27C3 - Version 1.6.3

27th Chaos Communication Congress
We come in peace

Speakers
Ralf-Philipp Weinmann
Schedule
Day Day 2 - 2010-12-28
Room Saal 3
Start time 23:00
Duration 01:00
Info
ID 4174
Event type Lecture
Track Hacking
Language used for presentation English
Feedback

The Hidden Nemesis

Backdooring Embedded Controllers

Want to persistently backdoor a laptop? Backdooring the BIOS is out of the question since your target can dump and diff it? Planting hardware is out of the question as well? Shhhhhhh.. I have something for you:

Embedded controllers are present in every modern laptop, yet their security impact has been unresearched thus far. An embedded controller has access to the complete stream of keyboard scan codes, can control fans and the battery charging process. Backdooring the embedded controller is a powerful way to plant a persistent firmware keylogger that works in a cross-platform fashion. Since ECs usually also provide battery and temperature sensor readings through ACPI, there also exists a way to funnel out the keystroke data through a low-privilege process later. Some laptops even allow EC controller firmware updates over the LAN!

I will present a PoC backdoor for a widespread series of laptops and show you how to defend yourself against this attack by dumping the EC firmware yourself.