
Maximum IT
News

Who's Afraid of the FireWire Port? Maybe - You!


Not a Good Season for PC Security

One of these days, the folks who write dictionaries are going to list "secure" as an antonym for "personal computer." After all, we recently learned that a can of compressed air can be used to break full-disk encryption like Windows Vista's BitLocker and MacOS's FileVault. And now, thanks to a security researcher from New Zealand, we're learning that FireWire ports also offer an attack vector. Ouch!

Meet 'Metlstorm' and His Attack Program, winlockpwn

Adam 'Metlstorm' Boileau is the creator of winlockpwn, which enables a Linux-based computer to disguise itself as an iPod, connect to a Windows-based PC's FireWire port and take it over, regardless of whether it's password protected. Boileau, despite his hackerish nickname, is actually a well-known security consultant.

After demonstrating winlockpwn at a security conference back in 2006, Boileau waited 18 months to see if anyone would address the vulnerability his utility exposed. Nobody did, and with the recent coverage of the physical attack on full-disk encryption, he decided it was time to go public in a March 4 interview on the Australian-based Risky Business security podcast (it starts at 12:36 into the podcast). If you're not a big podcast fan, read about it here.

How winlockpwn Works

Simply put, winlockpwn works by exploiting a well-known feature (not a bug, thank you very much!) of the FireWire (aka IEEE-1394 or i.Link) interface: because FireWire is an expansion bus (not a peripheral bus like USB), it's designed to read and write system memory directly (DMA) without the host CPU mediating each transfer.

Boileau's program uses some "secret sauce" to make a Linux-based PC look like a harmless iPod (enabling it to bypass access control programs that block certain types of devices from connecting to a PC) but after the PC recognizes the fake "iPod," winlockpwn can launch software to bypass passwords and create other types of havoc.

Other operating systems, including Linux and MacOS, have long been known to be vulnerable to similar hacks, but winlockpwn is the first FireWire-based attack aimed at Windows PCs. Windows XP is the primary target, but Information Week reports that an Austrian-based security company has created a similar attack method targeting Vista.

Script Kiddies Need Not Apply

Thankfully, winlockpwn isn't available as a preconfigured .exe file - Boileau has published it as a research tool for serious security researchers (but, let's face it, serious hackers will also "benefit" from it too). It requires a Linux-based PC with a FireWire port, the Python programming language, and some programming libraries. A complete list of requirements is found in Boileau's original 2006 presentation "Hit by a Bus: Physical Access Attacks in Firewire" available in PDF form on his website.

Stopping winlockpwn

Winlockpwn's ability to attack a Windows-based PC via the FireWire port is based on the FireWire port's being active. So, the easiest way to stop winlockpwn is to disable your FireWire ports when they're not in use! Use BIOS routines to disable onboard FireWire ports, and the Windows Device Manager to disable card-based ports. Because winlockpwn can also be launched after plugging in a CardBus (32-bit PC Card) FireWire card into a "locked" PC, use Device Manager to disable the CardBus slots when they're not in use. If you'd rather use access control software to secure your PC, keep in mind that winlockpwn imitates 'harmless' devices, so you'd better configure the software to permit no access by any type of FireWire device (until it's time to plug in your DV camcorder or FireWire drive or scanner, that is).
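The Device Manager steps above can be scripted. The following is an added example, not from the article or from Boileau's tool: it audits and disables the same two things the article tells you to shut off, the FireWire (IEEE 1394) controllers and the CardBus/PCMCIA bridges a hot-plugged FireWire card would come in through, and re-enables them for a capture session. It assumes a Windows version with the PnpDevice cmdlets (Windows 8.1 or later; XP and Vista, the article's targets, do not have them) and an elevated prompt; the device setup class names '1394' and 'PCMCIA' are the standard ones for those controllers.

```powershell
# Added example (not the article's or the tool author's code): manage the ports the
# article says to disable from PowerShell rather than by clicking through Device Manager.
# Assumes Windows 8.1+ with Get-PnpDevice / Disable-PnpDevice / Enable-PnpDevice and
# an elevated prompt. Class names: '1394' = IEEE 1394 host controllers,
# 'PCMCIA' = CardBus / PC Card bridges (a plugged-in CardBus FireWire card needs one).

$DmaSlotClasses = @('1394', 'PCMCIA')

function Get-DmaSlotDevice {
    # List every controller in those classes regardless of state, so an audit shows
    # both enabled devices (Status 'OK') and ones already disabled (Status not 'OK').
    foreach ($class in $DmaSlotClasses) {
        Get-PnpDevice -Class $class -ErrorAction SilentlyContinue |
            Select-Object Class, FriendlyName, Status, InstanceId
    }
}

function Disable-DmaSlotDevice {
    # Disable every currently enabled FireWire / CardBus controller.
    # With -WhatIf, only report what would be disabled.
    param([switch]$WhatIf)
    foreach ($dev in (Get-DmaSlotDevice | Where-Object { $_.Status -eq 'OK' })) {
        if ($WhatIf) {
            Write-Output "Would disable: $($dev.FriendlyName) [$($dev.InstanceId)]"
        } else {
            Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
            Write-Output "Disabled: $($dev.FriendlyName)"
        }
    }
}

function Enable-DmaSlotDevice {
    # Bring controllers back for the camcorder / FireWire drive job, optionally
    # filtered by name; run Disable-DmaSlotDevice again when the job is done.
    param([string]$FriendlyNameFilter = '*')
    Get-DmaSlotDevice |
        Where-Object { $_.Status -ne 'OK' -and $_.FriendlyName -like $FriendlyNameFilter } |
        ForEach-Object {
            Enable-PnpDevice -InstanceId $_.InstanceId -Confirm:$false
            Write-Output "Enabled: $($_.FriendlyName)"
        }
}

# Usage (elevated prompt):
#   Get-DmaSlotDevice | Format-Table                     # audit: what is live on the bus?
#   Disable-DmaSlotDevice -WhatIf                        # dry run
#   Disable-DmaSlotDevice                                # shut the ports down
#   Enable-DmaSlotDevice -FriendlyNameFilter '*1394*'    # FireWire back for a capture job
```

Disabling the PCMCIA bridge is what covers the article's CardBus case: with the bridge off, a FireWire card pushed into the slot never enumerates. A Device Manager disable only takes effect once Windows is running, so the article's advice to switch onboard ports off in the BIOS still applies for the time before the OS is up.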

Panic? No! Reasonable Caution? Yes!

So, how should you react to the news that winlockpwn is stalking the Windows PC world? It isn't necessary to sleep with your laptop under your pillow, but you should secure it when you're not using it. Keep your office door locked when you're on break or at lunch, and put those FireWire ports to sleep when you don't need them for video capture or editing jobs.

----------------------------------------

Getting ready to take Vista for a spin, now that SP1's almost here? Arm yourself (or your office mates or family) with an easy-to-read guide that gives you the inside track: Maximum PC Microsoft Windows Vista Exposed, available at Amazon.com and other fine bookstores.

COMMENTS (15)

Firewire is useless - Warning Contains Ranting Comments...

Firewire is useless. It will allow someone to compromise my system but I am unable to Connect my PC to my cable DVR with a Firewire Cable. I am paying to record the tv shows to a hard drive, but I get nothing when I try to find a Vista x64 driver for the devices that show up. Can someone tell me why I shouldn't be able to copy a show from one drive to another when that is when I pay for the chance to record it to a hard drive in the first place, and the cable company doesn't want to let you swap out the drives either.

Great discussion, keep it going!

Thanks to everyone who's commented on this story. You've all made excellent contributions to the general knowledge level on threats and exploits. Keep 'em coming!
-----------------------------------------------
It's amazing how illogical a business built on binary logic can be.

when will we see firewire 800

i would like to see my pc let me use my mac hd at fw800 speeds. microsoft vista sp1 would but i hear it does not

usb 3 will be cool someday - fw800 is here now

FireWire Ports + Windows XP = Trouble, usually has...

Heh, why does this not surprise me one bit? While XP does support networking via FireWire, it's been a bit of a pain to get it working right. While you can daisy chain FireWire devices in general, you can't string a few PCs together using Windows.

Anyway, back on topic. For the most part, people don't use their FireWire ports on average and it would be a good idea to disable them. I've disabled all of mine on both my PC and Laptop via the BIOS as well as in Windows. I also employ a firewall that monitors all processes at the kernel level and before anything can execute, it has to obtain my approval. A good firewall that does a similar job is COMODO firewall, we are currently employing it on our newer remote VPN clients.

- mike_art03a
IT Technician
Gov't of Canada

Here's more about COMODO

Good points, mike from Canada. The FireWire networking support in XP was mainly for a quick-and-dirty two-station network (a sort of supercharged version of the old parallel-port Direct Cable Connection).

Here's the URL for COMODO: http://www.personalfirewall.comodo.com/

It looks like a useful alternative to ZoneAlarm and bundled firewalls - and it's free!
----------------------------------------
It's amazing how illogical a business built on binary logic can be.

Hell, you can use COMODO for

Hell, you can use COMODO for business use as well! Tell me how many other free firewalls allow you to do that?

- mike_art03a
IT Technician
Gov't of Canada

Well, good thing I disable

Well, good thing I disable the FireWire port on every one of my new builds - until and only during the time I'm actually going to use it for something - which is rarely.

Why this exploit is scarier than "steal the drive" ...

Most PC users in a home or office situation are going to be concerned if a tech called in on a software-related task whips out a screwdriver to open the system. However, most of these users probably wouldn't blink if the tech connects a cable between the "diagnostic" system and the system with an alleged problem ("I just need to run some diagnostics, sir" or "These tests will just take a few moments, ma'am").

This type of exploit has "social engineering" written all over it, and that (along with the technical nature of the threat) is why it's dangerous. It doesn't "look" threatening - but it is.

It's amazing how illogical a business built on binary logic can be.

This is silly. I can reset

This is silly.

I can reset the passwords of any Windows computer simply by booting off a CD.

I can reset the password of a Mac OS X computer simply by holding Command + S while the computer is starting up which boots the computer in single user mode and allows anyone to change the root password without knowing the existing one.

I can reset the password of a Linux computer by appending single to the boot string (unless the person uses Grub and put a password on it, which is a whole different story).

There are many simpler and much faster ways to gain access to a computer that you have physical access to other than using firewire. So this exploit isn't really that big of a deal because if the attacker already has physical access to your computer, you've lost.

Not so silly when you consider the following...

I often keep a spare FireWire or USB cable dangling for a quick ad hoc connection to a peripheral. Now, my office is a private office and I keep it locked, but in a cubicle environment, leaving a FireWire cable available for a peripheral could make it very, very easy for the data thief next door to pull an unused cable, add an extension, plug in their Linux+winlockpwn PC, and presto! A system compromised by a user who never needed to touch the system itself, the keyboard, the CD/DVD drive, etc.

When you consider that Windows XP (but not Vista) supports networking over FireWire, there may be more unattended FireWire cables that nobody's keeping a close watch on than you might suspect.

Anyway, if nothing else, this exploit reminds everyone of why FireWire and USB are fundamentally different technologies and how the difference can be exploited.

I've disabled my FireWire ports until they're needed - and I recommend everyone do the same.
-----------------------------------------
It's amazing how illogical a business built on binary logic can be.

Not so silly when you consider the following...

Yeah... You'd be astounded at how many people don't even know what firewire is, or maybe not, lol. Whenever people call me for internet tech support (work at an isp) they always like to tell me that they have a 1394 connection in the listed network connections, that it has a 169 ip, and that is why they can't access the internet. So this kind of exploit would be super easy to accomplish, as a previous poster mentioned (social engineering, etc) .... Pretty amusing stuff. Could possibly educate the masses on yet another part of their computer by scaring them into getting the correct knowledge. There is no patch for human stupidity as someone was quoted as saying.

FreeBSD not affected. Why?

FreeBSD not affected. Why? Because, by default users with access to su/root are the only users allowed to mount "extra" devices.

Well, yeh...

There is no security without physical security. This is well known. "Exploits" that require physical access to the PC don't worry me all that much.

Hell, all someone who can touch your PC has to do to get access to your data is take it apart and walk off with your hard drive(s).

horzo,

horzo,
"There is no security without physical security. This is well known. "Exploits" that require physical access to the PC don't worry me all that much.

Hell, all someone who can touch your PC has to do to get access to your data is take it apart and walk off with your hard drive(s)."

Why not just take (steal) the whole system case away instead, if someone could open up a case without knowing? :p

It's harder...

It's harder to get away with an entire system (think trying to steal a hotel TV by slipping it under your shirt) than with a single drive tucked into your pocket.

-= I don't want to be dead, I want to be alive! Or... a cowboy! =-
