This was very well written and an amazing challenge but my brain is wired to that "hacking common sense" that if you have physical access then it's already over...
the first thing that came to my mind was that, if you have physical access, then you can reflash the BIOS, install a driver backdoor, you can boot a live OS and then it's just a matter of tampering /etc/{passwd,shadow,groups, etc} ...
but I remembered that most of the physical access hacks would not be possible if the disk is encrypted.. which then makes this kind of hack enormously attractive.
The antenna idea can be extended to be a piece of hardware with the interference device built-in (piezo or whatever) which communicates with the external world with any wireless medium and then the attacker can trigger the interference remotely. This, plus a website controlled by the hacker which the victim is scammed to visit can be enough to make it viable.
The motivation in the introduction is rooting/jailbreaking a handheld game console. I think this is a perfectly plausible situation where you have physical access but still want to obtain "unauthorized" access.
AFAIC, reflashing BIOS won't give you anything, you need to sign it first with proper private key which is checked by the CPU hardware before execution begins. This EMI trick fools CPU itself and I cannot see how it can be fixed, unless new paging algorithm is invented.
This specifically is trivially defeated by ECC, though it wouldn't be that much harder to instead flip 3 bits and ECC would be unable to help. ECC has very poor penetration outside the server world though, so we're still safe. For now.
I've thought a little bit more about this case and came to conclusion that to mitigate this attack paging agorimths can be improved by using redundancy and CRC checks with not too much overhead. Yet it takes a lot of work and investment, so it won't happen any time soon. Yes we are safe for now.
> I remembered that most of the physical access hacks would not be possible if the disk is encrypted..
Only if you have not booted into your system through using a keyfile or a passphrase to decrypt the data, i.e. if your PC is shut down. I have full disk encryption, and when I boot into my system, it uses the keyfile with which it would perform the decryption, and boom, I have my PC ready to be accessed physically.
but I remembered that most of the physical access hacks would not be possible if the disk is encrypted.. which then makes this kind of hack enormously attractive.
The antenna idea can be extended to be a piece of hardware with the interference device built-in (piezo or whatever) which communicates with the external world with any wireless medium and then the attacker can trigger the interference remotely. This, plus a website controlled by the hacker which the victim is scammed to visit can be enough to make it viable.