FireWire Ports Are Big Security Holes for Windows Users
A security consultant from the other 'land down under' has released a tool that makes FireWire (IEEE-1394) ports on your Windows PC a big security risk. Here's how the attack works - and how to stop it, too.
And Now Is the Winter of Our Discontent...with PC Security
The winter of 2007-2008 hasn't been a good one for PC users concerned about security. First, researchers at Princeton University showed that full-disk encryption features like Windows Vista's BitLocker and Mac OS X's FileVault could be bypassed by freezing an encrypted system's memory chips with a can of compressed air immediately after shutting the computer down, or while the system was in sleep or standby mode, so that the keys still in RAM could be read out.
Now, Adam 'Metlstorm' Boileau, a New Zealand-based security researcher, has released a tool that enables a Linux-based system to attack and control a Windows-based system through its FireWire (IEEE-1394a) port - even if the system is password-protected!
Why Release an 18-Month-Old Hack into the Wild?
The hack isn't exactly new. Mr. Boileau originally demonstrated the process at a September 2006 security conference in Sydney, Australia. According to an interview provided to ITRadio's Risky Business Podcast #52 on March 4 of this year, Boileau released the code now because the recent "cold boot" attacks against encrypted systems have users thinking about attacks against systems through physical access. The entire podcast is full of useful security news and tips, but to go directly to the interview, advance to 12:36.
How It Works
Boileau's winlockpwn attack tool, the source code for which is now available here, works by exploiting a built-in feature in the FireWire interface: FireWire is an expansion bus like PCI, PCI-Express, CardBus, and ExpressCard, not a peripheral bus like USB. Expansion buses, unlike peripheral buses, are granted direct access to memory via the direct memory access (DMA) controller in the host system. Thus, the ability to access a system's memory isn't a 'bug' in FireWire, but a feature.
As Boileau's "Hit by a Bus: Physical Access Attacks in Firewire" presentation (requires Adobe Reader) puts it, expansion buses are "limited only by the creativity of the device engineer."
Boileau's creativity comes in his software's ability to lie about the nature of the device being attached to the FireWire port. Winlockpwn disguises the attacking system as an iPod (see page 21 of the presentation), which lets it slip past device-based restrictions on FireWire port usage while leaving the attacking system free to do very un-iPod tricks, such as bypassing passwords, installing spyware, and so on.
Who Needs to Worry About winlockpwn?
Winlockpwn was designed to attack Windows XP systems with FireWire ports. Although FireWire ports aren't nearly as common as USB ports, many recent systems include integrated FireWire ports, and many more have add-on cards with FireWire ports. Both types of systems are vulnerable.
Windows Vista users don't need to look smug, though. Some experimenters report success attacking Vista systems with a modified version of the attack, and some have also done it by plugging in a CardBus FireWire card and attacking the system after the device was installed.
What You Need to Run Winlockpwn
Although winlockpwn targets Windows-based systems, it runs on a Linux-based system. For a complete list of requirements, see page 31 of Boileau's "Hit by a Bus: Physical Attacks with Firewire" presentation. The source code and libraries, as well as the presentation, are available here.
Protecting Systems from winlockpwn and Similar Exploits
Now that the cat is out of the bag after an 18-month delay, what can you do to protect your systems from this or similar threats? First, a list of what doesn't work:
- Password protection can't stop winlockpwn, because the attack goes straight at memory rather than through the logon screen.
- Device-based restrictions don't work either, because winlockpwn lets the attacking system masquerade as a harmless device.
- Although winlockpwn is the first attack against Windows-based PCs via the FireWire port, most other desktop operating systems have been vulnerable for some time, again because of the nature of the FireWire expansion bus.
So, what can you do to protect a system running FireWire from FireWire-based attacks?
- Disable your integrated FireWire ports when you don't need them: restart the system, access the system BIOS setup, and disable the ports. Save changes and exit.
- Disable the OHCI 1394 controller drivers in the operating system when you're not using FireWire ports: on a Windows-based system, disabling 1394 ports in Device Manager will do it.
- Disable the CardBus slots (in Device Manager or the equivalent) when you're not using CardBus cards on your laptop, so an attacker can't add a FireWire port you don't have.
- If you have security software that controls access to FireWire ports, such as products like DeviceLock, configure the software to block all access to FireWire ports from any device.
- Don't leave your system accessible to strangers; lock your office at breaks or lunch, and keep a careful eye on technicians when they check your system.
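The Device Manager steps above, scripted as an added example (not from the article or from Boileau's materials): the script disables every IEEE 1394 host controller and CardBus/PCMCIA slot present on the machine and can re-enable them on demand. It assumes an elevated PowerShell and the PnpDevice cmdlets that ship with current Windows releases; the XP-era systems the article discusses would need Device Manager or devcon instead, and the 1394 and PCMCIA setup-class names are the ones Windows uses for those controllers.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original article): remove the DMA path that
# winlockpwn relies on by disabling FireWire controllers and PC Card slots when
# they are not needed. Assumes the PnpDevice module on a current Windows build.

# Windows device setup classes for IEEE 1394 host controllers and CardBus slots.
$script:DmaBusClasses = @('1394', 'PCMCIA')

function Get-DmaBusDevice {
    # Present devices only: integrated controllers and currently inserted cards.
    Get-PnpDevice -PresentOnly -Class $script:DmaBusClasses -ErrorAction SilentlyContinue
}

function Set-DmaBusState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disable', 'Enable')]
        [string] $Action
    )

    $devices = @(Get-DmaBusDevice)
    if ($devices.Count -eq 0) {
        Write-Output 'No 1394 or PCMCIA devices present; nothing to do.'
        return
    }

    foreach ($dev in $devices) {
        Write-Output ('{0}: {1} [{2}] (status before: {3})' -f
            $Action, $dev.FriendlyName, $dev.Class, $dev.Status)
        if ($Action -eq 'Disable') {
            Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        }
        else {
            Enable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        }
    }
}

# Lock the ports down now; run "Set-DmaBusState -Action Enable" when you
# actually need a FireWire device or a CardBus card.
Set-DmaBusState -Action Disable

# Verify: a disabled device reports Status 'Error' (problem code 22, disabled);
# anything in these classes still showing 'OK' is live and should be looked at.
Get-DmaBusDevice | Select-Object Class, FriendlyName, Status | Format-Table -AutoSize
```

Disabling the controller in Windows only protects the running OS; the BIOS step in the list above is what keeps the port dead before Windows loads.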
How Big a Deal Are winlockpwn and Other FireWire Threats? The Debate Continues!
I've also posted on this topic at MaximumPC.com, where a lively debate has been occurring. Tell your stories here (and drop in there as well).