reality game

you are a cellular modem in someone's computer. you have:
- 3.3V and 5V power rails, each capable of supplying 2A.
- two bidirectional RF ports with wideband antennas, capable of transmitting at up to 30 dBm.
- one 1.5 MBaud serial port to the host system, which is running mainline Linux and knows you are a modem.
- a 3x3x0.5cm module volume containing all your parts.
- internal capabilities which are unknown and thus, for the purposes of this game, assumed to be unlimited except by power and space constraints.

you want to break into your host system and exfiltrate your user's personal information to your cell service overlords. how do you do this?

your user does send Internet traffic through you, but they use a VPN.

you don't automatically know anything about the host machine that it doesn't tell you, so advanced DRAM refresh EMI pickup and similar techniques will require you to collect the necessary intel first.

we're guessing this situation actually looks pretty good for the user, since serial ports are generally pretty tough (no RDMA, well-developed drivers, etc)

unless it's a virtual serial port over USB, in which case you can probably magic yourself into a HID device and go nuts. uh oh,

estimated attack difficulty by port type

real serial port: very hard

usb serial port: dicey, but promising, especially if you have an evil human with a realtime uplink to do the hacking

PCIe: trivial, you have DMA

@diodelass I bet dram in SoC (die stacking) makes emi attacks like this basically impossible
@diodelass though, the domain of power-based attacks is pretty well understood. If you can get an adc onto the power rails you could potentially exfiltrate private keys from rail droop

Depends a lot on decoupling, though

The real bar you set is just making the hardware attack harder than finding another software vulnerability in your host's software stack, which is surprisingly easy

@diodelass i feel like 'internal capabilities assumed unlimited except for power/space constraints' is a little wide and maybe the best place to find a "solution" to the puzzle

@KitRedgrave this was just meant to mean "there are no design constraints on the internal circuitry apart from what's physically possible, since nobody is allowed to inspect the chip"

@diodelass You're a modem, wouldn't that mean you can query and exploit services only listening on localhost, but more trusting as a result? Would the kernel trust a modem that sends packets supposedly coming from ?
@diodelass Hmm, that might not work, as the response would never reach the modem, though that would be a way to send a one-way exploit.