Aging Security Vulnerability Still Allows PC Takeover
Jackson writes "Adam Boileau, a security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password. By connecting a Linux machine to a Firewire port on the target machine, the tool can then modify Windows' password protection code and render it ineffective. Boileau said he did not release the tool publicly in 2006 because 'Microsoft was a little cagey about exactly whether Firewire memory access was a real security issue or not and we didn't want to cause any real trouble'. But now that a couple of years have passed and the issue has not resolved, Boileau decided to release the tool on his website."
The hard part is... (Score:3, Insightful)
(The only ones at my workplace are the two I put firewire cards in. Don't ask, it's complicated.)
Re:The hard part is... (Score:2, Insightful)
Hmmm... what a coincidence, laptops are also exposed to strangers carrying computers of their own, too. I wonder if this might have implications regarding the severity of this particular weakness...
Re:Breathtaking Arrogance or Stupidity? (Score:5, Insightful)
How about apathy? They'll wake up when and if they ever lose market share because of their shoddy product. I mean come on, if I can sell a Yugo at Escalade prices, why should I produce a quality product? That would be stupid. And if I could sell Yugos at Escalade prices I think my arrogance would be understandable and forgivable.
They've been selling an insecure OS for as long as PCs have been networked, why should they secure it now?
Re:Breathtaking Arrogance or Stupidity? (Score:5, Insightful)
It's all very well to say if someone has physical access all security is compromised. That doesn't mean you need to make it as easy and quick as possible. Now if you lock your computer and pop to the bathroom, a visitor could be in and out of your PC before you get back.
"If someone does plug into your port unexpectedly" (Score:4, Insightful)
"You see, this serious security problem was designed in from the start, so therefore... it's not a problem! Ta-da!"
Re:Interesting, but (Score:3, Insightful)
Here's the thing though: this requires physical access. That makes it a low-salience attack, because gaining that kind of access is only an iota easier than pointing a gun at someone's head and demanding their password.
Re:Physical access (Score:3, Insightful)
That's certainly not true. To use one of a huge multitude of examples, students at my school had physical access to the machines in the computer lab, but it would definitely be a problem if they installed a keylogger to sniff other students' passwords.
Re:Physical access (Score:3, Insightful)
Yes, this is all very "shocking." This is the Slashdot equivalent of CNN playing that lock-pick video over and over again.
Re:Breathtaking Arrogance or Stupidity? (Score:4, Insightful)
Did you read the article or did you just check the headline and decide to try to get cheap mod points? I'll point out why you don't deserve them.
'Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.'
Now maybe this was just excuses, but the fact it came from a third party with no particular connection to MS should have made you pause for thought. Even if you don't know much about FireWire, it would take you moments to do a quick search and actually realise this is a 'feature' of the actual specification itself. As in _every_ O/S had the same problem. Linux, OSX, even BSD were using this exploit even before MS were cracked. There are still reports of new OSX and Linux systems being hacked by FireWire right into 2008. (Though admittedly I've not heard much from BSD, probably because their admins tend to actually have a clue.)
This is a universal flaw in security stemming from naivety with regard to externally connected hardware. You want secure firewire, disable it when you are not using it yourself. That goes for any system, any O/S, any person. End of story.
Wow? (Score:-1, Insightful)
It's a FireWire vulnerability, NOT a Windows vulnerability. On most hardware, there is nothing Windows can even do to prevent this attack. If your cheapo FireWire card allows other devices to directly issue DMA requests, then you're fucked and Microsoft can't do anything about it.
The solution is not to use FireWire, or to use a card which restricts access to memory regions approved by the device driver, or to somehow disable the FireWire card when you're not using it.
And as other posters have repeatedly mentioned, if the attacker has physical access to your box then you are in for a world of hurt anyway. This FireWire "feature" is the clearest example of that I have ever seen.
Re:Who cares? (Score:3, Insightful)
You're wrong on two counts.
One, this is an outlet for "news for nerds". As unfathomable as it might seem to you, there are nerds who are into Windows. Some even by choice.
Two, this is not a Windows vulnerability. It is a FireWire vulnerability -- actually, a FireWire design flaw. It is possible that the OS could be careful enough to prevent this kind of thing, but none of the current OSes are:
I honestly can't say about Syllable or FreeBSD, but I know that neither Linux nor OSX have fixed this issue. There is an unstable fix for Linux, but it breaks some hardware.
The recommended fix, in all cases, is to disable your FireWire port when you're not using it.
So does complaining about a story merely because it discusses a Windows vulnerability. Maybe not everyone saw this as an excuse to point and laugh at Microsoft? Maybe only you did?
Physical Control = Game Over (Score:3, Insightful)
There are dozens of other ways to compromise a PC (Windows or not) if you can sit down in front of it. Even if you don't have to reboot with this, or can sniff enough stuff to log in remotely later across the internet...
This is why the server room and racks are locked; it's really, really hard to defend against someone who has physical access and a bit of time/knowledge to use to evil ends.
Sure, it's creative but come on...
Re:The hard part is... (Score:1, Insightful)
Alarm systems only detect, and then they only detect those stupid enough to be detected.
Posting anonymously to protect my career.
Re:The hard part is... (Score:4, Insightful)
If they could access the firewire port via an internet connection, THEN I'd consider this a leak.
You could also tweak the system by opening the case and removing the hard drive, or just attaching a thumb drive and copying all the data.
Re:Breathtaking Arrogance or Stupidity? (Score:5, Insightful)
If you have an IOMMU (e.g. on a decent Sun workstation), you can set up page tables for each device so that they DMA into a virtual address space. Your driver can then define regions which the device can access transparently. On newer AMD chips, you have a Device Exclusion Vector (DEV). The DEV is a sort of IOMMU-lite. It performs access control, but not translation. This means that the host OS (or driver) can mark each page of physical memory as read / write accessible on a per-device basis. On these machines, a well-designed OS or driver could prevent these attacks.
On other systems, it is not possible to prevent this attack. It's also a known problem on FreeBSD and OS X. OpenBSD does not implement FireWire support for the explicit reason that it is impossible to do securely on most systems.
Re:Physical access (Score:3, Insightful)
The only saving grace is that someone must be physically present to plug in a device. This is still an issue though; imagine how many machines might be pseudo-public terminals, locked down (w/o epoxy in the firewire ports), but are so easily own-able, allowing people to install keyloggers?
Doesn't matter (Score:5, Insightful)
The correct solution would be to map the FireWire address space into virtual memory, but this has to be done at the hardware level.
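The per-device page tables and DEV-style access bits described in the "Breathtaking Arrogance or Stupidity?" reply above, and the address-space mapping this comment calls for, as an added toy model in C. It is illustration code, not anything from the thread or from a real driver or chipset; the page counts, device ids and the two check functions are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PHYS_PAGES 64   /* constructed: toy physical address space, in pages */
#define DEV_PAGES  16   /* constructed: size of each device's I/O address space */
#define MAX_DEVS   4

/* DEV-style protection: access control only, no translation. One read
 * bit and one write bit per (device, physical page) pair. */
static uint8_t dev_rd[MAX_DEVS][PHYS_PAGES];
static uint8_t dev_wr[MAX_DEVS][PHYS_PAGES];

/* IOMMU-style protection: a per-device page table that translates a
 * device-visible page into a physical page; -1 means "not mapped". */
static int iommu_pt[MAX_DEVS][DEV_PAGES];

/* Start from "deny everything": no DEV bits set, no IOMMU mappings. */
void protection_reset(void) {
    memset(dev_rd, 0, sizeof dev_rd);
    memset(dev_wr, 0, sizeof dev_wr);
    memset(iommu_pt, 0xff, sizeof iommu_pt);   /* every int becomes -1 */
}

/* The driver grants a device one physical page (e.g. a DMA buffer it owns).
 * Both schemes record the grant; the IOMMU model also places the page at
 * the next free slot of the device's own I/O address space. */
void driver_grant(int dev, int phys_page, bool writable) {
    dev_rd[dev][phys_page] = 1;
    dev_wr[dev][phys_page] = writable ? 1 : 0;
    for (int i = 0; i < DEV_PAGES; i++)
        if (iommu_pt[dev][i] < 0) { iommu_pt[dev][i] = phys_page; return; }
}

/* DEV check: the device names a physical page directly and the hardware
 * only answers allowed / not allowed. Anything never granted is denied. */
bool dev_dma_allowed(int dev, int phys_page, bool write) {
    if (dev < 0 || dev >= MAX_DEVS || phys_page < 0 || phys_page >= PHYS_PAGES)
        return false;
    return write ? dev_wr[dev][phys_page] != 0 : dev_rd[dev][phys_page] != 0;
}

/* IOMMU check: the device addresses its virtual I/O space and the hardware
 * translates. Returns the physical page, or -1 when nothing is mapped there,
 * so host memory outside the granted window is simply unreachable. */
int iommu_translate(int dev, int dev_page) {
    if (dev < 0 || dev >= MAX_DEVS || dev_page < 0 || dev_page >= DEV_PAGES)
        return -1;
    return iommu_pt[dev][dev_page];
}
```

The contrast with the unprotected case is that a card with no such check would carry every request through to any physical page.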