Talk Title: Stolen Laptops - From physical access to internal networks :: A brief overview of modern physical access attacks against UEFI, PCI Express, BitLocker and more!

Talk Abstract:
Laptops have become ubiquitous in modern times. An all but guaranteed organizational asset that quite literally holds keys to the kingdom, in every employee's hands. For an attacker, what's not to love? From large government organizations to fortune 500 companies, these assets are constantly on the move and often poorly secured against advanced threat actors seeking to extract their secrets. Trust me, encryption at rest is not the all encompassing shield it was once made out to be. With the evolving security landscape and ever-changing tactics of adversaries, it is absolutely critical to perform regular threat emulation in order to test countermeasures against these attack vectors.

This talk will showcase methodologies used by our offensive security teams to penetrate well-hardened laptops during these types of engagements. We begin by exploring the potential impact that a compromised laptop can have on an organization, briefly discussing potential lateral movement through extracted domain credentials, tickets, certificates, cookies, and sensitive data. After exposing the audience to the potential risk, we will discuss real attack vectors, with examples and video demos. No Credentials? No problem. We push the envelope to the limit of what can be realistically expected of next-generation adversaries.

We will explore together direct-memory access attacks, the physical and logical implementations of these techniques, defenses, bypasses, and more. On the menu is an overview of PCI Express technology, DMA hardware including FPGA boards and what we do with them, practical demonstrations of attacks against modern laptops, countermeasures introduced by hardware vendors to protect against these attacks, and ways that attacks circumvent these protection mechanisms. We will discuss BIOS/UEFI security, how it relates to DMA, and how we exploit pre-boot environments to gain access to a computer. This includes showcasing physical attacks against BIOS EEPROM chips using a universal programmer.

Finally, we will talk about encryption at rest, specifically BitLocker, TPMs, and the potential implications of using these technologies for attackers, with a focus on why these are not sufficient for preventing attackers with physical access from compromising a PC. Of course, we will discuss proper configuration that can limit or eliminate these attack vectors as well! The talk will touch upon the expertise that Bell Canada STIRT team brings to adversary emulation services in general, and showcase some R&D that has arisen due to our involvement in this space. We will discuss open source tooling such as PCILeech, MemProcFS, UEFITool, etc, and some closed source tooling including XGPro.