Slashdot Mirror


Bootkit Bypasses TrueCrypt Encryption

mattOzan writes with this excerpt from H-online: "At Black Hat USA 2009, Austrian IT security specialist Peter Kleissner presented a bootkit called Stoned which is capable of bypassing the TrueCrypt partition and system encryption. The bootkit uses a 'double forward' to redirect I/O interrupt 13h, which allows it to insert itself between the Windows calls and TrueCrypt."

7 of 192 comments

  1. Uh, what? by Cthefuture · · Score: 4, Interesting

    So yeah, if someone is running live software on your machine then there isn't much you can do. If there is decrypted data then it's essentially available to anything on the machine.

    I mean if you're going to do this you could just modify the TrueCrypt code (bootloader in this case) itself to do what you want.

    Kind of "duh" story if you ask me.

    --
    The ratio of people to cake is too big
  2. Much as we hate TPM here on /. by Wrath0fb0b · · Score: 5, Interesting

    TFA has a very good point -- unless you (cryptographically) trust the components of your system all the way down to the hardware itself, you can get pwned by an attack like this. You can regularly do all-the-way-to-the-firmware scrubs of your machine as damage-control, but the only real prophylactic is some form of trusted computing.

    Of course, I'm not really dying to jump on the TPM bandwagon, given the sponsors, but it sure would be nice if there was an openly-audited trusted computing module.

    1. Re:Much as we hate TPM here on /. by mlts · · Score: 4, Interesting

      The tools are there (tboot, TrouSerS). What is missing is a gestalt "stack", where an admin can configure a distro to "seal" the hash of various parts of the boot process in the TPM (MBR, boot sector, BIOS, kernel, RAMdisk image), then encrypt the rest of the machine. Then, at boot, it would boot to the ramdisk filesystem, ask the TPM for the key, and if the image has not been tampered with, the TPM will hand the key over, and the boot process continues.

      One thing that isn't discussed (which is important) is a facility for recovering the encrypted data should the TPM be off or erased. BitLocker handles this fairly gracefully by saving a keyfile to a USB flash drive, or allowing the user to print out a sequence of numbers with the recovery key. BitLocker also allows saving of the recovery key to Active Directory, ensuring that corporate IT has recovery access (which is required by law in a number of cases). Finally, for home users, BitLocker allows use of offsite storage for the recovery information.

      Another option to implement a means of recovery is to have a recovery passphrase. PGP is a product that allows this, where one can boot from a TPM, but if that is unavailable, one can type in a previously set passphrase, or a WDRT (whole disk recovery token, which is a challenge/response system).

      This functionality will have to be implemented distribution by distribution, as there isn't a standardized set of tools. Perhaps one thing that should be designed would be a standard for implementation across distros.
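The seal-then-unseal-if-untampered flow described in the reply above, as an added simulation that is not part of the thread and not the code of tboot, TrouSerS or any real TPM. It models one PCR, a SHA-256 extend chain over constructed boot components, and a "seal" that only releases the disk key when the chain measured at boot equals the one it was sealed against. A bootkit that rewrites the MBR (the Stoned scenario from the summary) changes the first measurement and every later one, so the unseal fails. The component blobs, the key and the HMAC-based sealing are assumptions for illustration; a real TPM keeps the sealing secret inside the chip rather than deriving it from the PCR value.

```python
"""Simulated measured boot with a TPM-style PCR and key sealing.

Constructed illustration only: no real TPM, tboot or TrouSerS calls.
"""
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 32  # a freshly reset SHA-256 PCR reads as all zeros


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || digest). Order matters."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot_chain(components) -> bytes:
    """Extend a fresh PCR with the hash of each component, in boot order."""
    pcr = PCR_INIT
    for _name, blob in components:
        pcr = pcr_extend(pcr, hashlib.sha256(blob).digest())
    return pcr


def seal(secret: bytes, expected_pcr: bytes):
    """Bind `secret` to `expected_pcr` (assumed construction, not TPM2_Create).

    The sealing key is derived from the PCR value; the HMAC tag lets unseal
    detect a policy mismatch instead of returning garbage.
    """
    nonce = os.urandom(16)
    stream = hmac.new(expected_pcr, nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream[: len(secret)]))
    tag = hmac.new(expected_pcr, nonce + ct, "sha256").digest()
    return nonce, ct, tag


def unseal(blob, current_pcr: bytes):
    """Return the secret if `current_pcr` matches the sealing policy, else None."""
    nonce, ct, tag = blob
    expected_tag = hmac.new(current_pcr, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None  # measurements differ: the "TPM" refuses to release the key
    stream = hmac.new(current_pcr, nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream[: len(ct)]))


# Constructed stand-ins for the pieces mlts lists (BIOS, MBR, boot sector,
# kernel, RAM disk). Real measurements would hash the actual sectors/files.
CLEAN_CHAIN = [
    ("bios", b"BIOS image v1.02"),
    ("mbr", b"TrueCrypt MBR: jump to boot sector, chain INT 13h to BIOS"),
    ("boot_sector", b"TrueCrypt boot loader, asks for passphrase"),
    ("kernel", b"vmlinuz-2.6.30"),
    ("initrd", b"initramfs with unseal helper"),
]

# Same machine after a bootkit has overwritten the MBR to interpose on INT 13h.
INFECTED_CHAIN = [
    ("bios", CLEAN_CHAIN[0][1]),
    ("mbr", b"bootkit MBR: hook INT 13h, then forward to original TrueCrypt MBR"),
] + CLEAN_CHAIN[2:]

DISK_KEY = bytes(range(32))  # constructed 256-bit volume key


def provision() -> tuple:
    """Admin step: measure the known-good chain and seal the disk key to it."""
    return seal(DISK_KEY, measure_boot_chain(CLEAN_CHAIN))


def boot(blob, chain):
    """Boot-time step: re-measure the chain and ask for the key."""
    return unseal(blob, measure_boot_chain(chain))


def demo() -> tuple:
    """Returns (key released on a clean boot, key released on an infected boot)."""
    blob = provision()
    return boot(blob, CLEAN_CHAIN), boot(blob, INFECTED_CHAIN)


if __name__ == "__main__":
    clean, infected = demo()
    print("clean boot   ->", "key released" if clean == DISK_KEY else "refused")
    print("infected boot->", "key released" if infected else "refused")
```

The point the simulation makes is the one the reply relies on: sealing does not hide the key from a running, unlocked system, it only refuses to hand the key over when any measured stage differs from the provisioned one. Recovery when the PCRs legitimately change (firmware update, replaced board) is exactly why the recovery keyfile or passphrase discussed next is needed.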

  3. Re:Just when I thought I was safe.... by sumdumass · · Score: 4, Interesting

    I'm not so sure a mac is the answer. With a mac, you can just install the code in the keyboard and grab the keys directly.

  4. Re:Do I need to prepare? by khayman80 · · Score: 5, Interesting

    You're absolutely right. Strangely, none of those links led to Peter Kleissner's web page.

    Check out the comments. Some of the visitors are flaming him pretty hard, but he's just a kid with amazing skills and (understandably) very little historical knowledge. Luckily, Christian politely points out that his attack serves to "... alert many people who think they made their PC secure by installing TrueCrypt and still keep working with an admin account where they should not. You prove that a security policy is indispensable, because admin privileges will give malicious software the ability to tamper with the installed security software."

  5. Re:Do I need to prepare? by buchner.johannes · · Score: 4, Interesting

    This exploit really is more comparable to a software keylogger. It lies between the OS and the TrueCrypt bootloader, catching the disk access requests.
    For infection, you need admin rights on the running machine (TFA says so).

    So, with the full system encryption, you are of course safe. This is just a way of listening to TrueCrypt requests.

    Kudos to Peter, hope to meet him in the Metalab sometime.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  6. Re:Do I need to prepare? by ehrichweiss · · Score: 4, Interesting

    Encryption is to prevent your data from escaping if someone stole your laptop. It however will NOT prevent the thief from installing a keylogger (which is what TFA is basically describing), which can then be used to discover your passphrase and eventually gain access to the system.

    If you lose a laptop and then recover it, you can be fairly certain that your data was never leaked, but you cannot be certain that someone didn't tamper with your system so they could steal the data later. At that point the best you could do would be to mount the volume on a completely different system and move any data you hadn't already backed up, then wipe the drive/BIOS fully... though after yesterday's article about the BIOS "rootkit" that is Computrace, I'd be wary of the hardware at that point.

    --
    0x09F911029D74E35BD84156C5635688C0