the software manipulation
will take really long, since the hard disk would need to be removed (or at least the PC would need to
be opened). Also, this might not be possible at all if the victim always boots the computer
from a USB stick that he carries around with him at all times. In this case there wouldn't be
a plain boot partition on the PC and therefore nothing to modify. If the victim still needs
to type in the passphrase, a hardware keylogger could still catch him.
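The plain boot partition is exactly the part a software keylogger has to modify, so one cheap defence is to keep a hash baseline of it on a medium the attacker can't reach (the USB stick, or inside the encrypted root) and compare before typing the passphrase. The script below is an added example, not code from the original post; it assumes sha256sum(1) from coreutils and builds a constructed /boot look-alike in a temporary directory for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: baseline check for the plain
# (unencrypted) boot partition, so a swapped kernel, initrd or bootloader
# config is noticed before the passphrase is typed in. Assumes sha256sum(1)
# from coreutils and that the baseline file is stored where an attacker with
# access to the boot partition cannot alter it.

# build_baseline DIR OUT: sha256 of every regular file under DIR, sorted by path
build_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# verify_baseline DIR BASELINE: returns 0 if DIR still matches the baseline,
# 1 if any file was changed, removed or added (diff output names the paths)
verify_baseline() {
    current=$(mktemp) || return 2
    build_baseline "$1" "$current"
    if diff -u "$2" "$current"; then rc=0; else rc=1; fi
    rm -f "$current"
    return $rc
}

# demo_boot_check: constructed /boot look-alike in a temp dir; returns 0 when
# the clean tree verifies and a modified initrd is reported
demo_boot_check() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/boot/grub"
    printf 'constructed kernel image\n' > "$tmp/boot/vmlinuz"
    printf 'constructed initrd\n'       > "$tmp/boot/initrd.img"
    printf 'constructed grub config\n'  > "$tmp/boot/grub/grub.cfg"
    build_baseline "$tmp/boot" "$tmp/boot.sha256"
    verify_baseline "$tmp/boot" "$tmp/boot.sha256" >/dev/null || { rm -rf "$tmp"; return 1; }
    # model a tampered initrd by appending bytes; the check must now fail
    printf 'extra bytes\n' >> "$tmp/boot/initrd.img"
    if verify_baseline "$tmp/boot" "$tmp/boot.sha256" >/dev/null; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}

demo_boot_check && echo "boot baseline check: clean tree passes, modified initrd detected"
```

On a real system run build_baseline against the mounted boot partition once after a trusted update, and verify_baseline from the trusted boot medium each time before entering the passphrase.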
Laptops: while searching for keyloggers I only found that laptops are harder
to attack since they are relatively small and therefore don't have much space to hide a hardware
keylogger. The only thing I found was a Mini-PCI card based keylogger (see [5]), but since most
laptops have their Mini-PCI slot taken by the wireless card this looks quite strange. Of course you could always
disassemble the laptop to add a keylogger, but this also takes a lot of time and there is
always the chance of breaking it. The best time to do this would be when the laptop is sent
in for repair.
PDAs: I like my Palm Tungsten T5 because it supports complete filesystem encryption. Of course
this encryption is not verifiable since the source is not open, but at least it uses a secure
algorithm (AES).
Backups: don't forget to encrypt your backups. Having a fully encrypted PC and plaintext
backups is just stupid. Good backup software should support this.
Otherwise PGP/GPG your ZIPs/tarballs/whatever.
I would say that keylogging is only feasible under certain conditions: the attacker is extremely
knowledgeable and the victim is somehow unaware. All other cases would involve a huge portion
of luck for the attacker.
[1] Good starting point for crypto suspend: howto completely encrypted hard disk including suspend to encrypted disk with Ubuntu
[2] Small howto on: build an encrypted root server
[3] PCI-based keylogger
[4] Keyboard with built-in keylogger
[5] Mini-PCI keylogger
[6] USB keylogger