27C3 - Version 1.6.3
27th Chaos Communication Congress
We come in peace
Speakers | |
---|---|
Ralf-Philipp Weinmann |
Schedule | |
---|---|
Day | Day 2 - 2010-12-28 |
Room | Saal 3 |
Start time | 23:00 |
Duration | 01:00 |
Info | |
ID | 4174 |
Event type | Lecture |
Track | Hacking |
Language used for presentation | English |
Feedback | |
---|---|
Did you attend this event? Give Feedback |
The Hidden Nemesis
Backdooring Embedded Controllers
Want to persistently backdoor a laptop? Backdooring the BIOS is out of the question since your target can dump and diff it? Planting hardware is out of the question as well? Shhhhhhh.. I have something for you:
Embedded controllers are present in every modern laptop, yet their security impact has been unresearched thus far. An embedded controller has access to the complete stream of keyboard scan codes, can control fans and the battery charging process. Backdooring the embedded controller is a powerful way to plant a persistent firmware keylogger that works in a cross-platform fashion. Since ECs usually also provide battery and temperature sensor readings through ACPI, there also exists a way to funnel out the keystroke data through a low-privilege process later. Some laptops even allow EC controller firmware updates over the LAN!
I will present a PoC backdoor for a widespread series of laptops and show you how to defend yourself against this attack by dumping the EC firmware yourself.