The Firewire hole
A while back, I wrote about how the humble USB port could be a possible vector for social engineering attacks. A number of TechRepublic members countered that it is more of a “chair-keyboard” interface risk that should be addressed by means of proper user education — and not something to be mitigated by awkward workarounds.
Today, I want to talk about a vulnerability that is similar in that it involves a port designed for external connectivity, yet it is far more dangerous than the fallibility posed by the USB port.
Let’s look at the often ignored (and overlooked) IEEE-1394 Firewire (or iLink) port — which allows a data rate of between 100 to 800 mbps, and which is found in practically all laptops, as well as many higher-end computers.
Before we start, I must say that this security loophole in Firewire has been around for at least the last couple of years. However, it wasn’t an issue that was well-known.
A couple of weeks ago, though, the exploit source code of winlockpwn, which allows you to exploit Firewire to circumvent the user-password prompt in Windows was released. What followed was wide-spread experimentation and feedback, which proved the extreme vulnerability of this issue.
You see, while the USB port is considered a peripheral connect port for interfaces such as the serial and parallel ports, the IEEE-1394 Firewire (pdf) has been designed with loftier goals in mind - that of extending the system bus, much like the PCI, AGP, or PCMCIA standards. In order to shift data around at the envisioned blistering speeds, engineers designed Firewire to read and write directly into system memory.
Unfortunately, the security aspect of the paradigm falls flat when you consider that it is not such a good idea after all for Firewire devices — which can be hot-plugged at will, to have access to system memory.
Vendors like Microsoft are aware of the problem that Firewire poses. However, the official response all around so far has been that they are merely adhering to the Firewire specifications and “this is a feature, not a problem.”
Anyway, some of the things that this hole (pdf) could be exploited to do would be:
- To bypass operating system authentication (winlockpwn)
- Forensic memory imaging
- Recovery of passwords and crypto keys from memory
- Dropping of Trojans
If you are thinking that you are safe just because your laptop does not have a Firewire port, think again. According to reports of folks who have tried winlockpwn, a PCMCIA Firewire adapter card that is plugged in at the password screen auto installs successfully.
Due to increasing security awareness, there is a gradual shift towards hardware or operating system-based encryption. In fact, we should be seeing laptops that ship with build-in FDE (full disk encryption) hard disks have been available since last year.
However, all this is for naught if an insider is able to clone the entire disk image and then load it onto a similar system — plus a Firewire port, and use this vulnerability to break past the password prompt into the encrypted data. Obviously this is only hypothetical and would not work against a properly secured facility with multiple levels of physical safeguards.
However, we might need to recalibrate our thinking to the new paradigm posed by Firewire.
Hypothetical risks aside, the vulnerability is thankfully not too hard to mitigate. The obvious solution to prevent an exploit is to lock the Firewire port down in the BIOS. Being able to do so depends on your hardware though, and it might not always be possible.
Epoxy is another option if your organization does not use Firewire, though hard to explain to your boss. There are also certain ways to lock down Firewire if you use other operating systems.
Get IT tips, news, and reviews delivered directly to your inbox by subscribing to TechRepublic's free newsletters.
Print/View all Posts Comments on this blog
The Firewire hole paulmah@... | 03/27/08 RE: The Firewire hole The Scummy One | 03/27/08 Nope... dawgit | 03/27/08 RE: Nope me19562 | 03/28/08 Yep... groffg@... | 06/03/08