Actions

Protection Against Physical Attacks

Introduction[edit]

Physical attacks require adversaries to have direct access to a user's computer and cannot be conducted remotely. This section should be read in conjunction with the Full Disk Encryption and Encrypted Images entry.

BIOS Password[edit]


The Basic Input/Output System (BIOS) is non-volatile firmware which performs hardware initialization during the computer's booting process after it is powered on. It also provides runtime services for operating systems and progams. BIOS in modern PCs initialize and test system hardware components, as well as loading a boot loader or operating system from a mass memory device. The Unified Extensible Firmware Interface (UEFI) is the successor to BIOS that was released in 2011. [1]

All local settings are stored in BIOS, including power options, boot options and memory information. The BIOS menu allows the user to set and change a boot password for the computer upon startup. An administrator password can also be set to prevent others from changing BIOS settings. To set a BIOS boot password: [2] [3]

  • Turn on / restart the computer.
  • Press the relevant key to access the BIOS menu. It is usually one of: Del, Esc, F2, F10, or F12.
  • Navigate to the Security or Password section using the arrow keys.
  • Search for an entry named "Password on boot" or similar.
  • Enter the new, strong password.
  • Save the changes made to BIOS settings. On most PCs, this is done by pressing Esc or F10 -> Save and Exit. Check the bottom of the BIOS screen to be sure.
  • Reboot the computer and confirm a password prompt now appears.

For greater security, a password should be set to access the BIOS menu itself. Search the Security or Password BIOS menu for "Set supervisor password", "User password", "System password", or something similar. [4] Also, users may prefer to configure BIOS to only allow booting from HDD/SSD so the computer cannot be booted from CD-ROM or USB flash drives.

It should be noted that there are numerous methods of bypassing, removing or resetting BIOS passwords, so this method will only prevent casual attempts to gain access.

Cold Boot Attacks[edit]


Modern computer architecture poses a significant risk to Whonix users. Adversaries with physical access to a computer running Whonix may be able to recover all session activities, even if FDE is enabled.

Even when a computer is powered off, the data in RAM does not immediately disappear. Depending on the circumstances, data can survive for up to several minutes. For example, this occurs when a computer loses power abruptly and does not go through the normal shutdown cycle. [6] If an adversary has immediate physical access to a computer, a cold boot attack can be mounted.

Forensic experts have two main methods of extracting data from RAM: [7]

  • The running computer is cold-booted and a lightweight operating system is booted from a removable disk. A tool is used to dump pre-boot physical memory contents to a file.
  • The memory modules are quickly removed from the original system and placed in another computer under the adversary's control. The machine is then booted to access the memory contents.

In both cases, the RAM contents can be analyzed in a computer forensics laboratory. Depending on what is found, the user may be in serious peril. Notably, cold boot attacks have proven effective against Trusted Platform Modules (TPMs), as well as full disk encryption regardless of the vendor or operating system. For certain memory modules, the time window for an attack can be extended to several hours by cooling them with a refrigerant. [8]

Cold boot attacks are thought to be a very uncommon method of recovering data, but high-risk users should be prepared for such a contingency to stay on the safe side. So long as a cold boot attack is not mounted directly after shutdown, then contents of RAM should be emptied within minutes. [9]

Preventative Measures[edit]

Whonix does not yet provide an analogous feature to Tails, which wipes RAM on shutdown by overwriting it with random data. Possible interim solutions include:

Cold boot attacks are a clear and present danger for high-risk users due to the limited countermeasures available. In the purely hypothetical situation where an adversary is knocking earnestly on the door, safest would be pressing the panic button on the host, leading to the contents of RAM being quickly wiped. Failing that, the computer should be immediately shut down, and access to the computer delayed as long as possible.

Evil Maid Attack[edit]

For a description of this attack, see here.

If the user has a TPM chip, anti-evil maid measures are available for:

Problematic Interfaces[edit]

There are a number of computer interfaces that pose the risk of a direct memory access (DMA) attack. Potentially exploitable interfaces include ExpressCard, PCMCIA, FireWire, PCI, PCI Express or Thunderbolt.


In practice, attached devices are permitted to read and write directly to memory, often without supervision of the operating system. This is in contrast to user-mode applications that are usually prevented from accessing memory locations that are not explicitly authorized by virtual memory controllers. [15]

A successful DMA attack on an unattended, live computer allows the adversary to: [16] [17] [18] [19]

  • Access sensitive cryptographic material in memory.
  • Circumvent FDE.
  • Inject executable code.
  • Partially or fully read the memory address space.
  • Read documents, files or other digital traces present in memory.
  • Take control of the entire system, for example via the network.
  • Unlock screensavers without a passphrase.

DMA attack software tools which mimic the abilities of state-level adversaries are even available on GitHub! [20] Mitigating the threat of a DMA attack requires mostly physical security countermeasures; it is recommended to:

  • Consider blocking or removing them completely.
  • Disable them in BIOS or UEFI.
  • Never allow unknown and potentially malicious devices to be inserted into these ports. [21]
  • Securely configure these interfaces.
  • Use IOMMU technology where available and software which supports it, like Qubes. [22]
  • Use Linux kernel options to disable DMA by Firewire devices.

