Networking

The Firewire hole

A while back, I wrote about how the humble USB port could be a possible vector for social engineering attacks. Today, I want to talk about the IEE-1394 Firewire which contains a vulnerability that is far more dangerous than the fallibility posed by the USB port.

A while back, I wrote about how the humble USB port could be a possible vector for social engineering attacks. A number of TechRepublic members countered that it is more of a "chair-keyboard" interface risk that should be addressed by means of proper user education -- and not something to be mitigated by awkward workarounds.

Today, I want to talk about a vulnerability that is similar in that it involves a port designed for external connectivity, yet it is far more dangerous than the fallibility posed by the USB port.

Let's look at the often ignored (and overlooked) IEEE-1394 Firewire (or iLink) port -- which allows a data rate of between 100 to 800 mbps, and which is found in practically all laptops, as well as many higher-end computers.

The problem

Before we start, I must say that this security loophole in Firewire has been around for at least the last couple of years. However, it wasn't an issue that was well-known.

A couple of weeks ago, though, the exploit source code of winlockpwn, which allows you to exploit Firewire to circumvent the user-password prompt in Windows was released. What followed was wide-spread experimentation and feedback, which proved the extreme vulnerability of this issue.

You see, while the USB port is considered a peripheral connect port for interfaces such as the serial and parallel ports, the IEEE-1394 Firewire (pdf) has been designed with loftier goals in mind - that of extending the system bus, much like the PCI, AGP, or PCMCIA standards. In order to shift data around at the envisioned blistering speeds, engineers designed Firewire to read and write directly into system memory.

Unfortunately, the security aspect of the paradigm falls flat when you consider that it is not such a good idea after all for Firewire devices -- which can be hot-plugged at will, to have access to system memory.

Vendors like Microsoft are aware of the problem that Firewire poses. However, the official response all around so far has been that they are merely adhering to the Firewire specifications and "this is a feature, not a problem."

Possible risks

Anyway, some of the things that this hole (pdf) could be exploited to do would be:

  • To bypass operating system authentication (winlockpwn)
  • Forensic memory imaging
  • Recovery of passwords and crypto keys from memory
  • Dropping of Trojans

If you are thinking that you are safe just because your laptop does not have a Firewire port, think again. According to reports of folks who have tried winlockpwn, a PCMCIA Firewire adapter card that is plugged in at the password screen auto installs successfully.

Due to increasing security awareness, there is a gradual shift towards hardware or operating system-based encryption. In fact, we should be seeing laptops that ship with build-in FDE (full disk encryption) hard disks have been available since last year.

However, all this is for naught if an insider is able to clone the entire disk image and then load it onto a similar system -- plus a Firewire port, and use this vulnerability to break past the password prompt into the encrypted data. Obviously this is only hypothetical and would not work against a properly secured facility with multiple levels of physical safeguards.

However, we might need to recalibrate our thinking to the new paradigm posed by Firewire.

Mitigation

Hypothetical risks aside, the vulnerability is thankfully not too hard to mitigate. The obvious solution to prevent an exploit is to lock the Firewire port down in the BIOS. Being able to do so depends on your hardware though, and it might not always be possible.

Epoxy is another option if your organization does not use Firewire, though hard to explain to your boss. There are also certain ways to lock down Firewire if you use other operating systems.

Forewarned is forearmed.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

6 comments
hsinsulation
hsinsulation

Firesleeve(Silicone Coated Fibreglass Sleeve) 1)Silicone rubber coated fiberglass sleeve(sleeving) - Protects hoses, cables and wires from molten metal splash, high heat hazards and occasional exposure to flame, in steel plants, glass plants, foundries, cutting and welding shops and wherever hoses, cables and wires may be exposed to high heat or occasional flame. Fireproof sleeve also may be used to insulate your race cars plumbing system. 2)Continuous protection to 500F, short term exposure thru 2200F Extremely flexible and conformable through out entire size range at temperatures -65F thru 500F. 3)Impede heat radiation of flame 4)Protect operator from burning by hot pipe 5)Impede heat lost and favor to saving energy 6)Moisture-proof, water-proof, resistance to oil and pollution 7)Color: red and blue mainly. 8)Bore diameter(mm):15,20,25,30,35,40,45,50,55,60,65,70,75,80,90,100,110,120,130;(Sizes from 1/4" I.D. to 6" I.D.) Yancheng Hengsheng Insulation Co.,Ltd Web: http://www.hsinsulation.com Email: hsinsulation@yahoo.com.cn Tel :+86-139-61986280 Fax : +86-515-88430696

The Scummy One
The Scummy One

Nice, maybe I will be able to get into a Vista bitlocked system afterall?

paulmah
paulmah

A while back, I wrote about how the humble USB port could be a possible vector for social engineering attacks. Today, I want to talk about the IEE-1394 Firewire which contains a vulnerability that is far more dangerous than the fallibility posed by the USB port.

groffg
groffg

It looks like the Firewire attack, along with other "online attack" vectors (where the OS is loaded), are feasible attacks against (or intended to bypass) FDE solutions like BitLocker. Off-line attack vectors like the "cold boot attack" are also options, provided the cryptographic key resides in RAM and the system is up (or the system does transparent authentication, like "basic mode" w/ TPM for BitLocker). Counter-measures: * Don't use transparent op mode ("basic mode" for BitLocker); i.e., you should be prompted for your password/PIN/USB key when you boot. * Shut down machine when not using. Avoid using standby, since (for most if not all FDE solutions) it does not require re-authentication. Note: for some FDE products (including BitLocker), hibernation mode is an acceptable alternative to shutting the machine down. * If possible/affordable, use hardware-based solutions like Seagate's Momentus drive. Alternately, use a product that supports using a TPM (again, like BitLocker) and use a PIN/password/USB/smartcard as a secondary token (the TPM serves the other useful purpose of pre-boot integrity checking of system/OS components). * Remember that security from online attack scenarios is still important. Enable DEP (based on NX/XD) for all programs; verify digital signatures of downloads; run as a restricted/limited user for daily computer use (use RunAs or UAC to elevate when needed); and then follow the "top 10" suggestions, like using a firewall, AV, etc.

dawgit
dawgit

No such luck. IEEE-1394 uses standard TCP/IP, (that's the cool part) and as such is blocked (or opened) by the standard Firewall. (but you already knew that) I don't know why this is making the rounds as something exciting now... Can't people read the standards anymore? -d

me19562
me19562

Wrong. IEEE-1394 don't standard TCP/IP. You should read the IEEE standard. What you can do is Networking over Firewire/IEEE-1394 as specify by the RFC 2734.