Since 2006 when Adam Boileau released his research on exploiting machines using Firewire, we have had fun unlocking locked computers and imaging RAM from the same. With the release of Thunderbolt (TB) I wondered if the same issues surrounding Direct Memory Access (DMA) exists with that implementation. Turns out it does. The interesting thing about this is that allowing DMA provides much of the cool functionality that TB provides however this also provides an attack vector for physical access in the same way as Firewire. As this is due to an implementation in the hardware layer the OS remains blissfully unaware of whats going on.
Reading a blog on the subject this week there were many comments about it being a lame duck attack as physical access is needed, however, many in our community know that gaining access to a machine is often possible.
If a computer is dead then file level access is simple, however a Windows or Mac that is booted but password locked has always been a problem, however with TB now appearing on all Macs this could be rather a useful technique. It is notable that Lion appears to turn off DMA in certain circumstances but more work needs to be done to understand this fully.
Enter 'Inception', a very nice proof of concept tool from the Break n Enter blog. Some work has been done in this area and it seems to work pretty well in certain situations. I won't bother re-blogging everything, but I strongly recommend reading the page I linked to above and also the video which shows the extraction of RAM and the pwning of the FileVault password (loving the music too). Big shout out to them for the tool and the work.
I'll try and spend some time on this in the next few weeks and let you know how I get on.
CyberSpeak Aug 31 2015 - SRUM
10 months ago