Windows passwords easily bypassed over Firewire
All of a sudden we're starting to see more and more attacks take advantage of what's stored in your computer's RAM. The latest, from New Zealand's Adam Boileau, lets an attacker unlock Windows passwords in just a few seconds using a Linux machine connected over Firewire. Unlike the disk encryption attacks we saw recently, which required a reboot, Boileau's attack works while the target computer is running: it tricks Windows into granting the attacking machine full write access to physical memory through Firewire's direct memory access (DMA), then patches the password-checking code in memory so the logon succeeds. That's a little scary, but other researchers point out that it's not a traditional vulnerability, since direct memory access is a feature of the Firewire (IEEE 1394) specification rather than a bug in Windows. Still, we're sealing up all of our ports with Silly Putty starting today; that ought to stop 'em.

Update: Apparently this has been demonstrated on OS X as well; it looks like Firewire's direct memory access is the common vector here.
[Thanks, Drew]
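Since the attack only works once the OS has brought the 1394 bus up and is willing to honour DMA requests from whatever is plugged in, the practical check is whether a FireWire host controller is present and has a driver bound to it. The script below is an added example written for this post (it is not Boileau's tool and not code from the original article); it audits a Linux host, where the update says the same DMA exposure exists, by walking the sysfs PCI tree for IEEE 1394 controllers, reporting whether a host-controller driver is bound, and checking whether any modprobe.d file blacklists the FireWire modules. The sysfs layout, the PCI class code 0x0c00xx (0x0c0010 for OHCI), the module names, and the fake tree it builds for offline runs are assumptions and constructed data, not facts from the page.

```python
"""Audit a Linux host for IEEE 1394 (FireWire) controllers a plugged-in device
could use for DMA. Added example for this post, not Boileau's tool or any
vendor code. Assumptions not stated on the page: the sysfs PCI layout under
/sys/bus/pci/devices, PCI class code 0x0c00xx for IEEE 1394 controllers
(0x0c0010 is OHCI), and modprobe blacklist files under /etc/modprobe.d."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional

# PCI base class 0x0c (serial bus) + subclass 0x00 (IEEE 1394); sysfs prints it as 0x0c00xx.
FIREWIRE_CLASS_PREFIX = "0x0c00"
# Kernel modules that make a 1394 controller usable (current and legacy stacks; assumption).
FIREWIRE_MODULES = {"firewire_ohci", "firewire_core", "firewire_sbp2", "ohci1394", "sbp2"}
_BLACKLIST_RE = re.compile(r"^\s*(?:blacklist\s+(\S+)|install\s+(\S+)\s+/bin/(?:false|true))\s*$")


@dataclass
class Controller:
    pci_address: str
    pci_class: str
    driver: Optional[str]  # driver bound in sysfs, None if the controller is unbound

    @property
    def dma_exposed(self) -> bool:
        # Only a bound host-controller driver brings the bus up and lets an
        # external node request DMA; an unbound controller is inert.
        return self.driver is not None


def find_firewire_controllers(sysfs_root="/sys/bus/pci/devices"):
    """List PCI functions whose class says IEEE 1394, with their bound driver."""
    found = []
    if not os.path.isdir(sysfs_root):
        return found
    for addr in sorted(os.listdir(sysfs_root)):
        dev = os.path.join(sysfs_root, addr)
        try:
            with open(os.path.join(dev, "class")) as f:
                pci_class = f.read().strip().lower()
        except OSError:
            continue
        if not pci_class.startswith(FIREWIRE_CLASS_PREFIX):
            continue
        link = os.path.join(dev, "driver")
        driver = os.path.basename(os.readlink(link)) if os.path.islink(link) else None
        found.append(Controller(addr, pci_class, driver))
    return found


def blacklisted_modules(modprobe_dir="/etc/modprobe.d"):
    """FireWire modules that modprobe.d blacklists (or maps to /bin/false)."""
    out = set()
    if not os.path.isdir(modprobe_dir):
        return out
    for name in sorted(os.listdir(modprobe_dir)):
        path = os.path.join(modprobe_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as f:
            for line in f:
                m = _BLACKLIST_RE.match(line)
                if m:
                    mod = (m.group(1) or m.group(2)).replace("-", "_")
                    if mod in FIREWIRE_MODULES:
                        out.add(mod)
    return out


def audit(sysfs_root="/sys/bus/pci/devices", modprobe_dir="/etc/modprobe.d"):
    """Return (controllers, blacklisted modules, one-line verdict)."""
    ctrls = find_firewire_controllers(sysfs_root)
    bl = blacklisted_modules(modprobe_dir)
    exposed = [c for c in ctrls if c.dma_exposed]
    if not ctrls:
        verdict = "no 1394 controller present"
    elif exposed:
        verdict = "DMA EXPOSED: " + ", ".join(f"{c.pci_address} via {c.driver}" for c in exposed)
    elif bl & {"firewire_ohci", "ohci1394"}:
        verdict = "controller present, driver unbound and blacklisted"
    else:
        verdict = "controller present, driver unbound but not blacklisted (rebinds on reboot or hotplug)"
    return ctrls, bl, verdict


def build_fake_tree(devices, modprobe_lines):
    """Constructed sysfs/modprobe.d stand-in for offline runs. devices is a list of
    (pci_address, class_string, driver_or_None); returns (sysfs_root, modprobe_dir)."""
    base = tempfile.mkdtemp(prefix="fw-audit-")
    sysfs, mp = os.path.join(base, "devices"), os.path.join(base, "modprobe.d")
    os.makedirs(mp)
    for addr, cls, drv in devices:
        dev = os.path.join(sysfs, addr)
        os.makedirs(dev)
        with open(os.path.join(dev, "class"), "w") as f:
            f.write(cls + "\n")
        if drv:  # dangling symlink is fine: only its basename is read
            os.symlink(f"../../../bus/pci/drivers/{drv}", os.path.join(dev, "driver"))
    with open(os.path.join(mp, "blacklist-firewire.conf"), "w") as f:
        f.write("\n".join(modprobe_lines) + "\n")
    return sysfs, mp


if __name__ == "__main__":
    # Constructed sample: an OHCI controller with firewire_ohci bound plus an AHCI controller.
    sysfs, mp = build_fake_tree(
        [("0000:02:00.0", "0x0c0010", "firewire_ohci"), ("0000:00:1f.2", "0x010601", "ahci")], [])
    for c in audit(sysfs, mp)[0]:
        print(f"{c.pci_address} class={c.pci_class} driver={c.driver}")
    print("sample:", audit(sysfs, mp)[2])
    print("this host:", audit()[2])
```

A blacklist entry alone only prevents the module from autoloading; a driver that is already bound stays bound until it is unloaded, so after adding the blacklist either unload it or, as several commenters below suggest, disable the port in the BIOS, which keeps the controller from ever appearing on the PCI bus.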
Another reason why USB is superior. All hail USB 3.0's coming.
Although to be fair, that's like saying your PC is harder to hack because it hasn't got a network card. Superiority through inferiority.
"Although to be fair, that's like saying your PC is harder to hack because it hasn't got a network card. Superiority through inferiority."
No, it's like saying your network shouldn't have direct memory access, which, no, it shouldn't. Networking does not require DMA; there is no valid reason that one production machine should be able to directly access another production machine's memory (the operative word being production; if you are doing software development there are plenty of reasons that might be useful). Surprise, surprise, that is a huge security risk and it always has been.
But hey, DMA is done for performance. Cut DMA and your computer will die processing network traffic!
You will be able to accomplish the same thing on a notebook with Cardbus or Expresscard (the PCI version), since the card can request a DMA and access all memory.
"Another reason why USB is superior"
Another?
Ignatius was probably trying to choose "Ignoramus" as his name, but didn't know how to spell it properly.
Wow. Flaming me by making a pun on my name? Yeah, that's the way to be cool.
Yah meanwhile USB 2 is slow as shit for hard drive access. Sorry but I'll keep my FW800 drive and its stupidly fast transfer rates.
Hmm...I wonder if something similar can be performed on OSX? I thought I heard something about a MBP/PowerBook firewire exploit?
Quick Google turned up this: http://www.codeangel.org/article/crack_a_mac_with_firewire
I guess it's a major firewire problem...wonder if it affects Firewire 800 as well?
Did you know you could reset the administrator password on any mac by using the install DVD?
GASP!
No, I didn't. I only know the basics on OSX. While the demo just showed an admin password being changed, the possibilities are much more severe. But just like this one for Windows, it requires physical access to the computer...so it's not something to be overly concerned about.
The Firewire specification (sorry, IEEE 1394 spec) calls for DMA. Any system that implements direct memory access per the specification (so pretty much everybody) is susceptible to attacks that focus on direct memory access.
If you have physical access to a Windows PC, you can literally do anything to it. It's just a matter of how quickly you can get it done. That Firewire approach sure is convenient though...
Silly Putty won't stop that. That's just silly. You're silly.
Hammer'll do just fine.
Hi Grimey old buddy.
Take a deep breath Grimey.. the high voltage wires _will_ kill you :)
Take it you saw that episode tonight on C4? That is a legendary episode.
Or you could just disable the port in bios. Well of course unless your bios is feature thin then this could be a problem...
Yay for Thinkpads and being able to disable ports!
Don't even try this on a Dell ;)
How many PCs come with Firewire now anyways? I know mine sure doesn't, and most of the non-Macs I've seen around campus don't have it either. It seems like this attack might be a bit limited.
Pretty much every notebook has Cardbus and/or Expresscard. Just slot in a Firewire adapter. Although admittedly (at least on Windows) it will just be sitting there asking for a driver disk.
Are you serious? EVERY laptop I see has a firewire port.
I've got a Toshiba Satellite notebook (although it's labeled "iLink") and two HP desktops purchased in the past 3 years that have 2 Firewire ports (1 in front, 1 in back). The thing is I have absolutely no Firewire devices, so I've disabled the ports since day 1.
In other news if you allow someone physical access to your computer they might steal it.
Arg, my reply to the follow up comments got dropped below. The gist of it was that while your ethernet chipset has DMA, your network through it does not. You have to trust the internal components of your system to work correctly. In firewire what you are saying is that you now trust external components to also behave correctly, which in the corporate world where insider attacks are very real, is a bad decision. In this case it is your network rather than your network controller that has DMA.
Yeah, if someone busts into my house I have more to worry about than violation of my Firewire ports...
According to slashdot, Adam Boileau brought this to the attention of MS years ago. After nothing was done, he decided that the way to fix the problem was to free up his tool.
(Really trying hard not to be a microsoft hater)
That's a load of crap. It is a flaw in the very design of firewire, as originally authored by Apple. The primary difference between firewire and USB is that firewire does not require the CPU to control all of its actions. To get around needing the CPU as an arbiter for system access the specification specifically requires direct memory access. For a vendor to fail to implement DMA their implementation just won't work with any device expecting it, and MS would have been pounded for deviating from the standard (and get flamed for that).
This attack literally cannot be fixed without completely throwing out the current firewire spec and starting over (at which point, just use USB), and throwing out every device implemented to spec. The only thing MS can be blamed for is implementing an inherently insecure specification authored by someone else (it would never have made it through MS's SDL if written in house).
And to be clear, this attack is possible against any system that implements Firewire. If this author were responsible he would have lobbied for the specification to be altered rather than for a particular vendor implementing the specification to break compatibility.
Any time anyone has *physical* access to any machine, you will never have security. This is why servers that house critical data are in secure, lights-out datacenters with guards on site 24/7, card readers, cameras present, palm readers, and bulletproof glass. Why would MS respond to something that is working as the specifications of the standard intend?
Physical security will always be a downfall in overall security; no amount of logical security will ever take its place.
josh, you're changing your tune as your comments progress. At first you said that networking should not have DMA (which is laughably false), then said that ethernet had DMA but "the network" does not, and now say that the problem is the firewire's specification is inherently insecure.
DMA, specifically zero-copy, is the holy grail of networking. Without it, throughput will be capped. To implement zero-copy, not only do the devices need DMA but "the network" needs it, so DMA has every business being part of networking. The problem here is a crappy implementation of DMA in networking, not an example of why DMA shouldn't be part of it.
wont someone please think of the children?!
Firewire had children? Why wasnt I invited to the baby shower?
Homemade boot cds with locksmith programs or password-changer on a flash drive sounds easier.
Good call, dude. I use ERD Commander's Locksmith all the time... that program is the shit.
Engadget, engadget, engadget. Stop taking stuff directly from Slashdot and posting it here -- don't you know they're rabid anti-MS fanboys?
This is a feature of Firewire. By design it allows direct access to the DMA controller, and this 'bug' is present in Linux, BSD, OS X, Windows!
So at least do a little research before posting this stuff..
"don't you know they're rabid anti-MS fanboys?"
Isn't Engadget?
(Hint: Answer = no)
I don't need Firewire because I'm Homer Simpson!
Shhh, this is the internet, you're Mr. X.
This "exploit" requires physical access to the machine. Not to mention, that one could use a password reset utility to boot from and accomplish the same thing.
Firewire has direct memory access because it was designed that way. It also allows for faster sustained transfers between devices because the CPU doesn't have to be involved. I like my firewire...or wait IEEE 1394, and I have enough smarts to keep my computer in a safe place to not allow for physical access by unauthorized persons.
If you read the original article as well as his website, this is a feature of Firewire, and the "vulnerability" exists on OS X, Linux, Windows and any OS that implements Firewire according to the spec. This article should read "Bypass OS security with Firewire" instead of focusing only on Windows. But that is what I would expect from decent journalism...
Last year I sent my laptop in for repair, but just before it got picked up I changed the password. When I got it back I had no clue what the new password was. As frustrated as I was, formatting was not an option since it would take one or two days to download all the software I need and get it set up properly. So I sat at my desktop, lurked around the net and found a surprisingly easy way to clear the password in Vista.
It involves downloading a 34MB program which is then burnt onto a bootable disc. Boot the computer from the disc and after a few button presses you have cleared the password. Although you can just clear or change it, you can't see what it was. But still, it's incredibly easy and, may I say, unsafe? I still have the disc and can get into pretty much every XP or Vista computer which is password protected.
Well, the same is true of OS X: forget your password and you can go ahead and boot an OS X install disc and then reset it.
Send me a link. My fam is forever forgetting their pass, and I'm sick and tired of reinstalling. Hit my email.
That can't be accomplished quite as easily if you set an Open Firmware or EFI password. You'll need that password before you can boot off of any device (including the internal optical drive) other than your chosen startup volume.
With that in place, a Mac OS X system conforms to tighter security standards for workstation use, assuming the CPU itself is locked away safely.
Macsev,
You just need to alter the amount of RAM at start up then or press Ctr-Option-P-R if it hasn't been disabled. Of course one of those requires access to the CPU.
Windows machines are also capable of having a BIOS password, and assuming the CPU is locked up tight and away, you won't be able to change that through any external command I know of (you have to remove the battery or switch a jumper to set the BIOS to default).
Thank God for Thinkpads
i.e. startup password for the mobo and hard drive encryption.
Yay security chip.
Old Dell computers did the same thing... except more poorly as they did not have a security chip and offered only a startup hard drive password.
Update: Apparently this has been demonstrated on OS X as well -- it looks like Firewire's direct memory access is the common vector here.
Apparently you've never heard of updating erroneous and misleading titles once folks with some real tech knowledge have set you straight.
Here, it's easy. I'll help! "Computer Passwords Easily Bypassed over Firewire." There, that wasn't so hard, was it? So get busy.
That's expecting entirely too much from this site.