字幕列表 影片播放 列印英文字幕 There's been this article recently a report about a hardware hack I just thought the interesting sort sure about what you think about it and whether it's something that is easy to do or always possible the original article alleged that Certain servers being supplied to companies were being doctored for developers with extra Hardware being added so that they could then be used to Exfiltrate information from the companies. The report seems to have been discredited quite heavily by Other parties whether it actually happened or not. I don't know. I'm not seen any of the servers I'm not a hardware or cyber security expert but it's certainly an interesting question to talk about Well, what would you be wanting to do? And why would you want to say perhaps do it in? hardware So, I've got a server motherboard here so it's a standard machine but often servers come with extra support to make them configurable So this is an Intel Xeon Processor and this is a for management control when installing lots of servers You will put them in racks of places in your data center you've got Necessary storage cooling and things and one of the things you don't have to do is when something goes wrong You need to reboot your machine to have to sort of find out where the machine is Turn it off and on again plug a keyboard and monitor in it to do any sort of maintenance on it So what modern servers do is they have these chips on there which generally computers in their own? Right and they enable you to connect to the machine? Even when it's switched off and do certain things with it, like turn it on turn it off and even interact with it So I've got a machine at home with all of these things in and if I just bring it up I'm now connected to it and it's got those things so I can look at the sensors see what the fan speed is I've got options to turn it off. Turn it up. Turn it back on again reset it On some of them I can either reflash the BIOS or the UEFI in this case and generally managed to the server and to the full extent that I can actually Bring up effectively a virtual console a virtual keyboard and display as it's done here where I can interact with the machine so I could Login put a ISO image of a CD or a DVD in there and install the operating system Why would you be wanting to do this? And why would you decide to do it via hardware rather than just getting someone to run some malware? And so we need to sort of clot back and think about this. So the alleged what's happened, is that the third party? Needed this decided they wanted to infiltrate Hackney computers Hackney computers made up an identification with actually be the company's live-in go to see should be Animals were harmed in making this completely absurd Hackney computers that ordered I say Several thousand servers and so because when you're building that menu it's going to be a special order so, you know probably who they're going to and the The story goes that an extra chip was inserted onto the motherboard of those machines that were destined for Hackney computers, I fully believe that it's possible to do this I think there's enough ways. You could connect things and actually what we want you to do We want you to get our code running inside their environment now if you think about a traditional companies where they traditionally lay out Their data centers and their networks is that you'll have a perimeter firewall around things to stop things getting in It's a bit like the old fashioned medieval castle right once you're inside the castle wall you've got a moat around it and the drawbridge of the trough was just pulled up then you can't get in but if you've got someone inside already Perhaps is away by a shining light shooting an arrow over the walls that they could communicate One possibility is that they've added a little bit of extra code Into the board management control and that ship contains that extra code and then they've got a machine Ok Very low powered one on the inside of the network While that forward management control of the BMC is likely to be on a network which is limited in what it can connect to It's probably likely to be able to connect to other board management controllers on the same network And of course as we've seen you can connect to the board management controller You can then log into the machine. So one potential thing is that they Use the board management control in the same way that we might put a Raspberry Pi or the cheap computer on the network And then we can use it as a staging pose to connect to other things these board management controls that can also Do things like flash the BIOS? And so it's potential that actually this is used as a sort of a Staging post to actually attack the machine itself And again, I think you would we have to assume that they didn't actually know what was going to be running here They could probably hazard a guess at the operating system and unlike the board management controller That machine probably is likely to be able to connect directly out to the internet perhaps to download software updates and things so normally when a machine is running you have different modes a CPU can be executing in you have a Sort of mode where the machine has access to everything and that's where your operating system works and depending whether you're on x86 and armor six eight thousand machine it might make me known as ring zero kernel mode supervisor mode But at that level you've got full control of the hardware the machine if you can do that you can then stop it being seen By people using the machines you can hide it sort of rootkit as it tends to be known but you think I'll probably get it running as Supervisor mode and there's two ways. You can do it one. You can find some sort of exploit Some part of the operating system that isn't well written so that you can get it tricky to start running your code And so that's where you see the sort of exploits things you find some way of tricking the software to do something that didn't intend to do make use of that to Take control of the system The other option is that you just get the code loaded in the place. It's the operating system So you modify the operating system itself when this machine shipped to hack me computers Then pack free computers will install that operating system of choice and see what you can't modify that then But how does that operating system get loaded off? Well that gets loaded off disk by another program called the bootloader and The bootloader is a program on the disk which gets loaded by the bios or the UEFI and the bios of the UEFI depending on the machine is on an EEPROM on The motherboard which can be flashed by the board management controller And so you can see another potential way that you could hack the machine is that you say, okay I'll put some hardware on the machine which modifies the board management controller to modify the bios of the ufi to modify the bootloader after it's been loaded because the voice has the permission to do that at that point to modify the operating system after that's loaded to Embed the malware I want to get executed and so it'd be a nightmare to be over because he running software Which modifies software which modifies software? Which modifies and I think I've got the right number of levels of indirection there Actually, there is another way you could potentially trick things there in that We talk about ring zero being the lowest level but actually when we've added support for virtual machines and hypervisors is now a ring Minus one as it tends to be referred to and so it's potentially possible that you could actually get a hypervisor running before Anything else on the machine and so the machine was running in a virtualized environment that they didn't know about So that's another potential way of doing it and again you then have access to be able to scrape memory and find things that were the software you can put it on let it run delete it and It's as if it was never there type sort of thing with the hardware You can't really get into the dead center necessarily and take all the chips out that you've put in there So you probably will make the chips look like they're meant to be there like they're something else or hide them So the way a modern printed circuit board is constructed is a printed circuit board that Scott several layers of fiberglass sandwiched together With traces of the tracks of the circuit running through them So you got the top layer and the bottom layer but often several three or four layers inside as well These only got six layer PCBs and things the story goes that actually now the chips are so small that they're embedded between the layers of the printed circuit board so that actually You wouldn't necessarily notice it. I think you'd want to design your Hardware exploit still make it look like it was meant to be there it's only if you had sort of one with it and one without it that you perhaps Noticed that there was something odd about that machine Detecting it would be difficult. I mean the stories They've been sort of suggested are that they're detecting it mainly through odd network access And so again that suggests what the software is doing it is connecting just other machines that I was not expected to either inside the company or outside the company and accessing things in a way that you wouldn't expect you to do and that is probably your sort of best bet for Detecting these sort of things is all these machines doing what you want them to do And the best way to do that is to sort of monitor your network and run software Which is sort of learning what's expected traffic and non expected traffic and liking things because obviously if you've got a huge data center Thousands of machines in it spotting the needle in the haystack Is a tricky problem so they may not connect directly to a server and upload it all But it may well be that they just do a domain name lookup on Certain domains depending on certain bits of data being there. And so and that's enough to tell people that actually ok This machine here is just that requested a specific domain that Doesn't exist that means that it's found what we asked it to look for and we've just returned a specific IP address perhaps that says go and Destroy all the machines at Hackney computers or whatever is you wanted to do Which means that we don't tend to use it very often horse is much further up the list So a correct and batteries further up the list as well. I mean, we all have phones we talk about batteries all the time. So If you hypothetically picked for words that were in the top 500 then suddenly the search base is 500 to the power 4
B1 中級 硬件黑客 - Computerphile (Hardware Hacking - Computerphile) 6 1 林宜悉 發佈於 2021 年 01 月 14 日 更多分享 分享 收藏 回報 影片單字