Aging Security Vulnerability Still Allows PC Takeover
Jackson writes "Adam Boileau, a security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password. By connecting a Linux machine to a Firewire port on the target machine, the tool can then modify Windows' password protection code and render it ineffective. Boileau said he did not release the tool publicly in 2006 because 'Microsoft was a little cagey about exactly whether Firewire memory access was a real security issue or not and we didn't want to cause any real trouble'. But now that a couple of years have passed and the issue has not resolved, Boileau decided to release the tool on his website."
Re:host memory! (Score:4, Interesting)
Actually, what do I know? But I do believe that Firewire doesn't have the concept of host and slave nodes. All nodes on a Firewire network are equivalent AFAIK.
If it were necessary to explicitly allow direct memory access on a node whenever it was requested, you would not be able to plug a Firewire cable into a control-less box (for example) and do things with it, without first accessing the control-less box through a non-Firewire method to enable Firewire DMA.
Anyway, that's my ignorance on the subject. And as Adam Boileau says, it is a Feature, not a Bug. It is intended behaviour, so there must be a good reason (even if it is not the above).
Up to a point. (Score:3, Interesting)
A lot of workplaces will have physically secured machines but nonetheless with ports open. People might notice if you remove a server from a rack to access its insides, but just plugging in a cable?
Yes, of course, not that many machines have firewire and servers are even rarer (although my pc has a port), but still, there is a major difference between the access needed to open a PC and get its HD and just plugging in a cable.
See it as the difference between having to steal secret documents and being able to copy them at the spot.
If this tool indeed works in seconds then that is a lot faster than opening up a PC, taking out its HD, installing it in another machine, breaking its security, reading the contents you want (which at this point would give you only the contents on the HD, not the network), re-installing it and closing the cover and removing every trace of your access.
A lot of security is about inconvenience. Safes ain't rated for being unbreakable, but how long it takes to open them. ANY safe can be opened, the trick is making the process take so long that it can not be done without being found out. Thanks to MS, breaking its security has just become a lot more convenient.
Re:Breathtaking Arrogance or Stupidity? (Score:5, Interesting)
Re:Also affects OS X and linux (Score:3, Interesting)
Not to say it should not be patched in all systems, but surely this would have had to be written into the driver deliberately for it to work, so the real question is why firewire requires direct access to the system memory (and potentially passes this onto the external device) when USB does not?
Re:host memory! (Score:5, Interesting)
Probably for lower overhead (Score:5, Interesting)
Well, if Firewire has the same capability, it would explain why it is much lower overhead than USB, but it would also allow for things like this.
In general, DMA is probably something that needs to be looked at being cleaned up/reworked. It is a non-trivial cause of system instability: hardware goes nuts (or maybe a driver orders hardware to do something stupid), craps on memory it shouldn't, system goes down. However anything like that is going to take a back seat to performance, at least in regular PCs. As nice as it would be to have the CPU fully in charge of everything, people aren't going to put up with it if it means a 10x drop in performance.
Re:Physical access (Score:5, Interesting)
In the case of most hardware with mid-to-high physical security you need some 15 minutes of totally unsupervised access; it involves removing the case (to reset the BIOS password), rebooting the system (sometimes by power cycling) and generally implies a very dirty and easy-to-detect hack - you do gain the access but you're not stealthy at it.
You plug the inconspicuous cable in the side/back of the PC, stash the laptop under the desk, and walk away whistling quietly. Then you sit down, access your laptop from another one through wi-fi, then proceed to download the contents of the compromised box over the firewire cable.
Re:Done previously (Score:2, Interesting)
Re:Yes, yes, another anti-windows story (Score:3, Interesting)
Adding a firmware password to my PPC Macs puts them into a heightened security mode that turns off Firewire DMA (and was tested specifically with the hack you referenced). I would expect the Intel units to have this feature also. And the new Linux firewire driver [kerneltrap.org] tackles the DMA vulnerability issue too.
What I've read on the subject so far indicates that most or all Firewire chipsets allow operation without DMA, and that it is possible to secure the DMA modes by programming the memory controller to restrict access to specific buffers.
FWIW, Apple was similarly "cagey" (actually silent) on the issue, but at least gave us the ability to secure the port through openfirmware.
What I would worry about more are the DMA interfaces that no one is discussing re: security... PCMCIA/PCCard and other hot-swappable ports (PCI-X? eSATA?) that support bus mastering. I'm pretty sure that non-USB-implemented CF slots are a risk.
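The comment above mentions two mitigations on the Linux side: the newer firewire driver that no longer hands physical DMA to arbitrary remote nodes, and a memory controller (IOMMU) that confines device DMA to specific buffers. The following is an added example, not code from the thread or from any of the projects mentioned, that audits a Linux host for both. It assumes the `firewire_ohci` module's `remote_dma` parameter ("Enable unfiltered remote DMA", default N) is exposed under `/sys/module/firewire_ohci/parameters/`, that an active IOMMU shows up as entries under `/sys/kernel/iommu_groups`, and that the legacy `ohci1394` driver is the one the comment says lacks the fix. `HostState` is a constructed snapshot so the logic can be exercised offline; `read_host()` fills it from a live system, read-only.

```python
"""Added example: audit a Linux host for FireWire physical-DMA exposure.

Three checks: is a 1394 OHCI driver loaded at all, is firewire_ohci's
`remote_dma` (unfiltered remote DMA) switched on, and is an IOMMU active
so that device DMA is confined to buffers the kernel mapped for it.
Assumed sysfs/procfs paths are noted inline.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Set


@dataclass
class HostState:
    loaded_modules: Set[str]     # module names from /proc/modules
    remote_dma: Optional[str]    # /sys/module/firewire_ohci/parameters/remote_dma ("Y"/"N"), None if absent
    iommu_groups: int            # number of entries under /sys/kernel/iommu_groups
    cmdline: str                 # contents of /proc/cmdline


def read_host() -> HostState:
    """Collect the snapshot from a live Linux system (best effort, read-only)."""
    mods = set()
    try:
        for line in Path("/proc/modules").read_text().splitlines():
            mods.add(line.split()[0])
    except OSError:
        pass
    param = Path("/sys/module/firewire_ohci/parameters/remote_dma")  # assumed path
    remote = param.read_text().strip() if param.exists() else None
    groups = Path("/sys/kernel/iommu_groups")                        # assumed path
    ngroups = len(list(groups.iterdir())) if groups.is_dir() else 0
    try:
        cmdline = Path("/proc/cmdline").read_text()
    except OSError:
        cmdline = ""
    return HostState(mods, remote, ngroups, cmdline)


def assess(state: HostState) -> List[str]:
    """Return findings, worst first. RISK = an attached 1394 device can reach RAM unfiltered."""
    findings = []
    if "ohci1394" in state.loaded_modules:
        # Legacy ieee1394 stack; the thread says only the newer driver addresses the issue.
        findings.append("RISK: legacy ohci1394 driver loaded (physical DMA open to remote nodes)")
    if "firewire_ohci" in state.loaded_modules:
        if (state.remote_dma or "N").upper().startswith("Y"):
            findings.append("RISK: firewire_ohci remote_dma=Y (unfiltered remote DMA enabled)")
        else:
            findings.append("OK: firewire_ohci loaded with remote_dma=N (physical DMA filtered)")
    if not {"ohci1394", "firewire_ohci"} & state.loaded_modules:
        findings.append("OK: no FireWire OHCI driver loaded")
    if state.iommu_groups == 0:
        hint = "" if "iommu=on" in state.cmdline else \
            " (consider intel_iommu=on / amd_iommu=on on the kernel command line)"
        findings.append("WARN: no IOMMU groups present; device DMA is not confined" + hint)
    else:
        findings.append("OK: IOMMU active (%d groups)" % state.iommu_groups)
    # Order so the most severe finding comes first.
    findings.sort(key=lambda f: {"RISK": 0, "WARN": 1}.get(f.split(":")[0], 2))
    return findings


def worst_level(findings: List[str]) -> str:
    """Overall verdict: the severity label of the first (worst) finding."""
    return findings[0].split(":")[0] if findings else "OK"


if __name__ == "__main__":
    for finding in assess(read_host()):
        print(finding)
```

Note that `remote_dma=N` does not make the port inert: the driver still grants physical DMA to nodes it explicitly enables (SBP-2 storage targets), which is why the IOMMU check is reported alongside it rather than instead of it.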