Blog: Internet Of Things

Can Linux really be owned by holding the Enter key?

Ken Munro 16 Nov 2016

ownI’ve just read that apparently, any attacker can compromise a Linux box by holding down the Enter key for 70 seconds, which gets a root initramfs shell. The full write-up from researchers Hector Marco and Ismael Ripoll is available here.

Maybe I missed something but this is sounding like non-news to me…. having physical access allows you to get a shell, all Linux admins know and use this.

They say you can decrypt the disks using this, but what they mean is that you have the tools to do so, not necessarily the keys, unless they’re kept insecurely on the initramfs, which is silly.‎ You could certainly destroy data on local storage devices.

Encrypted vs. non-encrypted

On a Linux encrypted disk you won’t get far in an initramfs environment in terms of getting to the data.

On a non-encrypted disk you‎ can get to the data, but you could also get to it without this trick. If the bootloader is unlocked (which it normally is) then getting a shell in the initramfs is a feature. Sometimes even if it isn’t locked this is offered as a rescue/recovery/debugging feature.

There are no protections around initramfs, no code signing, no expectation of integrity. It’s contents are kept in RAM and deleted when the OS starts off the main partition.

If the vector was instead the ability to implant something persistent on the initramfs which could somehow influence the OS once booted off an encrypted partition, that would have been extremely interesting.