27C3 - Version 1.6.3

27th Chaos Communication Congress
We come in peace

Ralf-Philipp Weinmann
Day: Day 2 - 2010-12-28
Room: Saal 3
Start: 23:00
Duration: 01:00
ID: 4174
Event type: Lecture
Track: Hacking
Event language: English

The Hidden Nemesis

Backdooring Embedded Controllers

Want to persistently backdoor a laptop? Backdooring the BIOS is out of the question since your target can dump and diff it? Planting hardware is out of the question as well? Shhhhhhh.. I have something for you:

Embedded controllers are present in every modern laptop, yet their security impact has been unresearched thus far. An embedded controller has access to the complete stream of keyboard scan codes, can control fans and the battery charging process. Backdooring the embedded controller is a powerful way to plant a persistent firmware keylogger that works in a cross-platform fashion. Since ECs usually also provide battery and temperature sensor readings through ACPI, there also exists a way to funnel out the keystroke data through a low-privilege process later. Some laptops even allow EC controller firmware updates over the LAN!

I will present a PoC backdoor for a widespread series of laptops and show you how to defend yourself against this attack by dumping the EC firmware yourself.
