Aging Security Vulnerability Still Allows PC Takeover

Jackson writes "Adam Boileau, a security consultant based in New Zealand, has released a tool that can unlock Windows computers in seconds without the need for a password. By connecting a Linux machine to a Firewire port on the target machine, the tool can then modify Windows' password protection code and render it ineffective. Boileau said he did not release the tool publicly in 2006 because 'Microsoft was a little cagey about exactly whether Firewire memory access was a real security issue or not and we didn't want to cause any real trouble'. But now that a couple of years have passed and the issue has not been resolved, Boileau decided to release the tool on his website."

  • Re:host memory! (Score:4, Interesting)

    by iangoldby ( 552781 ) on Tuesday March 04, 2008 @09:59AM (#22634842) Homepage
    Because it is not USB.

    Actually, what do I know? But I do believe that Firewire doesn't have the concept of host and slave nodes. All nodes on a Firewire network are equivalent AFAIK.

    If it were necessary to explicitly allow direct memory access on a node whenever it was requested, you would not be able to plug a Firewire cable into a control-less box (for example) and do things with it, without first accessing the control-less box through a non-Firewire method to enable Firewire DMA.

    Anyway, that's my ignorance on the subject. And as Adam Boileau says, it is a Feature, not a Bug. It is intended behaviour, so there must be a good reason (even if it is not the above).
  • Up to a point. (Score:3, Interesting)

    by SmallFurryCreature ( 593017 ) on Tuesday March 04, 2008 @10:07AM (#22634924) Journal

    A lot of workplaces will have physically secured machines but nonetheless with ports open. People might notice if you remove a server from a rack to access its insides, but just plugging in a cable?

    Yes, of course, not that many machines have firewire and servers are even rarer (although my pc has a port) but still, there is a major difference between the access needed to open a PC and get its HD and just plugging in a cable.

    See it as the difference between having to steal secret documents and being able to copy them at the spot.

    If this tool indeed works in seconds then that is a lot faster than opening up a PC, taking out its HD, installing it in another machine, breaking its security, reading the contents you want (which at this point would give you only the contents on the HD, not the network), re-installing it and closing the cover and removing every trace of your access.

    A lot of security is about inconvenience. Safes ain't rated for being unbreakable, but how long it takes to open them. ANY safe can be opened, the trick is making the process take so long that it can not be done without being found out. Thanks to MS, breaking its security has just become a lot more convenient.

  • by TheRaven64 ( 641858 ) on Tuesday March 04, 2008 @10:22AM (#22635062) Journal
    It's not Microsoft's fault, it's a hardware problem. FireWire is a peer-to-peer protocol with commands for using the DMA controller. Any device plugged in via a FireWire port can issue DMA requests. It can dump the entire contents of (physical) memory and write data at arbitrary locations. A FireWire controller ought to only permit DMA to and from regions the driver allowed it to, but most don't. The only workaround for this is to either disable FireWire or use something like the Device Exclusion Vector on modern AMD chips to block the device's access to memory.
  • by JasterBobaMereel ( 1102861 ) on Tuesday March 04, 2008 @10:25AM (#22635106)
    It sounds like it is a problem with firewire and therefore any system which uses it?

    Not to say it should not be patched in all systems, but surely this would have had to be written into the driver deliberately for it to work, so the real question is why firewire requires direct access to the system memory (and potentially passes this onto the external device) when USB does not?
  • Re:host memory! (Score:5, Interesting)

    by Jah-Wren Ryel ( 80510 ) on Tuesday March 04, 2008 @10:28AM (#22635138)

    So why exactly is it a desirable feature for a firewire node to be able to access another node's memory unsolicited?
    Well, for one thing, it should make cracking any of these "untrusted computing" DRM schemes pretty trivial.
  • by Sycraft-fu ( 314770 ) on Tuesday March 04, 2008 @10:49AM (#22635348)
    One of the things I always hear in the USB vs Firewire debates is how much lower overhead Firewire is. In informal testing, this certainly seems to be the case. Well, one of the reasons it might be is if it has DMA. You'll find that's how a lot of PCI hardware works. It can read and write directly to memory, it doesn't have to do things through the processor. Keeps system load much lower, it'd quickly peg the CPU if it had to deal with shuffling around all data on the system. However, it also can lead to problems, of course.

    Well, if Firewire has the same capability, it would explain why it is much lower overhead than USB, but it would also allow for things like this.

    In general, DMA is probably something that needs to be looked at being cleaned up/reworked. It is a non-trivial cause of system instability: hardware goes nuts (or maybe the driver orders hardware to do something stupid), craps on memory it shouldn't, system goes down. However anything like that is going to take a back seat to performance, at least in regular PCs. As nice as it would be to have the CPU fully in charge of everything, people aren't going to put up with it if it means a 10x drop in performance.
  • Re:Physical access (Score:5, Interesting)

    by SharpFang ( 651121 ) on Tuesday March 04, 2008 @10:59AM (#22635466) Homepage Journal
    Depends on the length of the (fire)wire. ;)

    In the case of most hardware with mid-to-high physical security you need some 15 minutes of totally unsupervised access; it involves removing the case (to reset the BIOS password), rebooting the system (sometimes by power cycling) and generally implies a very dirty and easy-to-detect hack - you do gain the access but you're not stealthy at it.

    You plug the inconspicuous cable into the side/back of the PC, stash the laptop under the desk, and walk away whistling quietly. Then you sit down, access your laptop from another one through wi-fi, then proceed to download the contents of the compromised box over the firewire cable.

  • Re:Done previously (Score:2, Interesting)

    by cobaltnova ( 1188515 ) on Tuesday March 04, 2008 @11:00AM (#22635478)
    As for Debian, it looks like the unstable firewire stack implementation (JuJu) handles the security issues. [nabble.com] However, that same article suggests that Lenny (the next version of Debian) will probably be released with the vulnerable, stable stack because it has more compatibility.
  • by Burz ( 138833 ) on Wednesday March 05, 2008 @07:36AM (#22647738) Homepage Journal
    Actually, no.

    Adding a firmware password to my PPC Macs puts them into a heightened security mode that turns off Firewire DMA (and was tested specifically with the hack you referenced). I would expect the Intel units to have this feature also. And the new Linux firewire driver [kerneltrap.org] tackles the DMA vulnerability issue too.

    What I've read on the subject so far indicates that most or all Firewire chipsets allow operation without DMA, and that it is possible to secure the DMA modes by programming the memory controller to restrict access to specific buffers.

    FWIW, Apple was similarly "cagey" (actually silent) on the issue, but at least gave us the ability to secure the port through openfirmware.

    What I would worry about more are the DMA interfaces that no one is discussing re: security... PCMCIA/PCCard and other hot-swappable ports (PCI-X? eSATA?) that support bus mastering. I'm pretty sure that non-USB-implemented CF slots are a risk.
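The mitigations the thread keeps returning to are disabling FireWire outright (TheRaven64) or relying on a Linux driver stack that restricts DMA (cobaltnova, Burz). The following is an added example, not code from any poster: a POSIX shell audit that checks lsmod output for either Linux IEEE 1394 stack and emits a modprobe.d fragment that keeps those modules from loading. The module names are the real names of the old ieee1394 stack and the newer firewire-* (JuJu) stack; the lsmod text in the block is constructed, not captured from a real host, and the /etc/modprobe.d path in the usage comment is the conventional location, assumed rather than taken from the thread.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): audit a Linux host for loaded
# IEEE 1394 (FireWire) driver modules and emit a modprobe blacklist fragment.
# Covers both the old ieee1394 stack and the newer firewire-* (JuJu) stack.

# Kernel modules belonging to either FireWire stack (real module names).
FW_MODULES="firewire-ohci firewire-core firewire-sbp2 firewire-net ohci1394 ieee1394 sbp2 raw1394 video1394 dv1394 eth1394"

# Print the FireWire-related modules found in lsmod-style text read from stdin.
# lsmod prints one module per line ("<name> <size> <used-by> [users]") after a
# header line, and shows module names with underscores, so names are
# normalised to underscores before comparison.
fw_modules_loaded() {
    awk -v list="$FW_MODULES" '
        BEGIN {
            n = split(list, names, " ")
            for (i = 1; i <= n; i++) { gsub(/-/, "_", names[i]); want[names[i]] = 1 }
        }
        NR > 1 {
            name = $1
            gsub(/-/, "_", name)
            if (name in want) print name
        }
    '
}

# Emit a modprobe.d fragment that prevents both stacks from loading.
# "install <mod> /bin/false" also defeats an explicit modprobe request,
# which a plain "blacklist" line (autoload only) does not.
fw_blacklist_fragment() {
    for m in $FW_MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# Audit lsmod output on stdin: returns 0 when no FireWire module is loaded,
# 1 otherwise, and reports what it found.
fw_audit() {
    found=$(fw_modules_loaded)
    if [ -n "$found" ]; then
        echo "FireWire driver(s) loaded: $(echo "$found" | tr '\n' ' ')"
        return 1
    fi
    echo "No FireWire driver modules loaded"
    return 0
}

# Constructed lsmod sample (not captured from a real host) for an offline run.
SAMPLE_LSMOD='Module                  Size  Used by
firewire_ohci          40960  0
firewire_core          69632  1 firewire_ohci
snd_hda_intel          45056  3'

# Offline demo against the constructed sample; on a live host you would use:
#   lsmod | fw_audit || fw_blacklist_fragment > /etc/modprobe.d/blacklist-firewire.conf
printf '%s\n' "$SAMPLE_LSMOD" | fw_audit || true
```

Blacklisting the modules is the blunt option TheRaven64 describes; it removes the FireWire attack surface entirely rather than restricting DMA, so it is only appropriate on hosts that do not need the port. The fragment takes effect on the next boot (or after the modules are unloaded), and `lsmod | fw_audit` is the check to run afterwards to confirm nothing re-loaded them.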