Screen Lock[edit]


Locking the screen on the host prevents others from viewing or using the device. It is advisable to set the screen to lock after a certain period of inactivity, and a strong password is recommended.

To manually lock the screen: [23] [24]

  • Windows:
    • Open Start Menu -> Click User Icon -> Select Lock; or
    • Ctrl + Alt + Del -> Select Lock; or
    • Windows key + L.
  • macOS:
    • Apple menu button -> Lock Screen; or
    • CMD + Ctrl + Q. [25]
  • Linux:
    • Menu panel -> Lock Screen.
    • Shortcuts are specific to the desktop environment in use, for example, GNOME, KDE, Xfce and so on.

Side Channel Attacks[edit]


Side-channel attacks are made possible by physical effects caused by cryptosystem operations (on the side) which provide extra information about system secrets like cryptographic keys, state information, or full/partial plaintexts. Wikipedia defines side-channel attacks as: [26]

...any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system.

Side-channels emerge because computation takes place on a non-ideal system, composed of transistors, wires, power supplies, memory, and peripherals. Component characteristics vary with the instructions and data that are processed, allowing measurable variance to be used by attackers. [27]

The main side-channel attack classes are: [28]

  • Acoustic cryptanalysis: Sound produced during computation is used for attacks.
  • Cache attacks: Attackers monitor cache accesses made by the user in shared physical systems like virtualized environments or cloud services.
  • Data remanence: Sensitive data are read after supposedly being deleted.
  • Differential fault analysis: Secrets are discovered by introducing faults in a computation.
  • Electromagnetic attacks: Leaked electromagnetic radiation allows attacks that can provide plaintexts and other information. Cryptographic keys can be inferred via this method; for example, see TEMPEST.
  • Optical: Secrets and sensitive data are read by visual recordings with a high resolution camera, or other devices.
  • Power-monitoring attacks: Attacks use measurements of varying hardware power consumption during computation.
  • Software-initiated fault attacks: Row hammer is an example of this attack, whereby off-limits memory is changed by rapidly accessing adjacent memory, leading to state retention loss.
  • Timing attacks: Attacks are based on measuring how long various computations take to perform, such as the attacker's password compared to the user's unknown one.


While Whonix has some limited countermeasures to side-channel attacks, in general it cannot provide protection against most classes, nor hardware keyloggers, TEMPEST, miniature cameras and so on. Full disk encryption is also helpless against these attacks.

For further reading on this complex topic, see here, here and here.

Footnotes[edit]

  1. https://en.wikipedia.org/wiki/BIOS
  2. https://www.techwalla.com/articles/how-to-change-the-administrator-password-in-bios
  3. http://www.intowindows.com/how-to-set-bios-or-uefi-password-in-windows-10/
  4. If the system has both a supervisor password and a user password, then set passwords for both.
  5. https://tails.boum.org/doc/advanced_topics/cold_boot_attacks/index.en.html
  6. https://darkwebnews.com/security-guide/cold-boot-attacks-unencrypted-ram-extraction/
  7. https://en.wikipedia.org/wiki/Cold_boot_attack
  8. https://en.wikipedia.org/wiki/Cold_boot_attack
  9. https://tails.boum.org/doc/advanced_topics/cold_boot_attacks/index.en.html
  10. Unfortunately, an upstream script does not yet exist to implement this feature, so Whonix is currently unable to provide a solution for this attack.
  11. Tails and Liberte Linux have partially solved this problem.
  12. Instead of waiting for an upstream solution, see the Dev#Wipe RAM panic script. The user would need to implement a panic button which will wipe RAM. Please contribute by coding this feature.
  13. https://en.wikipedia.org/wiki/Cold_boot_attack#Register-based_key_storage
  14. By installing the anti-evil-maid package in dom0 and following the configuration steps.
  15. https://en.wikipedia.org/wiki/DMA_attack
  16. http://louwrentius.com/firewire-the-forgotten-security-risk.html
  17. https://en.wikipedia.org/wiki/DMA_attack
  18. https://privatecore.com/resources-overview/physical-memory-attacks/index.html
  19. http://www.delaat.net/rp/2011-2012/p14/report.pdf
  20. This is not an endorsement for the use of hacking tools.
  21. This is another reason why high-risk users should never leave their devices unattended.
  22. IOMMU maps device-visible virtual addresses to physical addresses. The security benefit is that operating systems that are run in guest virtualized machines -- AppVMs in Qubes -- do not know the physical memory addresses on the host that are being accessed. This makes DMA attacks very difficult and can lead to memory corruption if attempted.
  23. https://www.isunshare.com/windows-10/3-ways-to-lock-windows-10-computer.html
  24. https://swissmacuser.ch/new-lock-screen-feature-in-macos-high-sierra/
  25. Some macOS systems instead use Ctrl + Shift + Power button OR Ctrl + Shift + Eject key.
  26. https://en.wikipedia.org/wiki/Side-channel_attack
  27. http://rootlabs.com/articles/IEEE_SideChannelAttacks.pdf
  28. https://en.wikipedia.org/wiki/Side-channel_attack

License[edit]

Whonix Protection Against Physical Attacks wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Protection Against Physical Attacks wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.


Random News:

We are looking for maintainers and developers.


https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)