Stealing LUKS Keys via TPM and UUID Spoofing in 10 Minutes - BSides 2025

Transcript

1. Stealing LUKS Keys via TPM and UUID Spoofing in 10

   Minutes

2. 2 Who am I Nikita Gnilozub- Volobuev Senior Reverse Engineer

   of Banking Systems Security Research Department, PT SWARM

3. 3 Positive Technologies Web and desktop • Security assessment of

   online banking web applications • Vulnerability assessment of desktop applications (thick clients) ATMs and POS • Security assessment of ATMs (software, firmware, OS configuration, etc.) • Security assessment of POS terminals Mobile • Security assessment of mobile banking applications • Security assessment of APIs (mobile app–server communication) Dedicated 💵 banking 💵 team

4. 4 Users and their security

5. 5 Hardware Boot process 1. Boot UEFI Boot Process- UEFI

   CPU in Protected Mode UEFI Phases Initialize firmware Initialize low-level hardware Load and execute EFI drivers GPT / MBR Boot Loader Early OS Kernel Init Full OS Kernel Init User Mode Processes UEFI Services Decrypt disk Transfer control to OS Kernel services 2. Start bootloader 3. Boot system

6. 6 Bootloader – What is it? 1. EFI Boot stub

   2. GRUB 3. rEFInd 4. systemd-boot 5. Unified Kernel Image

7. 7 Trusted Platform Module (TPM) Firmware Code Option ROM Driver

   Firmware Configuration Option ROM Configuration Information Code Configuration Device Non-Host Firmware OS Kernel OS Loader UEFI Services (Boot, Runtime) Boot Variable Secure Boot Policy Embedded UEFI Drivers SMM BoardInit Firmware Support Pkg SMBIOS Table ACPI Table Microcode Platform Configuration Chassis Table of Devices GPT System Partition OS System Firmware Hardware PCR2 PCR2 PCR0 PCR0/2 PCR1/3 PCR3 PCR3 PCR4 PCR3+ PCR0 PCR0 PCR1 PCR0 PCR0 PCR1 PCR1 PCR1 PCR7 PCR1 PCR1 PCR1 PCR1 PCR5

8. 8 Trusted Platform Module (TPM) PCR Description PCR9 Initrd and

   EFI options PCR11 Unified kernel image PCR14 SHIM MokList PCR15 LUKS volume header

9. 9 Common setup PCR Description PCR0 Firmware version PCR7 SecureBoot

   state PCR9 Initrd hash and EFI Load Options PCR11 Unified kernel image hash PCR14 SHIM MOK list By default: 0, 7 Rarely: 9, 11, 14

10. 10 Stealing is possible?.. Five simple steps to steal 1.

    Dump partition 2. Dump LUKS header 3. Create fake evil partition with dumper header of original LUKS partition 4. Replace original partition with our fake evil partition 5. Boot!

11. 11 Real protection Just use PCR15 Or you can use

    TPM-access password

12. 12 Proof of Concept

13. 13 Proof of Concept

14. 14 Proof of Concept

15. 15 Proof of Concept

16. 16 Conclusion Every system need carefully man read :)