One of these days, the folks who write dictionaries are going to list "secure" as an antonym for "personal computer." After all, we recently learned that a can of compressed air can be used to break full-disk encryption like Windows Vista's BitLocker and MacOS's FileVault. And now, thanks to a security researcher from New Zealand, we're learning that FireWire ports also offer an attack vector. Ouch!
Meet 'Metlstorm' and His Attack Program, winlockpwn
Adam 'Metlstorm' Boileau is the creator of winlockpwn, which enables a Linux-based computer to disguise itself as an iPod, connect to a Windows-based PC's FireWire port and take it over, regardless of whether it's password protected. Boileau, despite his hackerish nickname, is actually a well-known security consultant.
After demonstrating winlockpwn at a security conference back in 2006, Boileau waited 18 months to see if anyone would address the vulnerability his utility exposed. Nobody did, and with the recent coverage of the physical attack on full-disk encryption, he decided it was time to go public in a March 4 interview on the Australian-based Risky Business security podcast (it starts at 12:36 into the podcast). If you're not a big podcast fan, read about it here.
How winlockpwn Works
Simply put, winlockpwn works by exploiting a well-known feature (not a bug, thank you very much!) of the FireWire (aka IEEE-1394 or i.Link) interface: because FireWire is an expansion bus (not a peripheral bus like USB), it's designed to communicate directly with memory.
Boileau's program uses some "secret sauce" to make a Linux-based PC look like a harmless iPod, which lets it bypass access control programs that block certain types of devices from connecting to a PC. Once the PC recognizes the fake "iPod," winlockpwn can launch software to bypass passwords and create other types of havoc.
Other operating systems, including Linux and MacOS, have long been known to be vulnerable to similar hacks, but winlockpwn is the first FireWire-based attack aimed at Windows PCs. Windows XP is the primary target, but Information Week reports that an Austrian-based security company has created a similar attack method targeting Vista.
Script Kiddies Need Not Apply
Thankfully, winlockpwn isn't available as a preconfigured .exe file - Boileau has published it as a research tool for serious security researchers (but, let's face it, serious hackers will "benefit" from it too). It requires a Linux-based PC with a FireWire port, the Python programming language, and some programming libraries. A complete list of requirements is found in Boileau's original 2006 presentation "Hit by a Bus: Physical Access Attacks in Firewire" available in PDF form on his website.
Winlockpwn's ability to attack a Windows-based PC via the FireWire port depends on the FireWire port being active. So, the easiest way to stop winlockpwn is to disable your FireWire ports when they're not in use! Use BIOS routines to disable onboard FireWire ports, and the Windows Device Manager to disable card-based ports. Because winlockpwn can also be launched by plugging a CardBus (32-bit PC Card) FireWire card into a "locked" PC, use Device Manager to disable the CardBus slots when they're not in use. If you'd rather use access control software to secure your PC, keep in mind that winlockpwn imitates 'harmless' devices, so you'd better configure the software to permit no access by any type of FireWire device (until it's time to plug in your DV camcorder or FireWire drive or scanner, that is).
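The Device Manager check described above can also be run from PowerShell. This is an added example, not part of the original article or of Boileau's tool; it assumes PowerShell 3.0 or later, and the `-Disable` switch and variable names are the example's own.

```powershell
# Added example, not from the original article. Audits FireWire and CardBus
# controllers and, with -Disable, turns off any that are still enabled.
# Assumptions: PowerShell 3.0+ for Get-CimInstance; Disable-PnpDevice needs
# Windows 8 / Server 2012 or later and an elevated prompt.
param([switch]$Disable)

# Device setup class GUIDs for the two entry points the article names.
$targets = @{
    '{6bdd1fc1-810f-11d0-bec7-08002be2092f}' = 'IEEE 1394 (FireWire) host controller'
    '{4d36e977-e325-11ce-bfc1-08002be10318}' = 'PCMCIA/CardBus adapter'
}

$findings = Get-CimInstance -ClassName Win32_PnPEntity |
    Where-Object { $_.ClassGuid -and $targets.ContainsKey($_.ClassGuid.ToLower()) } |
    ForEach-Object {
        [pscustomobject]@{
            Kind       = $targets[$_.ClassGuid.ToLower()]
            Name       = $_.Name
            InstanceId = $_.PNPDeviceID
            # ConfigManagerErrorCode 22 = device disabled in Device Manager.
            Enabled    = ($_.ConfigManagerErrorCode -ne 22)
        }
    }

if (-not $findings) {
    Write-Output 'No FireWire or CardBus controllers reported by Windows.'
    return
}

$findings | Format-Table Kind, Name, Enabled -AutoSize | Out-Host

foreach ($dev in @($findings | Where-Object Enabled)) {
    if ($Disable) {
        # Same effect as right-click > Disable in Device Manager.
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        Write-Output "Disabled: $($dev.Name)"
    } else {
        Write-Warning "Still enabled: $($dev.Name) ($($dev.Kind))"
    }
}
```

A controller that has been switched off in the BIOS is not enumerated by Windows and so will not appear in the output. Use `Enable-PnpDevice` with the same instance ID when the port is needed again.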
Panic? No! Reasonable Caution? Yes!
So, how should you react to the news that winlockpwn is stalking the Windows PC world? It isn't necessary to sleep with your laptop under your pillow, but you should secure it when you're not using it. Keep your office door locked when you're on break or at lunch, and put those FireWire ports to sleep when you don't need them for video capture or editing jobs.