
Another commenter mentioned DMA, so I'll expand on that.

If the device has only USB, network, and display outputs, not a lot. Modern systems are pretty hardened with this config.

However, if it has Thunderbolt, ExpressCard, PCMCIA, or even FireWire, it's hosed.

This kind of attack has been highly researched by intelligence, for example the 'Sonic Screwdriver' attack revealed in 2017 [1] targeted Macs by tampering with boot parameters, and was installed over Thunderbolt.

There have also been some PoC exploits for extracting BitLocker encryption keys out of memory using FireWire [2], though I'm not sure those have ever been widespread attack vectors.

Basically, the old adage still holds up - physical access is full access. The only thing you can really do is fill up any ports that could be used for DMA side-channel attacks with epoxy, then hope nobody attacks your TCP stack or USB controller...

---

[1] https://arstechnica.com/information-technology/2017/03/new-w...

[2] https://support.microsoft.com/en-ca/help/2516445/blocking-th...

There's some leniency to be given with the newer versions of Thunderbolt. On many Windows machines, and given that it's configured correctly, a TB device has to be explicitly allowed to access anything other than USB and Display modes.
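The two comments above raise the same practical question from opposite ends: which ports on a machine can reach memory over DMA, and whether the firmware and OS actually require a Thunderbolt device to be explicitly authorized before a PCIe tunnel is built for it. The script below is an added example, not code from either commenter; it shows how to answer that question on a Linux host by reading the kernel's Thunderbolt sysfs ABI (the `security` level per domain, the `iommu_dma_protection` flag on newer kernels, and each device's `authorized` attribute). The function names, the risk labels, and the fixture tree it builds for offline runs are my own assumptions; the sysfs paths and attribute values follow the kernel's documented ABI.

```shell
#!/bin/sh
# Added example (not from the HN thread): audit a Linux host's Thunderbolt
# security level and device authorizations via the kernel's sysfs ABI.
# Assumed ABI (Documentation/ABI/testing/sysfs-bus-thunderbolt):
#   <root>/bus/thunderbolt/devices/domainN/security
#       none | user | secure | dponly | usbonly | nopcie
#   <root>/bus/thunderbolt/devices/domainN/iommu_dma_protection  (0/1, newer kernels)
#   <root>/bus/thunderbolt/devices/<route>/authorized
#       0 = not authorized (no PCIe tunnel), 1 = authorized, 2 = authorized + key
#   <root>/bus/thunderbolt/devices/<route>/device_name

# Read one sysfs attribute, or print a default when it is absent.
tb_attr() { cat "$1" 2>/dev/null || printf '%s\n' "$2"; }

# tb_security_level ROOT DOMAIN -> prints the domain's security level.
tb_security_level() {
    tb_attr "$1/bus/thunderbolt/devices/$2/security" unknown
}

# tb_domain_risk ROOT DOMAIN -> high | medium | low | unknown  (labels are mine)
# "none" auto-authorizes every device (the classic DMA scenario) unless the
# IOMMU is enforcing; "user"/"secure" require explicit authorization before a
# PCIe tunnel is created; the remaining levels never tunnel PCIe at all.
tb_domain_risk() {
    level=$(tb_security_level "$1" "$2")
    iommu=$(tb_attr "$1/bus/thunderbolt/devices/$2/iommu_dma_protection" 0)
    case "$level" in
        none)                  [ "$iommu" = 1 ] && echo low || echo high ;;
        user|secure)           echo medium ;;
        dponly|usbonly|nopcie) echo low ;;
        *)                     echo unknown ;;
    esac
}

# tb_list_devices ROOT -> one line per device: "<route> <authorized> <name>"
tb_list_devices() {
    for d in "$1"/bus/thunderbolt/devices/*; do
        [ -f "$d/authorized" ] || continue
        printf '%s %s %s\n' "$(basename "$d")" "$(cat "$d/authorized")" \
            "$(tb_attr "$d/device_name" '?')"
    done
}

# tb_count_authorized ROOT -> number of devices with a PCIe tunnel allowed
tb_count_authorized() {
    tb_list_devices "$1" | awk '$2 != 0 { n++ } END { print n + 0 }'
}

# tb_audit ROOT -> human-readable report for every domain and device.
tb_audit() {
    for dom in "$1"/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        name=$(basename "$dom")
        printf 'domain %s: security=%s risk=%s\n' "$name" \
            "$(tb_security_level "$1" "$name")" "$(tb_domain_risk "$1" "$name")"
    done
    tb_list_devices "$1"
}

# tb_make_fixture DIR -> constructed sysfs tree (not a real machine) so the
# audit can be exercised offline: one domain in "user" mode with no IOMMU
# protection, one authorized dock and one unauthorized unknown device.
tb_make_fixture() {
    base=$1/bus/thunderbolt/devices
    mkdir -p "$base/domain0" "$base/0-1" "$base/0-3"
    echo user > "$base/domain0/security"
    echo 0    > "$base/domain0/iommu_dma_protection"
    echo 1    > "$base/0-1/authorized"; echo "Example Dock"    > "$base/0-1/device_name"
    echo 0    > "$base/0-3/authorized"; echo "Unknown adapter" > "$base/0-3/device_name"
}

# Usage: sh tb_audit.sh            -> audits the live host under /sys
#        sh tb_audit.sh /some/root -> audits a fixture tree instead
tb_audit "${1:-/sys}"
```

Run it without arguments on a laptop to see whether the controller is in `none` (every plugged-in device gets a PCIe tunnel, which is what the epoxy advice in the first comment is guarding against) or in `user`/`secure` (the explicit-allow behaviour the second comment describes), and whether any device is already authorized; point it at a directory produced by `tb_make_fixture` to try the logic without Thunderbolt hardware. The Windows equivalent is the "Kernel DMA Protection" line in msinfo32 plus the Thunderbolt security level set in firmware, which this script does not read.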