Placeholder Image

字幕列表 影片播放

  • There's been this article recently a report about a hardware hack

  • I just thought the interesting sort sure about what you think about it and whether it's something that is easy to do or always

  • possible the original article alleged that

  • Certain servers being supplied to companies were being

  • doctored for developers with extra Hardware being added so that they could then be used to

  • Exfiltrate information from the companies. The report seems to have been discredited quite heavily by

  • Other parties whether it actually happened or not. I don't know. I'm not seen any of the servers

  • I'm not a hardware or cyber security expert but it's certainly an interesting question to talk about

  • Well, what would you be wanting to do? And why would you want to say perhaps do it in?

  • hardware

  • So, I've got a server motherboard here so it's a standard machine but often servers come with extra support to make them configurable

  • So this is an Intel Xeon

  • Processor and this is a for management control when installing lots of servers

  • You will put them in racks of places in your data center

  • you've got

  • Necessary storage cooling and things and one of the things you don't have to do is when something goes wrong

  • You need to reboot your machine to have to sort of find out where the machine is

  • Turn it off and on again plug a keyboard and monitor in it to do any sort of maintenance on it

  • So what modern servers do is they have these chips on there which generally computers in their own?

  • Right and they enable you to connect to the machine?

  • Even when it's switched off and do certain things with it, like turn it on turn it off and even interact with it

  • So I've got a machine at home with all of these things in and if I just bring it up

  • I'm now connected to it and it's got those things so I can look at the sensors see what the fan speed is

  • I've got options to turn it off. Turn it up. Turn it back on again reset it

  • On some of them I can either

  • reflash the

  • BIOS or the UEFI in this case and generally managed to the server and to the full extent that I can actually

  • Bring up effectively a virtual console a virtual keyboard and display

  • as it's done here where I can interact with the machine so I could

  • Login put a ISO image of a CD or a DVD in there and install the operating system

  • Why would you be wanting to do this?

  • And why would you decide to do it via hardware rather than just getting someone to run some malware?

  • And so we need to sort of clot back and think about this. So the alleged what's happened, is that the third party?

  • Needed this decided they wanted to infiltrate

  • Hackney computers Hackney computers made up an identification with actually be the company's live-in go to see should be

  • Animals were harmed in making this completely absurd Hackney computers that ordered I say

  • Several thousand servers and so because when you're building that menu it's going to be a special order

  • so, you know probably who they're going to and the

  • The story goes that an extra chip was inserted onto the motherboard of those machines that were destined for

  • Hackney computers, I fully believe that it's possible to do this

  • I think there's enough ways. You could connect things and actually what we want you to do

  • We want you to get our code running inside their

  • environment now if you think about a traditional

  • companies where they traditionally lay out

  • Their data centers and their networks is that you'll have a perimeter firewall around things to stop things getting in

  • It's a bit like the old fashioned medieval castle right once you're inside the castle wall

  • you've got a moat around it and the drawbridge of the trough was just pulled up then you can't get in but if you've got

  • someone inside already

  • Perhaps is away by a shining light shooting an arrow over the walls that they could communicate

  • One possibility is that they've added a little bit of extra code

  • Into the board management control and that ship contains that extra code and then they've got a machine

  • Ok

  • Very low powered one on the inside of the network

  • While that forward management control of the BMC is likely to be on a network which is limited in what it can connect to

  • It's probably likely to be able to connect to other board management controllers on the same network

  • And of course as we've seen you can connect to the board management controller

  • You can then log into the machine. So one potential

  • thing is that they

  • Use the board management control in the same way that we might put a Raspberry Pi or the cheap computer on the network

  • And then we can use it as a staging pose to connect to other things these board management controls that can also

  • Do things like flash the BIOS? And so it's potential that actually this is used as a sort of a

  • Staging post to actually attack the machine itself

  • And again, I think you would we have to assume that they didn't actually know what was going to be running here

  • They could probably hazard a guess at the operating system and unlike the board management controller

  • That machine probably is likely to be able to connect directly out to the internet perhaps to download software

  • updates and things so normally when a machine is running you have

  • different modes a CPU can be executing in you have a

  • Sort of mode where the machine has access to everything and that's where your operating system works and depending whether you're on

  • x86 and armor six eight thousand machine it might make me known as

  • ring zero kernel mode supervisor mode

  • But at that level you've got full control of the hardware the machine if you can do that you can then stop it being seen

