On the Feasibility of Data Exfiltration with Storage-Device Backdoors (updated version: September 6, 2011)

Hardware backdoors are a substantial threat to today's information systems: they can evade today's malware detection mechanisms and survive software updates. Moreover, they are an increasingly likely threat because of extensive outsourcing of hardware manufacturing. While the feasibility of implementing backdoors in CPUs, PCI devices, and network components has been studied before, this paper investigates a new type of threat: a backdoor that leverages storage devices. We show that a remote attacker can exfiltrate data from a storage device in the absence of a direct communication channel and without a priori knowledge of the various layers (OS, applications, filesystem) between the attacker and the device. We implement such a backdoor to demonstrate the real-world feasibility of attacks. Our experiments show that /etc/passwd of a standard Ubuntu/Apache/PHP/MySQL installation can be remotely exfiltrated in 40 seconds. Consequently, we conclude that this attack vector should not be overlooked when assessing a system's security, and we discuss, e.g., encrypting data at rest to thwart such attacks.

For information regarding this Research Report, please contact publications@zurich.ibm.com

By: Anil Kurmus, Moitrayee Gupta, Ioannis Koltsidas, Erik-Oliver Blass

Published as: IBM Research Report RZ3806, 2011
