Windows passwords easily bypassed over Firewire
All of a sudden we're seeing more and more attacks that go after what's sitting in your computer's RAM. The latest, from New Zealand's Adam Boileau, lets an attacker unlock a Windows password in just a few seconds using a Linux machine connected over Firewire. Unlike those disk-encryption attacks we saw that required a reboot, Boileau's attack works while the target computer is running: it tricks Windows into granting the Firewire device full read/write access to physical memory, then patches the password-checking code in place. That's a little scary, but other researchers point out that it isn't a traditional vulnerability, since direct memory access is a feature of the Firewire (IEEE 1394) spec: the host controller services those reads and writes without the CPU or the OS in the loop, so on a machine without an IOMMU no amount of page protection helps, and the practical defenses are disabling the controller (in the BIOS or by unloading its driver) or keeping the port physically out of reach. Still, we're sealing up all of our ports with Silly Putty starting today; that ought to stop 'em.
Update: Apparently this has been demonstrated on OS X as well -- it looks like Firewire's direct memory access is the common vector here.
[Thanks, Drew]
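For readers who would rather not reach for the Silly Putty: the post says the only real fix is to keep the 1394 host controller from ever getting a chance to service DMA, and on a Linux box (the attack works against Linux targets too, not just Windows and OS X) that means making sure the kernel's 1394 drivers never load. The script below is an added example, not part of the Engadget post or of Boileau's tool. It checks an `lsmod` listing for both generations of Linux 1394 driver (the old `ieee1394`/`ohci1394` stack and the newer `firewire_core`/`firewire_ohci` stack) and writes a modprobe blacklist. The `lsmod` output it runs against is constructed for the demonstration; point `write_firewire_blacklist` at `/etc/modprobe.d` to apply it for real.

```shell
#!/bin/sh
# Added example: detect loaded Linux IEEE 1394 (FireWire) drivers and generate
# a modprobe blacklist so a plugged-in device can never get DMA to RAM.
# Module names are the mainline kernel drivers; the lsmod sample is constructed.

set -eu

# Constructed sample of what `lsmod` might print on a laptop with a 1394 controller.
SAMPLE_LSMOD='Module                  Size  Used by
firewire_ohci          40960  0
firewire_core          69632  1 firewire_ohci
e1000e                262144  0
snd_hda_intel         53248  3'

# Driver names from both the old (ieee1394) and new (firewire_*) Linux stacks.
FW_MODULE_RE='^(firewire_ohci|firewire_core|firewire_sbp2|ohci1394|ieee1394|sbp2|raw1394|dv1394|video1394)$'

# Print the loaded 1394 modules found in lsmod-style text read from stdin.
loaded_firewire_modules() {
    awk -v re="$FW_MODULE_RE" 'NR > 1 && $1 ~ re { print $1 }'
}

# Exit status 0 when at least one 1394 module is loaded, 1 otherwise.
firewire_loaded() {
    n=$(loaded_firewire_modules | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

# Write blacklist-firewire.conf into the given directory (normally /etc/modprobe.d)
# and print its path. "install <mod> /bin/false" is stronger than "blacklist":
# it also refuses the module when something else requests it as a dependency,
# not only when udev tries to auto-load it by alias.
write_firewire_blacklist() {
    dir=$1
    out="$dir/blacklist-firewire.conf"
    {
        echo '# Refuse to load IEEE 1394 drivers: any device on the bus gets DMA to all of RAM.'
        for m in firewire_ohci firewire_core firewire_sbp2 ohci1394 ieee1394 sbp2; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$out"
    echo "$out"
}

# Demonstration on the constructed sample; nothing on the running system is changed.
printf '%s\n' "$SAMPLE_LSMOD" | loaded_firewire_modules
if printf '%s\n' "$SAMPLE_LSMOD" | firewire_loaded; then
    echo "1394 drivers are loaded: write the blacklist, then 'modprobe -r firewire_ohci firewire_core'"
fi
```

Blacklisting only stops future loads; a controller that is already initialised keeps serving DMA until its driver is unloaded or the machine is rebooted, so pair the config file with `modprobe -r` (or a BIOS-level disable) on a live box.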
*Buys a few Linux loaded EEE PCs..*
.Rawr! >:3
"All of the sudden..."
Come on. You're a writer!
I'll forgive typos, even misspelled homophones...but "all of the sudden"? What is "the sudden"? I don't like being grammar police online, but that's as bad as "supposeBly".
all hail mighty silly putty
I don't think the problem is in direct memory access. The problem is that you shouldn't be allowed to write just ANYWHERE in RAM. What the hell is the point of segment protections or PXE or whatever they are called these days? Any OS worth a damn (and it should be all of them by now) has the ability to protect a region of memory from tampering through hardware means (CPU support). So how is this happening, then?
That's the whole point. Firewire bypasses the CPU.
Oh I see. So they bypass the OS at the hardware level, the OS never even sees the data. Wow, I didn't think about it that way.
"Cut DMA and yoor computer will die processing network trafficing!"
Yes, but the difference is that your ethernet chipset controls the memory access rather than the remote machine. A network machine cannot request a dump of memory over ethernet (unless there is a serious bug in your chipset). There is no such arbitration with firewire. Firewire treats any external entity as a trusted source for hardware access which is simply a bad idea from a security standpoint. From a security standpoint there is never a reason to trust an external source with DMA. For home users this isn't an issue (which is likely why Apple didn't care when authoring Firewire) but for corporate users where insider attack is a very real possibility this is a huge issue.
"For home users this isn't an issue (which is likely why Apple didn't care when authoring Firewire)..."
Apple originally developed firewire for a much different intended use than it has today. Then they shelved it. Sony picked up the technology because it had a specific need i.e. DV video. In Apple's original application and in Sony's, such security issues apparently weren't a concern. Apple did not "author" firewire for home users at all.
As a complete aside, has anyone else noticed worse than normal buggy behavior from the comment system on this post? In IE 7 there seems to be a bug where if you hit reply after the page has refreshed from posting a comment, it doesn't properly parent the reply (it gets its own post rather than a sub post). Aware of that I specifically clicked reply a second time and made sure it showed up in the comment area. The first comment posted thus still got the top level article as a parent. The second attempt parented to a completely different comment than the one I replied to. What the heck engadget?
"In IE 7 there seems to be a bug"
Found your problem...
Seriously, this is a feature that makes FireWire better since it doesn't take away from CPU, and if it requires direct access then it's not that hard to tell who it is, just follow the cable from your computer to the one at the other end of the connection. Maybe it's a good thing that FireWire didn't catch on for networking and is primarily for peripherals now
"All of the sudden" "you're" grammar "must of" crapped out.
Physical Access == Root Access anyway.
I see lots of posts to this effect, but I think you're all missing the point. Sure if I have physical access to your system I could take apart your computer, reboot it to a USB drive, or whatever - those all require me to restart your computer. With this attack I can easily figure out your password in a very short time, log in as you, and do whatever I wanted. The ability to detect that is going to be much lower than "Hey I don't remember leaving the case off my computer"
Moreover this attack highlights just how insecure Firewire is. Allowing a remote device to read RAM is just foolish; the implications of being able to walk up to, say, a server that is processing credit card data and just grab it from RAM with no authentication are very frightening.
I'm not missing the point, I'm reminding everyone of a very basic security principle - if someone has physical access to a machine, they can own it. This is just one more tool for their arsenal. And, by the way, I know a guy who was doing this about 3 years ago.
So, josh, all this whining about how bad firewire's DMA requirements are and then you claim that it doesn't matter anyway?
BTW, physical access does not mean root access. Physical access is a lot less secure but it's not totally insecure. Depends on the system.
A computer system could protect its own memory while still implementing an insecure DMA spec. Certain operations may not result in the expected result but that would be a good thing. I'm not familiar with firewire's DMA requirements but an OS *could* prevent its internal data structures from being overwritten and still support all firewire functions useful to the user. A well-intentioned firewire device has no reason to access all target memory for read/write.
We don't have to accept crap just because it's physical access.
I guess some people just have to turn everything into an argument.
And some people have to post nonsensical and contradictory comments as though they are experts.
Craig, I get the feeling you're confusing me with the other Josh that's been commenting on this post.
All I'm saying is that if someone has physical access they can do anything. This is yet another way they can do that, that's all.
Memory protection doesn't help in this case as DMA transfers are via physical addressing, not virtual. This does present a burden on the software to resolve virtual pages from different processes into physical pages, but it's far from impossible.
There was a MacHack about 8 years ago called FireStarter that made use of FireWire DMA to draw flames over the bottom portion of another Mac's screen just by plugging in a Firewire cable. It worked by guessing the base address of the display buffer and just writing into it.
I made a modification to that program that instead read the complete contents of the buffer and did so in a loop. I was able to record the screen pretty effectively at about 10 fps. Using an iPod (back when they used FireWire) with linux firmware installed, you could make a pretty effective screen recorder hidden in plain sight. "Hey, could I charge my iPod on your machine for a while?"
"Memory protection doesn't help in this case as DMA transfers are via physical addressing, not virtual. This does present a burden on the software to resolve virtual pages from different processes into physical pages, but it's far from impossible."
Some IO busses do provide memory translation and protection and some IO devices include hardware for that purpose. It may be the case that the platforms discussed here lack the necessary hardware or software support for it. It's not always the case, though, that physical memory can't be protected from DMA masters.
Wait-a-minute, you mean someone could hack into my PS2 via iLink? e-gads!
For all I remember USB has DMA as well; the only thing is you have to connect a USB host to the target. In Firewire there is no host/slave, so the attack has been possible off old iPods with Firewire, but not off iPods (or anything) with USB, because not many devices have host capabilities.
Get a gp2x or something and it might work.
Typical Engadget sensationalism. Would it hurt to change the title of the article even slightly to make it sound less like a Windows-only exploit?
Dear oh dear...... Fuck off, I'm fed up with your ignorant bias. As you have already been told, the fault is with Firewire, then you go and do a lil 'Update' line in the article... how about changing the fucking headline? Misleading, no?
What a bunch of jokers you guys are! I'm laughing out loud right about now, no really I am
Engadget, any chance you can chuck us a download link?
Firewire is worthless. Just disable it in the BIOS.
Why not update your title as well to include OS-X since the current title no longer accurately represents the discovery. Someone just perusing the titles (say via RSS) will incorrectly believe themselves unaffected by this exploit.
MacBook Air: world's safest?
(no firewire, no removable memory, etc)
:p
Engadget is a joke. I now find myself coming here for the inaccurate reports and bumbling commentary.... it's funny to see how crap these guys are at their jobs.
I used to dismiss a lot of criticism of blogs from people who felt they were amateurish sources. Sticking up for blogging, in effect. Coming to Engadget has pretty much validated those criticisms.
You think this article is amateurishly stupid; I remember when someone here at Engadget reviewed a Dell notebook last year and commented that the genuine Windows sticker looked burned and tattered as if accidentally damaged. I am totally serious: http://www.engadget.com/2007/08/23/mans-xps-m1330-arrives-sans-os-quality/ (7 lines down). Come on!!! I don't know how any of the readership could let you guys off the hook so easily for not recognizing what a genuine Windows seal looked like.
Yeah, I know the irony. It looks like the crappy grammar is contagious.
Firewire doesn't unlock Windows passwords: Linux users with Firewire unlock Windows passwords.
All of a sudden it looks like the MacBook Air is the most secure computer on earth! Between its soldered-on RAM and no Firewire, and I guess OS X doesn't hurt, if you believe their bullshit. Plus it's only half a lie when they say it's "the world's thinnest notebook." (other keywords: on the market)
Now I have found a use for the Eee lappies!
"Well the same is true of OSX: forget your password and you can go ahead and boot an OSX install disc and then reset it."
Little do you people know about OSX. There is a way to prevent this and Apple themselves provided it. It's on the OSX install disc; you can run this app that came on the disc and you can password protect your Mac from ANY install discs being booted. You can google this or find it on the Mac forum.
Oh, and one more thing: Macs also have an option to use secure virtual memory. So pretty much Macs can totally avoid this lame attack.
So very incorrect. Secure virtual memory does not protect against this type of attack.
It is just a matter of time and hackers figure out access. http://hotcookies.net
Dornseif did this years ago on Macs.
Moreover wireless usb has something called R-DMA (the R stands for Remote).
This is really old hat. Way to reinvent the wheel.
This is old news. I saw adam demonstrate this at ruxcon 2006.
This is a very interesting read. I also heard BlingCart is making a shopping cart software with this technique as well.
Before I stop bothering to come here since you've done such an atrocious job actually doing any fact checking on this, (so who knows what other garbage you'll post as news on this site) I thought I'd reinforce that this isn't a Windows specific exploit. It's an exploit of a Firewire feature and thus also works on OSX and Linux.
Regarding OS X: setting the Open Firmware password disables this attack vector.
Yes, the OF password can be erased. But doing that will eliminate the memory content the attacker is so eager to get.
The frozen-RAM problem is much harder to cope with. The Firewire attack is rubbish in OS X.