Anyone with a Screwdriver Can Break In!

By: Jay Beale -- jay@bastille-linux.org
August 28, 2000

This article will discuss the second weakest layer of computer security, physical security.[1] As we'll see, any attacker with physical access to a computer, a little ingenuity, and sufficient time can compromise the system. By way of example, I'll demonstrate attack and defense on a Red Hat Linux box and show how you might slow down, or even prevent, these kinds of attacks. You don't need a Linux machine, or even technical responsibility, for this article to be useful: the problem is independent of operating system, and the article is general enough to be useful to every level of computer user. Be warned, though - you'll probably only be able to slow down a determined attacker.

Breaking in Through the LILO Prompt

If you boot a Red Hat Linux 6.x system right now, you can boot into single-user mode like this:

    LILO: linux single

This will place the machine in runlevel 1, or single-user mode. You'll be logged in as the superuser, root, and you won't even have to type in a password! This is not a backdoor as such - the mode exists for system maintenance, which is a good idea. Handing out a root shell here without a password is a bad idea! You can fix this by editing /etc/inittab. Insert the following line right after the "initdefault" line:

    ~~:S:wait:/sbin/sulogin

This will require a password to boot into single-user mode, by making init run sulogin before dropping the machine to a root shell. sulogin requires the user to input the root password before continuing.

So, what if we've password-protected single-user mode? Well, you can still have root on the machine if you type:

    LILO: linux init=/bin/bash

This boots the Linux kernel, but runs the Bourne-Again Shell (bash) as the first (non-kernel) process, in place of init. Since the kernel runs init as root, this shell runs as root. You now have an instant root shell! Nothing in /etc/inittab helps here: init never ran, so sulogin never ran either.
OK, so how do we stop this and attacks like it? We really should restrict who gets access to the LILO prompt, and LILO permits this natively.

First, we can password-protect the LILO prompt, so that an attacker can't add options at the LILO prompt without typing a password. To do this, choose a password and place the following lines at the top of /etc/lilo.conf, in the global section before the first "image=" line:

    restricted
    password=SOME_PASSWORD_YOU_CHOOSE

"restricted" means the password is only demanded when someone passes extra options such as "single" or "init=/bin/bash"; leave it out and LILO will ask for the password on every boot, including unattended ones. The password is stored in clear text, so make the file readable by root only (chmod 600 /etc/lilo.conf).

We can also protect the LILO prompt by cutting the delay during which a keystroke brings the prompt up down to a tenth of a second, giving an attacker almost no time to add options.[2] Edit /etc/lilo.conf, comment out any line that reads "prompt" by placing a # in front of it, and insert this line near the top of the file:

    delay=1

LILO measures delay in tenths of a second, not milliseconds. Once you're done, re-run lilo to write your changes to the boot sector, by typing lilo at the root prompt; editing lilo.conf by itself changes nothing. Type man lilo and man lilo.conf to learn more about the LInux LOader.

OK, so we've secured lilo - have we completely locked an attacker out of superuser access? Sadly, we haven't, because an attacker with physical access can...

Boot Via a Floppy/CD-ROM/Other Bootable, Removable Medium

Well, if your computer has a floppy or CD-ROM drive, an attacker can usually boot the system from a bootable floppy/CD-ROM. I carry around a Tom's Root Boot disk in my laptop case, for occasions where someone forgets their root password (or a machine is too munged to boot properly). I boot the system from my Linux floppy disk, and then mount the drive, like this:

    # mkdir /jay
    # mount /dev/hda5 /jay
    # vi /jay/etc/passwd

Since I booted with my own floppy disk, I'm root on the machine. If the drive isn't encrypted, I can mount it (as above), edit the passwd file, and create myself a root-equivalent account by adding a line like this:

    jay::0:0:Security Admin:/:/bin/bash

This creates a root-equivalent account named 'jay' (UID 0) with an empty password field, so no password is needed to log in.
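The defences so far (sulogin in /etc/inittab; password, restricted and a short delay in /etc/lilo.conf) and the passwd backdoor just shown can all be checked with a short script. The one below is an added example written for this page, not part of the original article or of Bastille Linux. The sample inittab, lilo.conf and passwd contents it creates are constructed, the password in the hardened sample is a placeholder, and the function names (audit_inittab, audit_lilo_conf, audit_passwd, audit_system) are my own.

```shell
#!/bin/sh
# Added example, not from the original article: audits the boot-time defences
# discussed above. Each check prints one line per weakness found and nothing
# when the file is clean. Every path is a parameter, so the checks work both on
# the running system and on a drive mounted from a rescue floppy (e.g. /jay).

# inittab: single-user mode must run sulogin, or "linux single" is a free root shell.
audit_inittab() {
    grep -q '^[^#]*:S:wait:/sbin/sulogin' "$1" ||
        echo "inittab: no sulogin entry; 'linux single' gives a root shell without a password"
}

# lilo.conf: password+restricted stop "init=/bin/bash" at the prompt, no active
# "prompt" and a one-tenth-second delay leave no time to type options, and the
# file must not be world-readable because the password is stored in clear text.
audit_lilo_conf() {
    f=$1
    if grep -q '^[[:space:]]*password[[:space:]]*=' "$f"; then
        grep -q '^[[:space:]]*restricted' "$f" ||
            echo "lilo.conf: password set without 'restricted'; every boot, attended or not, will ask for it"
        [ -z "$(find "$f" -perm -004)" ] ||
            echo "lilo.conf: world-readable, so the clear-text LILO password is exposed (chmod 600)"
    else
        echo "lilo.conf: no password; anyone at the LILO prompt can boot init=/bin/bash"
    fi
    if grep -q '^[[:space:]]*prompt' "$f"; then
        echo "lilo.conf: 'prompt' is active, so LILO always stops and waits for options"
    fi
    dly=$(sed -n 's/^[[:space:]]*delay[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$f" | head -n 1)
    [ -z "$dly" ] || [ "$dly" -le 1 ] ||
        echo "lilo.conf: delay=$dly leaves $dly tenths of a second to interrupt the boot; use delay=1"
}

# passwd: a UID-0 account other than root, or an empty password field, is the
# kind of backdoor the offline edit above creates.
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { printf "passwd: extra UID-0 account %s\n", $1 }
        $2 == ""                { printf "passwd: account %s has an empty password field\n", $1 }
    ' "$1"
}

# Audit a whole tree: "/" for the running system, or a mount point such as /jay.
audit_system() {
    root=${1%/}
    audit_inittab "$root/etc/inittab"
    audit_lilo_conf "$root/etc/lilo.conf"
    audit_passwd "$root/etc/passwd"
}

# Count the lines a check prints (awk, unlike grep -c, never fails on zero lines).
finding_count() { "$@" | awk 'END { print NR }'; }

# Constructed samples (not copied from any real system) in a scratch directory.
# Prints the directory so callers can reference the files.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'id:3:initdefault:' 'si::sysinit:/etc/rc.d/rc.sysinit' \
        'l1:1:wait:/etc/rc.d/rc 1' > "$d/inittab.weak"
    printf '%s\n' 'id:3:initdefault:' '~~:S:wait:/sbin/sulogin' \
        'si::sysinit:/etc/rc.d/rc.sysinit' 'l1:1:wait:/etc/rc.d/rc 1' > "$d/inittab.ok"
    printf '%s\n' 'boot=/dev/hda' 'map=/boot/map' 'install=/boot/boot.b' 'prompt' \
        'timeout=50' 'delay=30' 'image=/boot/vmlinuz' '  label=linux' \
        '  root=/dev/hda5' '  read-only' > "$d/lilo.conf.weak"
    chmod 644 "$d/lilo.conf.weak"
    # The password below is a placeholder for the sample only.
    printf '%s\n' 'boot=/dev/hda' 'map=/boot/map' 'install=/boot/boot.b' 'restricted' \
        'password=ExamplePasswordOnly' '#prompt' 'delay=1' 'timeout=50' \
        'image=/boot/vmlinuz' '  label=linux' '  root=/dev/hda5' '  read-only' > "$d/lilo.conf.ok"
    chmod 600 "$d/lilo.conf.ok"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'bin:x:1:1:bin:/bin:' \
        'jay::0:0:Security Admin:/:/bin/bash' > "$d/passwd.weak"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'bin:x:1:1:bin:/bin:' > "$d/passwd.ok"
    echo "$d"
}

# Demonstration: audit the weak and the hardened constructed samples.
samples=$(make_samples)
for kind in weak ok; do
    echo "== $kind samples =="
    audit_inittab "$samples/inittab.$kind"
    audit_lilo_conf "$samples/lilo.conf.$kind"
    audit_passwd "$samples/passwd.$kind"
done
rm -rf "$samples"
```

Run it as is to see both sample sets audited (the weak set produces six findings, the hardened set none), or call audit_system /jay after mounting a drive from a rescue floppy to check a machine offline; audit_system / does the same for the running system. The lilo.conf check insists on mode 600 because LILO keeps the password in clear text, and it treats any delay above one tenth of a second as a finding because, with "prompt" commented out, that delay is exactly the window in which a keystroke brings the prompt back.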
From here, I can repair the damage to the box, delete the account and go about my business. Unfortunately, an attacker can use the same technique illegitimately to quickly root a box.

We can prevent this, initially, by restricting the machine to booting only off the hard drive: the technique is useless if the computer won't boot off a floppy/CD-ROM. You can generally configure boot options via your computer's battery-backed NVRAM, EEPROM, CMOS, or such. On Intel x86 hardware, turn your machine off and then, as it boots, press whatever key (Esc, F1, F2...) puts you into your BIOS's configuration menu. Find the boot order (boot sequence) setting, make the hard drive the first and only boot device, and save. Now, with the option saved, try to boot off a floppy. This should be impossible.

OK, so now an attacker can't simply insert a floppy disk to root the box, nor can he get easy access through the LILO prompt. Does he have other methods? Of course! He can...

Remove the Boot Device Restrictions!

A knowledgeable attacker, upon finding that he can't boot from removable media, will simply follow the same procedure you just did, changing the boot device list back! Well, we can combat this, but you should be seeing two primary effects of every measure in this article:

1. Stop less knowledgeable attackers by knowing just a little more than them.
2. Slow down and deter the knowledgeable attacker.

We'll talk about these later - I just didn't want you to lose hope halfway through the article...

So, the attacker can undo the change we just made to your system's boot restrictions. Well, most systems, including Intel-based hardware, allow you to set a password on the NVRAM, EEPROM, CMOS or whatever. This is an easy option to find, yet still an easy one to neglect. Place a password on your system's BIOS setup. This, combined with the options above, will stop a large percentage of attackers dead in their tracks. The remaining few might...

Remove the BIOS/NVRAM/.../CMOS Password!

OK, our attacker is annoying. He's also burning plenty of time.
If he can get sufficient access, he might be able to use a tool to discover the BIOS password from inside Linux. Usually, he can't do this. Instead, since he has physical access, he can take the simpler approach. On Intel hardware, the CMOS/BIOS configuration is maintained by a small battery, often similar to a watch battery. If you disconnect this battery for a few moments, the CMOS RAM blanks, and the system forgets its password (and your boot-device restrictions along with it). While some systems then default to a manufacturer's password, there are online tables of these which our attacker can probably consult and/or partially memorize.

What do we do here? Well, we can place a lock on the case, so it can't be easily opened. With time, and tools, these locks can be picked or broken. Further, the attacker might be able to compromise the lock by harming the case directly... Still, the lock (and a strong case) will slow him down and may deter him to the extent that he leaves. Further, you might just remove the floppy drive, CD-ROM drive, and any other external drive/disk mount ports (Zip disk, parallel port...). What then?

Remount the Hard Drive on Another Machine!

Remember our mounting trick with the floppy disk from earlier? This can be applied from another host! While this may seem impractical, I'll note that I saw a deck-of-cards-sized computer just a few weeks ago, at DefCon, that could be used for this very purpose. Boasting a 340MB hard disk, with a Red Hat Linux install and a free IDE port, this ultra-portable computer could easily be used for this purpose. Just plug the hard drive into this system, or another system you've got control of, and you've got somewhat-less-than-quick superuser access. All we need, generally, is a screwdriver to open the target machine and get at the hard drive! Again, case locks can help here, but they only serve to slow down a determined attacker.

So, suppose we're still working on stopping the determined attacker. This guy is a total pain.
The physical access makes the machine weak! So, what if we could remove the physical access? We place the machine in a locked room, with a steel door, hinged on the inside, with multiple non-trivial locks. Only the monitor, mouse and keyboard are accessible. We're truly safe now, right?

Well, don't start patting yourself on the back just yet. Check those walls. Most of you secure your server rooms behind walls that don't quite go up past the ceiling... What do I mean, you ask? Consider the ceiling tiles around the room. Push one up, right near your inter-office walls, and you might find plenty of crawl space over that wall into your "secure" server room. Once, when I locked myself out of my own office, I was told to use this space to unlock the door from the inside. Most offices don't think about this design in their physical security audit!

OK, OK, I'm getting a little outrageous by now, yes? Eh, it really depends on how "secure" you need your computers to be. As I hope I've shown, it truly is difficult to stop an attacker who has time and unsupervised physical access to your computers. So, what do you do?

Remove the Opportunity and Deter the Attacker

You really can stop most attackers, simply by not providing them with the unsupervised opportunity and time required to carry out an attack. If you followed the path our attacker might take, you'd note that all of this took time: he had to reboot the host several times, and each defence that held sent him on to a slower, noisier method. If you harden the LInux LOader (lilo) sufficiently, set boot device restrictions and secure the means of changing them, our attacker will be getting into the realm of opening his target computer's case, possibly defeating locks along the way. While this part takes time, it's also highly likely to be noticed by anyone monitoring the area. If you've given physical access because the target is in a computer lab, you can hire a lab monitor to watch for anything this noticeable.
If the physical access is accidental/unintended, you can look into door locks, alarm systems, and perhaps even guards. In any case, now that you understand the dangers, you'll be able to think about this problem more carefully and choose the measures that fit your organization.

Not Really a Losing Battle?

OK, so, against a determined attacker, with sufficient time and no supervision, you've got little chance, right? Well, not quite. Most attackers don't think of all of these methods, or don't have the time/energy/wherewithal to apply them. Further, I would think that most attackers wouldn't choose a method that is so time-intensive, when they can be caught on the scene. So, work to foil all but the most capable attacker with the steps above. Secure the operating system boot loader, the firmware boot settings (BIOS...) and the hardware itself. The few attackers left will require lots of time to break in, which, along with fear of being caught, will often provide an ample deterrent.

Really, deterring the attacker is the name of the game for many of us. If we could get anywhere near to making a computer impossible to break into, it would be considered fairly unusable by most. So, we compromise. We remove all of the "easy" methods of breaking in, like the 30-second "LILO: linux single" or boot-floppy "exploits" demonstrated above. We try to go as many steps further as we can, without disrupting normal use. If we can make our machines enough of a pain to root, most attackers will go after someone else. The remainder we'll have to try to catch or deter with other methods, like security systems and lab monitors.

In the end, always remember, the attacker is a human being, with plenty of potential for creativity and brilliance. Don't underestimate him/her! Good luck!

Footnotes

1. The absolute weakest layer of computer security is widely believed to be the social, or "people," layer. Crackers like Kevin Mitnick often broke in simply by calling users, pretending to be system administrators, and asking said users for their passwords.

2. By the way, Bastille Linux can perform both of these steps for you. (Wink, wink, plug, plug)