February 22, 2012

Verification of claims made in Security Domination via Hard Drive Isolation!

Since late 2009, I've been on a roadshow called Security Domination via Hard Drive Isolation, discussing the emerging Desktop-on-a-stick, PC-in-your-pocket and other USB-based mobility and security approaches.  The niche emerged before the iThings craze really came to a full roar and is still today actively pursued as a valid approach for many use cases, including secure telework and remote access, disaster recovery and more.

There are several players in the USB hardware space that claim high-security encryption, some with a FIPS 140-2 level 3 validation from NIST.  I would generally trust these USB sticks to carry files around, as a sort of secure briefcase, from one trusted machine to another, or as a backup media that's pre-encrypted. 

Once the vendors in question start making claims that move past the secure briefcase use case, I start getting a bit concerned as to the nature of security they can provide. 

There are two schools of thought in this niche: Bootable (boot to a clean OS) vs. Bubble.  The bubble variety (by far the most common) is inherently less secure than the bootable variety against software-based malware, since the bubble relies on various mechanisms that claim to defeat malware already resident on the host machine's disk and OS (usually Windows).  In my mind, this is a losing proposition, considering the sophistication of the malware we're seeing out there and the pace of evolution that the 'authors' have demonstrated. 

While I've always been in awe of some of the mil-spec sticks' resistance to physical destruction, there are some claims they make regarding the security of their extended product lines that I've challenged in the Security Domination talk.  I specifically called out untrusted host OS keystroke-logging and screenshot-grabbing (yes, that's a term) as a problem in the bubble space.  Furthermore, I called out that the claim that the virtual (on-screen) keyboard solves the problem would inevitably be demolished.

Turns out that sick, er, great minds think alike!  I just found this YouTube video from April 2010 that challenges the virtual keyboard security claims by demonstrating the logging of USB key unlock passwords, including those entered via the virtual (on-screen) keyboard. 

Here you go: the virtual keyboard is not as secure as we'd like it to be.

http://www.youtube.com/watch?v=B5mJEhg1HtU

This type of malware is (to be uncharacteristically mild) problematic for the high-security USB vendors who claim to solve several malware-related security problems without booting to a clean OS. 

Not to put too fine a point on it, please understand this:  if you insert a USB key into a USB port on an untrusted machine and you do not boot into a clean alternative OS, but instead piggyback onto the untrusted, pre-pwned OS on the host machine... well then, you're putting the unlock password (and any other work you perform from the USB key's virtual OS) at risk from software keystroke loggers, screenshot grabbers and the like.

PS Hardware keystroke loggers are a related but different issue and are not in the scope of this discussion.
