The CMOS battery often has nothing to do with BIOS settings, on many modern laptops it's stored in the BIOS flash memory, with no such reset sequence available.
If properly secured, physical hacking is not as easy as it used to be.
One does not even need to enable password protection of Grub. Linux will ask for the root password before granting access to recovery mode. That stopped working at the early 2000s. The author must use a pretty stupid distro to not notice it by 2013.
Anyway, want to gain access to the computer? Get a screwdriver.
Linux is a kernel. It runs the PID 1 process with root permissions. It doesn't ask for anything. The PID 1 process might, though. So it depends on userland. Then, you can parametrize the kernel with the "init=..." boot option and specify which PID 1 process you'd want. Indeed, the easiest way to get root access is to set that kernel parameter from boot loader - if it allows you to. Which about every default boot loader does. Just set it to a shell and be aware that userland might be a bit picky because you didn't set up a proper session yet.
If you have access to grub, you can edit the kernel command line and add init=/bin/sh. That will drop you in the initramfs, and you can mount the system's filesystems (assuming they're not encrypted of course).
Not sure what this article is trying to say. I can gain "root access" just by dismantling the hard drive and mounting it on a machine I own.
This is exactly why everybody should be using full-disk encryption. It is ridiculously easy to set it up both on OS X (with FileVault) and Linux (with a plethora of options), and even on Windows machines. There is absolutely no reason why not to do this.
This is a frighteningly effective hack, which once again underscores that if your attacker has physical access to the machine, you're hosed. I've seen this attack demonstrated live on Windows Server. It just uses DMA to search the memory and skip the subroutine that checks whether the password entered was valid.
Just put glue in the firewire connector, you say? Well, for instance most laptops that can be docked are firewire-accessible through the docking port. The firewire interface is also reachable through a USB adapter. So you'd have to glue the USB ports shut as well. (Impractical). Even if you do all this, most motherboards have the FireWire interface enabled on a PCI level, even if there are no physical PCI ports on the computer. So against this attack you'd be pretty much hosed regardless, unless you use a chipset that explicitly doesn't implement FireWire.
To prevent this attack, disable auto-loading of FireWire drivers within the OS. I believe one of the Linux driver stacks already does this & OS X protects itself when the machine is locked.
Also, FireWire over USB is repeatedly mentioned as not working.
You're in front of a Linux computer. You compile an exploit you read about on Slashdot, run the resulting executable, and voila!, you are dropped into a root shell. After a couple of seconds you realize that you have no ideas on what to do next. That's when it registers that you are not as "young" as you once were ...
If it has sensitive data on it, the Linux computer should be locked in a room. Physical access = ownership, every sysadmin knows that. Plan 9 terminals don't have passwords for user accounts, if you want access to privileged data you then have to authenticate with the dedicated authorization server. Linux is a 1960s OS, it boggles the mind people even still use it.
34 comments
[ 4.8 ms ] story [ 101 ms ] threadI probably own the machine. If the data on the storage is not encrypted, I own that too.
If I don't want to disassemble anything, I just plug in a liveUSB and it's all mine.
If the BIOS has USB/CD boot disabled? I pull the CMOS battery.
If that fails? The google probably knows the BIOS reset sequence for your board and soon so will I.
=======================================================================
Physical security is important too and FDE is not optional. [Even if you have nothing to hide]
If properly secured, physical hacking is not as easy as it used to be.
Anyway, want to gain access to the computer? Get a screwdriver.
That's true, but creating a root password in Ubuntu is child's play:
$ sudo passwd
(enter user password for sudo access to root privilege level)
(enter new password for root)
(re-enter new password for root)
Done.
> The default setup is to always require sudo to access root.
Yes, but this is a cosmetic distinction, not a basic one. Setting up a root password is always a few keystrokes away.
My point? Ubuntu isn't really different from other distros in this respect, it only appears to be.
This is exactly why everybody should be using full-disk encryption. It is ridiculously easy to set it up both on OS X (with FileVault) and Linux (with a plethora of options), and even on Windows machines. There is absolutely no reason why not to do this.
Edited.
Big-company encryption software cannot be trusted anymore. (If it ever could have been...)
Or did we need to get root access to the previous running OS? Be more specific in that case ;)
http://www.breaknenter.org/projects/inception/
Yes, that is actual working technology.
Just put glue in the firewire connector, you say? Well, for instance most laptops that can be docked are firewire-accessible through the docking port. The firewire interface is also reachable through a USB adapter. So you'd have to glue the USB ports shut as well. (Impractical). Even if you do all this, most motherboards have the FireWire interface enabled on a PCI level, even if there are no physical PCI ports on the computer. So against this attack you'd be pretty much hosed regardless, unless you use a chipset that explicitly doesn't implement FireWire.
Also, FireWire over USB is repeatedly mentioned as not working.
This is what we did to a number of machines at this year's SouthWest CCDC we were provided no login information for.