a blog about things that I've been thinking hard about

Ten Ways LiveCD Security Could Fail

19 October, 2007
for the truly paranoid online banking customer

Doing internet banking on a computer booted from a CD should be pretty secure.

But, no security system is foolproof.

There are at least nine ways it could go wrong.


Background: Booting from a LiveCD to do Secure Internet Banking

As I have written elsewhere, using a LiveCD is currently the simplest and most robust way of doing Internet banking securely.

In this article I listed some of the things that need to be done to make LiveCD Internet banking as easy as possible for as many Internet users as possible.

Even though using a LiveCD is way better than the "mainstream" bank-recommended alternative (i.e. do Internet banking just like all your other web surfing while remembering to "be careful"), no security system is foolproof. So I have decided to find all the ways I can think of that LiveCD security could fail.

I'll see if I can get to ten. Some of the following items may not necessarily be actual security holes – they just reflect my inability to be sure that they are not security holes.

Just to recap, here is the required procedure to do Internet banking securely with a LiveCD:

For the purpose of explaining some of the items in the following list, I will make the pessimistic assumption that a nasty virus is installed on the hard disk of your computer, controlled by criminals who have the explicit intention of stealing money from your bank account.

And to avoid making it too easy to get to ten, I am not considering security holes caused by corruption of external systems, whether it be your ISP, your bank, or the website you downloaded a LiveCD image from.

The List of Ten Ways

1. Not using the LiveCD
This is like the number one cause of condom "failure", which is not bothering to use the condom at all. In other words, you set up the LiveCD, you worked out how to use it to do your Internet banking, and then when the time came, you were in a hurry and you couldn't be bothered to go through the procedure of rebooting, waiting for startup, doing the banking and then rebooting again. So you just did your Internet banking from a browser running inside Windows.

2. Malware in the LiveCD
The easiest way to make a LiveCD is to download an ISO image from the Internet, burn it to a CD and then try it out. If malware is on the system you are using to do the downloading and the burning, then the malware might be able to insert a copy of itself into the downloaded image or onto the recorded CD.

3. Using the wrong password, especially with separate read-only/write logins
One way to make Internet banking more secure without always having to do the reboot procedure is to have a second login with limited privileges, for example able to read account history and do intra-account transfers only. But this means you then have two passwords, so you have to make sure that the password for the privileged account is never entered into the system during normal web surfing.

4. The computer fakes a reboot
There is a bit of a "race" condition when you switch the computer on and you have to insert the CD before the normal boot process starts. Extra nasty malware might be able to detect right at the beginning of the boot process that you have a CD inserted, in which case it could then pretend to do a direct boot from CD, but actually do a corrupted version of the CD boot process.

5. The computer fakes a shutdown
Depending on how you shut the computer down, malware might hijack this process and just pretend to shut down. Then when you insert the LiveCD and restart, the computer that only pretended to shut down can also pretend to reboot from the CD.

6. Malware in the BIOS
The security of booting from a LiveCD does depend on the integrity of the computer's hardware and "firmware". The more paranoid among us may suspect that, in making it as easy as possible for users to re-flash their BIOSes, the manufacturers of computer systems have left us vulnerable to viruses that want to do their own nefarious re-flashing.

7. The LiveCD gets written to when inserted into the computer at the wrong time
You might assume that once a CD has been recorded and "closed", it is effectively read-only. But is this absolutely true? How much of the logic of sessions and disks being "closed" is controlled by hardware and how much is controlled by software? Is it possible for a recorded disk to be re-recorded in enough places to give it a different functional boot image? In following the LiveCD reboot procedure, you might insert the LiveCD into the CD drive before the current OS has been shut down. If there is some way to write to or alter a "closed" disk, this would give installed malware the chance to do so.

8. Your router gets corrupted
Many of us have a home network with at least one router in it. Typically you administer a router by logging into it from a PC via a web interface. So your router is at the mercy of any malware installed on your PC. If your Internet banking is not properly protected from "man-in-the-middle" attacks (i.e. with HTTPS and digital certificates), you could be in trouble.

9. Linux swap partitions
Often Linux LiveCDs are preconfigured to use a swap partition on the hard disk if one is available. If your banking login password gets written to memory which is then swapped out, it will be sitting there ready for the malware to read it next time you boot off the hard disk.

10. ?
Sorry, I ran out of ideas. Any and all suggestions are welcome.
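Two of the items above (2 and 7: a tampered image or a disc that has been altered after burning) and item 9 (swap on the hard disk) can each be checked with a few lines of shell. The following helpers are an added example, not part of the original post; they assume GNU coreutils (sha256sum, head -c) and a Linux /proc/swaps layout, and the checks are only meaningful when run from a system you already trust (for instance the booted LiveCD itself, before logging in to the bank).

```shell
#!/bin/sh
# Added example helpers (hypothetical names, not from the original post).

# Check the downloaded ISO against the SHA-256 value the publisher lists.
# Returns 0 if they match, 1 otherwise.
verify_iso() {
  iso="$1"; expected="$2"
  actual=$(sha256sum "$iso" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Compare a burned disc (or any block device) against the ISO it was made
# from. Only the first <ISO size> bytes of the device are hashed, because
# optical drives commonly return padding past the end of the recorded
# session, which would otherwise make every comparison fail.
# Returns 0 if the disc still matches the image, 1 if anything differs.
verify_burn() {
  iso="$1"; dev="$2"
  size=$(wc -c < "$iso")
  iso_sum=$(sha256sum "$iso" | cut -d' ' -f1)
  dev_sum=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)
  [ "$iso_sum" = "$dev_sum" ]
}

# Print the device name of every active swap area, reading /proc/swaps
# formatted text from stdin (first line is the column header).
# On a LiveCD used for banking this should print nothing; if it does not,
# "swapoff -a" as root before entering any password.
active_swaps() {
  awk 'NR > 1 && NF >= 3 { print $1 }'
}
```

Typical use on the booted LiveCD: `active_swaps < /proc/swaps` and `verify_burn /path/to/image.iso /dev/cdrom`.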
