A possible security breach due to short-time physical access

Recently I made a mistake and it is possible that someone, whom I’m familiar with and am very, very suspicious of, was able to physically access my laptop for a very short amount of time (1 minute tops). My laptop was locked. When I unlocked the laptop I didn’t notice anything unusual for a few hours.

After a few hours I noticed several weird things started happening:

  1. I charged my computer, which had been shut down overnight, and it turned itself on (never happened to me before). I then noticed that an option was set in the BIOS to turn the computer on whenever the charger is connected.
  2. My computer has started waking up during sleep (or it doesn’t go to sleep when I close the lid, I’m not really sure).
  3. Multiple power supply lines are detected, one of them is claimed to be plugged in even when the charger is disconnected.

How likely is it that, despite the computer being locked and having a USB qube, the attacker connected a USB device that allowed him some kind of exploitation (either OS or BIOS)? Does connecting a USB device, despite it not being approved by the USB qube, still allow a possible attack?

  • Best

1min can be enough to modify hardware, if one is well prepared.

For USB devices it depends on your dom0 configuration (i.e. whether all USB devices are hidden from dom0 or not). Check the respective Qubes doc.

Other PCIE devices (e.g. SD card readers, CD drives, …) are generally attached to dom0 as well even with the aforementioned hardened configuration, i.e. a 1min compromise with those is also possible. However it would require a bug in the dom0 Linux kernel.

And there are a ton of bugs in those “screen lockers”…

Also, those docking ports are probably interesting from an attacker’s perspective.

If I were the attacker, I’d probably install a hardware keylogger or so though.
Changing BIOS settings without a reboot sounds rather hard in comparison.


More info about threat capabilities could be useful if willing to share.

More details found in
https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+screenlock

USB attack surface only, or all possible security breaches due to short-time physical access?

Sorry I’m not more help.

Appreciate your answer.

1min can be enough to modify hardware, if one is well prepared.

Hardware modification (in the form of opening my laptop) is out of the question, since we were all in the same open space; I (or someone else) would have noticed. We weren’t in a venue where opening up a laptop is common; it would be an extreme exception in that setting.

Other PCIE devices (e.g. SD card readers, CD drives, …) are generally attached to dom0 as well even with the aforementioned hardened configuration, i.e. a 1min compromise with those is also possible. However it would require a bug in the dom0 Linux kernel.

This on the other hand is something I’m more concerned about.

Changing BIOS settings without a reboot sounds rather hard in comparison.

I brought up the BIOS settings because the strange behavior I described (computer turning on when the charger is connected, waking up during sleep, and multiple power supply sources being detected) is somewhat of an indication I have of an attack made against me, especially considering that all these strange phenomena started a few hours after the unexpected meeting with this threatening individual. I also recently noticed a new bug affecting my processor allowing for escalation of privileges with physical access: https://nvd.nist.gov/vuln/detail/CVE-2022-21198

Is it likely that someone was able to do some BIOS exploitation by connecting a PCIe device, without a restart?

More info about threat capabilities could be useful if willing to share.

We’re talking about highly skilled, very technical individuals who have a special interest in me. Not a government agency or anything like that.

https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+screenlock

Very concerning. Thank you very much for the info, I’ll look into that.

USB attack surface only, or all possible security breaches due to short-time physical access?

I’m concerned about every possible breach due to short-time physical access. Hardware modification that requires opening up the laptop is highly unlikely.

No one can give you an exact number.
Is it possible? imho: yes
Is it likely? Who knows. Why does this person have a special interest in you? How do you know he/she is not part of a government agency?
When do you consider something as “likely”?
Even if it is unlikely (say 1%), is it unlikely enough for you? At which percentage of “likely” would you consider using a new device or reinstall everything?


Hi bored,

Thanks for your reply. I’m not looking for an exact number, just an estimation and some logical advice. Assuming this individual connected a device to a docking port or a USB port on my laptop, how likely is it that he’d be able to modify the BIOS without restarting the machine? Assuming extremely high technical skills.

Are there any real-life examples/POCs of such an attack? When speaking of local privilege escalation in the BIOS, how are these attacks usually exploited? I couldn’t find anything in the CVE I linked to regarding possible exploitation.

No one can give you an exact number.

Most decisions in life are made under uncertainty. It is rather extreme for me to replace my laptop because someone had a possible 1-minute time window to access my machine. In addition, if that is really the case and I have been compromised, replacing the laptop wouldn’t be enough. How would I be able to transfer the files from my old machine to the new machine, as the files may be infected as well?

This can be very costly in time and effort. That’s why I’m looking to understand more about how these kinds of attacks are made.

And he and his possible accomplices are not part of any government agency. They are individuals having a personal vendetta against me. A divorce would be a good analogy.

These kinds of attacks are usually targeted and state sponsored.
Depending on your configuration multiple bugs might be required. I don’t know of any such attack in real life but they are certainly possible. USB/kernel/Xen/Qubes/BIOS related CVEs are published once in a while. And these are only the published ones. Combine those …
You don’t need to restart the machine to modify the BIOS. Though BIOS malware might become active only after reboot.

Does the attacker know a lot about Qubes or your system configuration? Does he know you use Qubes at all? What is “extremely high technical skills” (Qubes user, exploit developer,…?)? What would they gain from compromising your device?
If this is on a divorce level I’d consider it as unlikely. I could come up with some edge cases (billionaire, exwife is NSA agent, etc) but …
It’s unlikely.

He and his possible accomplices are well aware that I’m a Qubes user. They are all very highly skilled in programming and security; exploit development goes without saying. For the sake of this conversation we can assume that they have a background in Qubes development, and if not, they can acquire it.

Do you think any of the three arising issues I described might be related to exploitation of any kind?

  1. I charged my computer, which had been shut down overnight, and it turned itself on (never happened to me before). I then noticed that an option was set in the BIOS to turn the computer on whenever the charger is connected.
  2. My computer has started waking up during sleep (or it doesn’t go to sleep when I close the lid, I’m not really sure).
  3. Multiple power supply lines are detected, one of them is claimed to be plugged in even when the charger is disconnected.

I’m not really sure what else to say, you’re kinda right in your previous statement:

Even if it is unlikely (say 1%), is it unlikely enough for you? At which percentage of “likely” would you consider using a new device or reinstall everything?

I guess the question now should be how I would be able to transfer what is necessary from my old machine.

Usually (with some exceptions) attackers want to go unnoticed. What are the goals of the attackers?
It could maybe be due to an attack, some other issue or you find something which has already been happening but you are just looking closer.

I can’t really answer that question. You’d need to compare the device against a known good one.
Dump firmware(s). Maybe compare behavior like if the good device also already shows the same number of power supply lines.
Compare file system. Etc.
There are some related threads around here, same for restoring the OS like: Compromise recovery in Qubes OS | Qubes OS
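As an added illustration (not code from this thread or from the Qubes project), here is a small POSIX shell triage script that turns the checks discussed above into something runnable: tripleh’s point that what a plugged-in USB device can reach depends on whether dom0 hides the USB controllers (in Qubes this is the `rd.qubes.hide_all_usb` kernel parameter), the three observed symptoms (ACPI wake sources in `/proc/acpi/wakeup` and the power-supply entries under `/sys/class/power_supply`), and bored’s suggestion to dump the firmware and compare it against a known-good identical machine. It assumes it is run in dom0 as root, that `flashrom` is installed there (it is not by default) and supports the chipset, and that a dump from a known-good machine of the same model and BIOS version is available; every file path is a parameter so the checks can also be exercised on copied or constructed input.

```shell
#!/bin/sh
# Added example, not from the thread. Run in dom0; file paths default to the
# live system but can be overridden so the checks can be exercised on copies.

# usb_hidden_from_dom0 [CMDLINE]: succeed if dom0 booted with USB controllers
# hidden (Qubes' rd.qubes.hide_all_usb kernel parameter).
usb_hidden_from_dom0() {
    grep -qw 'rd.qubes.hide_all_usb' "${1:-/proc/cmdline}"
}

# enabled_wake_devices [WAKEUP]: list ACPI wake sources marked *enabled in
# /proc/acpi/wakeup, e.g. the lid switch (LID) or a USB host controller (XHC).
enabled_wake_devices() {
    awk 'NR > 1 && $3 == "*enabled" { print $1 }' "${1:-/proc/acpi/wakeup}"
}

# count_online_supplies [DIR]: number of /sys/class/power_supply entries that
# report online=1; more than one with the charger unplugged deserves a second look.
count_online_supplies() {
    n=0
    for d in "${1:-/sys/class/power_supply}"/*; do
        if [ -r "$d/online" ] && [ "$(cat "$d/online")" = "1" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# dump_spi_flash OUT: read the SPI flash with flashrom's internal programmer
# (needs root and a supported chipset; run the same on the known-good machine).
dump_spi_flash() {
    flashrom -p internal -r "$1"
}

# firmware_diff_count GOOD SUSPECT: number of differing bytes between two dumps
# of equal size (exit 2 on a size mismatch, which already means different images).
firmware_diff_count() {
    if [ "$(wc -c < "$1")" -ne "$(wc -c < "$2")" ]; then
        echo "size mismatch: $1 vs $2" >&2
        return 2
    fi
    cmp -l "$1" "$2" | wc -l | tr -d ' '
}

# firmware_diff_offsets GOOD SUSPECT [N]: first N differing byte offsets
# (1-based, as cmp prints them) to locate which region of the image changed.
firmware_diff_offsets() {
    cmp -l "$1" "$2" | head -n "${3:-10}" | awk '{ print $1 }'
}

# triage_report: one-screen summary of the live checks when run in dom0.
triage_report() {
    if usb_hidden_from_dom0; then
        echo "USB controllers: hidden from dom0"
    else
        echo "USB controllers: NOT hidden from dom0 (see the Qubes USB qube doc)"
    fi
    echo "Enabled wake sources: $(enabled_wake_devices | tr '\n' ' ')"
    echo "Power supplies online: $(count_online_supplies)"
}
```

Source the file in a dom0 terminal and run `triage_report` for the live checks; for the firmware comparison, run `dump_spi_flash suspect.bin` on this machine and the same on the known-good one, then `firmware_diff_count good.bin suspect.bin` and `firmware_diff_offsets good.bin suspect.bin` show whether and where the images diverge. Note that a wake-on-AC or wake-on-LID setting lives in BIOS setup, not in the OS, so a clean comparison here does not by itself rule out a changed setting, and a differing dump is only meaningful when both machines really run the same BIOS version.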


BIOS modification is really advanced stuff as it requires lots of low-level skills and an exploit for the exact laptop model and BIOS version you use, i.e. it is very much targeted and requires a lot of preparation with at least one identical laptop to pull it off in 1min.

I’d consider that unlikely unless you’re up against some really devoted attacker.

As I’ve said, hardware gadgets such as USB keyloggers are commodity and well-tested hardware available at < 100$ and thus more likely to be used.


Thank you for describing the threat. Sorry to read it. As tripleh wisely says, BIOS modification “is very much targeted and requires a lot of preparation with at least one identical laptop to pull it off in 1min.”

I would also like to know whether Qubes mitigates all docking port attacks (for example resume-from-suspend hardware attacks) when sys-usb is set up correctly. I think it does, but S3 resume and option ROM (OROM) risks, if they exist, are beyond my knowledge.

Unlikely in my opinion, but I am not an expert. Unless he and his possible accomplices are as skilled as Trammell Hudson and have a strong personal vendetta, I guess the risk is low.

This question from @bored is excellent. It makes me wonder what you are trying most to protect. Is it data compromise, hardware integrity, ongoing monitoring risk, et cetera?

Not a nice thought, but maybe consider how to handle data exposure as well as data migration.

Another important question to consider, I think.

  • Best

Thank you all for the replies. You’ve given me quite a lot to think about. I really appreciate your help, and I’m sorry I can’t share more details regarding the possible attackers I’m facing and the steps I’ve taken.

As I’ve said, hardware gadgets such as USB keyloggers are commodity and well-tested hardware available at < 100$ and thus more likely to be used.

Forgive me for the lack of knowledge, but most hardware keyloggers I looked at are connected to the USB port, so I would obviously notice them. In addition, my sys-usb qube should also show that there’s a USB device connected, right? How would a concealed hardware keylogger be installed on my laptop?

Another thing I’m wondering about: assuming the attacker was able to connect a device to my docking port or a USB port, would he also need a 0-day exploit for dom0 or Xen? Or can connecting the device somehow lead to code execution in the BIOS, even though the desktop is locked, and assuming that no bug in the screen locker was exploited?

Leave your computer unattended and you will not notice it.