A security consultant from the other 'land down under' has released a tool that makes FireWire (IEEE-1394) ports on your Windows PC a big security risk. Here's how the attack works - and how to stop it, too.
The winter of 2007-2008 hasn't been a good one for PC users concerned about security. First, researchers at Princeton University discovered that full-disk encryption features like Windows Vista's BitLocker and MacOS's FileVault could be bypassed by chilling an encrypted system's memory chips with a can of compressed air (so that their contents, keys included, survive long enough to be read) immediately after shutting down the computer or while the system was in sleep or standby mode.
Now, Adam 'Metlstorm' Boileau, a New Zealand-based security researcher, has released a tool that enables a Linux-based system to attack and control a Windows-based system through its FireWire (IEEE-1394a) port - even if the system is password-protected!
The hack isn't exactly new. Mr. Boileau originally demonstrated the process at a September 2006 security conference in Sydney, Australia. According to an interview provided to ITRadio's Risky Business Podcast #52 on March 4 of this year, Boileau released the code now because the recent "cold boot" attacks against encrypted systems have users thinking about attacks against systems through physical access. The entire podcast is full of useful security news and tips, but to go directly to the interview, advance to 12:36.
Boileau's winlockpwn attack tool, the source code for which is now available here, works by exploiting a built-in feature in the FireWire interface: FireWire is an expansion bus like PCI, PCI-Express, CardBus, and ExpressCard, not a peripheral bus like USB. Expansion buses, unlike peripheral buses, are granted direct access to memory via the direct memory access (DMA) controller in the host system. Thus, the ability to access a system's memory isn't a 'bug' in FireWire, but a feature.
As Boileau's "Hit by a Bus: Physical Access Attacks in Firewire" presentation (requires Adobe Reader) puts it, expansion buses are "limited only by the creativity of the device engineer."
Boileau's creativity comes in his software's ability to lie about the nature of the device being attached to the FireWire port. Winlockpwn disguises the attacking system as an iPod (see page 21 of the presentation), enabling the software to bypass device-based restrictions on FireWire port usage, while still allowing the attacking system to do very un-iPod tricks, such as bypassing passwords, installing spyware, and so on.
Winlockpwn was designed to attack Windows XP systems with FireWire ports. Although FireWire ports aren't nearly as common as USB ports, many recent systems include integrated FireWire ports, and many more have add-on cards with FireWire ports. Both types of systems are vulnerable.
Windows Vista users don't need to look smug, though. Some experimenters report success attacking Vista systems with a modified version of the attack, and some have also done it by plugging in a CardBus FireWire card and attacking the system after the device was installed.
Although winlockpwn targets Windows-based systems, it runs on a Linux-based system. For a complete list of requirements, see page 31 of Boileau's "Hit by a Bus: Physical Attacks with Firewire" presentation. The source code and libraries, as well as the presentation, are available here.
Protecting Systems from winlockpwn and Similar Exploits
Now that the cat is out of the bag after an 18-month delay, what can you do to protect your systems from this or similar threats? First, a list of what doesn't work:
So, what can you do to protect a system running FireWire from FireWire-based attacks?
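One concrete check, added here as an example and not part of the original article or of Boileau's tool: audit the Windows driver services that hand a FireWire device physical DMA, and optionally disable them. It assumes the SBP-2 storage-protocol driver service is named `sbp2port` and the OHCI host-controller service is `1394ohci` (Vista and later) or `ohci1394` (XP); a Start value of 4 means the driver is disabled.

```powershell
# Added example (not from the original article). Audits the driver services
# that let a FireWire device (such as a disguised "iPod") reach system memory.
# Assumptions: SBP-2 driver service = 'sbp2port'; OHCI host-controller
# service = '1394ohci' (Vista+) or 'ohci1394' (XP). Start = 4 disables it.
# Disabling sbp2port alone blocks storage-class devices but leaves the port
# usable for e.g. DV cameras; disabling the OHCI driver turns the port off.
# Run from an elevated prompt; -Remediate sets Start = 4 on enabled services.
param([switch]$Remediate)

$services = @('sbp2port', '1394ohci', 'ohci1394')
$base     = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-FireWireDriverState {
    foreach ($name in $services) {
        $key = Join-Path $base $name
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ Service = $name; Start = $null; State = 'not present' }
            continue
        }
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        $state = if ($start -eq 4) { 'disabled' } else { 'ENABLED (DMA exposure)' }
        [pscustomobject]@{ Service = $name; Start = $start; State = $state }
    }
}

function Disable-FireWireDriver {
    param([string]$Name)
    $key = Join-Path $base $Name
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
        Write-Host "Set $Name Start=4 (disabled); takes effect after reboot."
    }
}

$report = Get-FireWireDriverState
$report | Format-Table -AutoSize

if ($Remediate) {
    $report | Where-Object { $_.State -like 'ENABLED*' } |
        ForEach-Object { Disable-FireWireDriver -Name $_.Service }
}
```

Treat a report line reading ENABLED for `sbp2port` on a machine with a live FireWire port as the exposure this article describes; the change only takes effect after a reboot.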
How Big a Deal is winlockpwn and Other FireWire Threats? The Debate Continues!
I've also posted on this topic at MaximumPC.com, where a lively debate's been occurring. Tell your stories here (and drop in there as well).