Boot from CD/USB etc risks

Discussion in 'other security issues & news' started by CloneRanger, Jan 25, 2012.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Jan 4, 2006
    A number of people surf using, for e.g., Live CDs & similar. In order to do this their BIOS has to be configured to allow such boot actions.

    It occurred to me that, it "might" open up the possibility of leaving your comp wide open to attacks, from someone using those vectors with Boot Tools etc.

    What are your thoughts about it, & how to prevent it?
  2. kareldjag

    kareldjag Registered Member

    Nov 13, 2004

    The main question is the persistence of the possible risks and threats.
    Of course, with a Live CD you're still vulnerable to all kinds of client/server side attacks that could occur during a session: web application (XSS and variants) and network (SSL MITM, DDOS, PDDOS, sniffing, wireless cracking etc.).
    And I do not talk about electromagnetic (TEMPEST) and acoustic emanations of screen and keyboards, and computer espionage via social engineering (hardware keylogger plugged in by a PC repair technician, or zoom camera on your screen from another flat etc.).

    Now for the risk of malware infection, rootkits for instance, there are possible attacks on BIOS and firmware, especially during an update.
    The subject is already documented for all kinds of firmware: BIOS, network cards, printers, motherboards...
    A recent example of a network card rootkit by a French team:

    But protection needs firstly to be statistically considered.
    And from my point of view, the most probable risk concerns mounted devices.
    In fact, when we surf via a Live CD, which is a read-only system, the main problem and challenge for the attacker or malware author is to make the threat/malware PERSISTENT.
    In this case, any mounted/plugged or connected device is enough with a simple autorun.
    That's why it's necessary to take care of that potential infection vector by a read-only policy for all devices (not always enough) and, better, to never connect any device during a session (no possible download storage).
    And it's difficult to circumscribe the subject in a few lines and minutes, but as I said, INSECURITY must be considered first by threats that could occur in an industrial way, not in a laboratory way.
    So a Live CD with a VPN connection and no connected device is statistically safe.
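
The "read-only policy for all devices" in the post above can be checked from inside the live session. The script below is an added example, not code from the thread or from any Live CD project: it reads a mounts table in /proc/mounts format (the path is a parameter so a saved copy can be checked as well) and reports every block device under /dev that is mounted writable, which is exactly where a persistent payload would have to land. The sample table used in the usage note is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Lists block devices that
# are mounted read-write inside a live session. Mounts table format is
# that of /proc/mounts: "<source> <mountpoint> <fstype> <options> <dump> <pass>".
# Assumption: real storage shows up as /dev/...; tmpfs/overlay/proc are ignored.

# Print "<device> <mountpoint>" for every /dev/* mount whose option list
# contains "rw" as a whole token (so "rw,relatime" matches, "norw" would not).
writable_block_mounts() {
    table="${1:-/proc/mounts}"
    awk '$1 ~ /^\/dev\// && $4 ~ /(^|,)rw(,|$)/ { print $1, $2 }' "$table"
}

# Return 0 (true) if no block device is mounted writable, 1 otherwise.
session_devices_ok() {
    [ -z "$(writable_block_mounts "$1")" ]
}

# Stand-alone use: check the live system and complain about any rw device.
if [ -z "${MOUNTS_DEMO_NO_RUN:-}" ] && [ -r /proc/mounts ]; then
    if session_devices_ok /proc/mounts; then
        echo "no block device is mounted read-write"
    else
        echo "writable block devices found (remount with 'mount -o remount,ro <mountpoint>' or unmount):" >&2
        writable_block_mounts /proc/mounts >&2
    fi
fi
```

On a constructed table such as `/dev/sdb1 /mnt/usb vfat rw,nosuid,nodev 0 0` next to `/dev/sda1 /mnt/hdd ext4 ro,relatime 0 0` and `/dev/sr0 /cdrom iso9660 ro 0 0`, only `/dev/sdb1 /mnt/usb` is reported. Note the caveat from the post: a read-only mount stops a plain file write, but not a raw write to the device node by a root process, so "never connect the device" remains the stronger rule.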

  3. J_L

    J_L Registered Member

    Nov 6, 2009
    Flash the BIOS. As for other hardware firmware, that'll be harder to reset.
  4. emmjay

    emmjay Registered Member

    Jan 26, 2010
    I use PuppyLinux from a USB flash drive as everything I use is loaded into RAM. All my PC devices (HDD etc) remain unmounted. I specifically chose Puppy as I travel a lot and use hotspot WiFi. I assumed that this would allow me to do what I needed to do while providing more security than I would get from using W7.

    When using Puppy I do not know if my system is open to rootkits/bootkits. I guess with the right tools a criminal could get to the physical layer and plant something vicious there ... I do not know. I am also not sure if they can load something onto the flash drive when I am using it. After all it is mounted for the session. It would be nice to know.
  5. Searching_ _ _

    Searching_ _ _ Registered Member

    Jan 2, 2008
    I have experienced running a Live CD and things writing to an empty/recently wiped but connected HDD. Kind of spooky when it happens. Most times, with a Live CD and nothing attached, they just dance in your memory looking for storage media.
  6. x942

    x942 Guest

    1) BIOS password
    2) HDD lock (can't be bypassed without a VERY expensive device, $7000 last I checked).
    3) Don't enable booting from USB; enable the "boot choice" menu. On mine it's F12. This allows you to select what to boot from but can't be accessed without the HDD lock password. The normal "boot from USB first" method doesn't require the HDD lock password to be entered.

    That's what I do. I also use FDE and store the /boot partition and MBR on a flash drive so I don't have to worry as much if someone does manage to boot. They can't Evil Maid me as the MBR isn't there anyway. (I also check it every boot with a SHA-256 hash against the hash of the known good MBR, on good ol' paper.)
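
The per-boot MBR check described in the post above, written out as an added example (this is not the poster's own script). It hashes only the first 440 bytes of the device or image, the boot code an Evil Maid attack would replace, and leaves out the disk signature (bytes 440-445) and the partition table (446-509), which legitimately change and would otherwise cause false alarms. The device path and the expected hash are assumed to be supplied by the user; the image used in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Verifies the MBR boot code
# of a disk or image against a SHA-256 recorded offline (e.g. on paper).
# Assumptions: coreutils dd/sha256sum are available; the caller passes the
# device (or image) path and the expected 64-hex-digit hash.

# Print the SHA-256 of bytes 0-439 of $1 (the MBR boot code only).
mbr_boot_code_hash() {
    dd if="$1" bs=1 count=440 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Compare the boot code hash of $1 with the expected hash $2.
# Returns 0 on match, 1 on mismatch (and prints the mismatch to stderr).
verify_mbr() {
    actual=$(mbr_boot_code_hash "$1")
    if [ "$actual" = "$2" ]; then
        echo "MBR boot code OK: $actual"
        return 0
    fi
    echo "MBR boot code MISMATCH on $1: expected $2, got $actual" >&2
    return 1
}

# Stand-alone use: verify_mbr.sh /dev/sdX <expected-sha256>
if [ $# -ge 2 ]; then
    verify_mbr "$1" "$2"
fi
```

To record the reference value, run `mbr_boot_code_hash /dev/sdX` once from a boot you trust and copy the output by hand; the check is only as good as the channel the reference hash travelled through, which is why the post keeps it on paper rather than on the disk being checked.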