  • By people using the machines you can hide it sort of rootkit as it tends to be known

  • but you think I'll probably get it running as

  • Supervisor mode and there's two ways. You can do it one. You can find some sort of exploit

  • Some part of the operating system that isn't well written so that you can get it tricky to start running your code

  • And so that's where you see the sort of exploits

  • things you find some way of tricking the software to do something that didn't intend to do make use of that to

  • Take control of the system

  • The other option is that you just get the code loaded in the place. It's the operating system

  • So you modify the operating system itself when this machine shipped to hack me computers

  • Then pack free computers will install that operating system of choice and see what you can't modify that then

  • But how does that operating system get loaded off? Well that gets loaded off disk by another program called the bootloader and

  • The bootloader is a program on the disk

  • which gets loaded by the bios or the UEFI and the bios of the UEFI depending on the machine is on an EEPROM on

  • The motherboard which can be flashed by the board management controller

  • And so you can see another potential way that you could hack the machine is that you say, okay

  • I'll put some hardware on the machine which modifies the board management controller

  • to

  • modify the bios of the ufi to modify the bootloader

  • after it's been loaded because the voice has the permission to do that at that point to modify the operating system after that's loaded to

  • Embed the malware

  • I want to get executed and so it'd be a nightmare to be over because he running software

  • Which modifies software which modifies software?

  • Which modifies and I think I've got the right number of levels of indirection there

  • Actually, there is another way you could potentially trick things there in that

  • We talk about ring zero being the lowest level but actually when we've added support for virtual machines and hypervisors is now a ring

  • Minus one as it tends to be referred to and so it's potentially possible that you could actually get a hypervisor

  • running before

  • Anything else on the machine and so the machine was running in a virtualized environment that they didn't know about

  • So that's another potential way of doing it and again you then have access to be able to scrape memory and find

  • things that were the software you can put it on let it run delete it and

  • It's as if it was never there type sort of thing with the hardware

  • You can't really get into the dead center necessarily and take all the chips out that you've put in there

  • So you probably will make the chips look like they're meant to be there like they're something else or hide them

  • So the way a modern printed circuit board is constructed is a printed circuit board that Scott several layers of fiberglass sandwiched together

  • With traces of the tracks of the circuit running through them

  • So you got the top layer and the bottom layer but often several three or four layers inside as well

  • These only got six layer PCBs and things

  • the story goes that actually now the chips are so small that they're embedded between the layers of the printed circuit board so that actually

  • You wouldn't necessarily notice it. I think you'd want to design your

  • Hardware exploit still make it look like it was meant to be there

  • it's only if you had sort of one with it and one without it that you perhaps

  • Noticed that there was something odd about that machine

  • Detecting it would be difficult. I mean the stories

  • They've been sort of suggested are that they're detecting it mainly through odd network access

  • And so again that suggests what the software is doing it is connecting just other machines that I was not expected to

  • either inside the company or outside the company and

  • accessing things in a way that you wouldn't expect you to do and that is probably your sort of best bet for

  • Detecting these sort of things is all these machines doing what you want them to do

  • And the best way to do that is to sort of monitor your network and run software

  • Which is sort of learning what's expected traffic and non expected traffic and liking things because obviously if you've got a huge data center

  • Thousands of machines in it spotting the needle in the haystack

  • Is a tricky problem so they may not connect directly to a server and upload it all

  • But it may well be that they just do a domain name lookup on

  • Certain domains depending on certain bits of data being there. And so and that's enough to tell people that actually ok

  • This machine here is just that requested a specific domain that

  • Doesn't exist

  • that means that it's found what we asked it to look for and we've just returned a specific IP address perhaps that says go and

  • Destroy all the machines at Hackney computers or whatever is you wanted to do

  • Which means that we don't tend to use it very often horse is much further up the list

  • So a correct and batteries further up the list as well. I mean, we all have phones we talk about batteries all the time. So

  • If you hypothetically picked for words that were in the top 500 then suddenly the search base is 500 to the power 4

There's been this article recently a report about a hardware hack

字幕與單字

單字即點即查 點擊單字可以查詢單字解釋

B1 中級

硬件黑客 - Computerphile (Hardware Hacking - Computerphile)

  • 6 1
    林宜悉 發佈於 2021 年 01 月 14 日
影片單字