No Security Without Physical Security

By Larry Seltzer  |  Posted 2003-03-13

No Security Without Physical Security

Very often well hear reports about a serious security vulnerability. We look into it, and theres a catch: In order to execute the attack, physical access to the computer is necessary.

You can safely ignore these alleged vulnerabilities: Without physical security, no system is secure.

If I can open the computer, I can remove the hard disk, put it in as the second drive in another computer and read the contents of the disk. Bye-bye, security. But its not usually necessary to open the box. I can boot the system off a floppy disk or CD-ROM and read the hard disk that way. Given such access, there are commercial and free tools available that can reset the Administrator password on the installation of Windows NT, Windows 2000 or Windows XP - gaining access to a Win9x system is even easier. (The existence of these tools is a good thing; administrators need to be able to access systems where the passwords are forgotten or changed for malicious purposes.)

But even thats not necessary; if you can boot off the floppy or CD, you can install a second copy of Windows on the hard disk and run that to analyze data on it.

This point is very important when considering whether attacks represent vulnerabilities in the computers operating system: If I boot the system off the floppy or CD-ROM, the operating system on the hard disk is not running. Its just a bunch of files.

Your only potential protection when physical security is breached is to use an encrypted file system, such as Windows 2000 Pro and Windows XP Pros EFS. (See this article on the SecurityFocus Web site for a good explanation of encrypting file systems.) No operating system (to my knowledge) employs such a file system by default.

The most recent such case of significance was an allegation by a famous writer that one could break into a Windows XP system by booting off a Windows 2000 CD and running the Recovery Console. The Recovery Console is a special console mode OS used to repair Windows 2000 and Windows XP. You run it by installing it to the hard disk and booting into it, or booting it directly off the Windows installation CD. See this Microsoft Knowledge Base article for a description of the Recovery Console, and this one for a description of the Windows XP Recovery Console.

Mountains Out of Security


Mountains Out of Security Molehills

This particular alleged vulnerability was always less than it seemed: The Recovery Console is a very restrictive environment. You cant access the network; you cant run programs; contrary to what the original report asserted, you cant copy files to or from the hard disk. The only real news was that the exploit did uncover some behavior that was unexpected; if you run the Windows 2000 Recovery Console on Windows 2000 or the Windows XP Recovery Console on Windows XP, it will ask you for a password. Perhaps the Windows 2000 Recovery Console cant read the local Windows XP SAM (the user information database) and, as the point of the Recovery Console is to let you repair damaged systems, it lets you in.

But any operating system is just as vulnerable. With any version of Linux or *BSD, I could boot off a floppy or CD and gain access to the contents of the hard disk. Solaris at least used to include a "single user mode" into which one could boot the system and access anything on the hard disk, including changing the passwords for normal boots.

There are other things you can do to add some extra measure of protection to a machine to which an attacker may get physical access. If you set the BIOS password, the user will have to enter it before any operating system is booted. This method isnt foolproof; some BIOS have hard-coded backdoor passwords (see this page for a list and further discussion of BIOS passwords), and the password doesnt prevent someone from pulling the hard disk from the system. There are physical locks you can buy that make it harder to open the case, but I think we all know that the right tools can dispense with any lock in short order.

So when considering the seriousness of an attack, its important to put it into perspective: What does this attack presume about access to the system? If it requires that the user have physical access, then the barn doors already open, and the horse is in the glue factory.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Rocket Fuel