A New Zealand security researcher has published a software
tool allowing attackers to quickly gain access to Windows systems via a
Firewire port.
The tool, which can only be used by attackers with physical
access to a system, comes shortly after the publication of research on gaining
access to encrypted hard drives via physical access to memory.
Researcher Adam Boileau, a consultant with Immunity,
originally demonstrated the access tool at a security conference in 2006, but
decided not to release the code any further at the time. Two years later,
however, nothing has been done toward fixing the problem, so he decided to go
public.
"Yes, this means you can completely own any box whose
Firewire port you can plug into in seconds," said Boileau in a recent blog
entry.
An attacker must connect to the machine with a Linux system
and a Firewire cable to run the tool.
The tool, called Winlockpwn, allows users to bypass Windows
authorization, was originally demonstrated at Ruxcon in 2006 at a talk called
"Hit By A Bus: Physical Access Attacks With Firewire".
At the time, Boileau also demonstrated some of the malicious
uses of the tool, but said he wouldn't be releasing the code for those attacks.
The attack takes advantage of the fact that Firewire can
directly read and write to a system's memory, adding extra speed to data
transfer. According to Boileau, because this capability is built into Firewire,
Microsoft doesn't consider the problem a standard bug.
On the other hand, Boileau said he feels PC users need to be
more aware of the fact that their systems can be unlocked via Firewire.
"Yes, it's a feature, not a bug," Boileau stated.
"Microsoft knows this. The OHCI-1394 spec knows this. People with Firewire
ports generally don't."
Microsoft was not immediately available for comment. In the
past the company has downplayed security problems that require physical access.
Firewire has become common on Windows systems in the past
few years, and is especially prevalent on laptops.
Researcher Maximillian Dornseif demonstrated a similar exploit
on Linux and Mac OS X systems at the CanSec conference in 2005, connecting to
those systems via a malicious iPod and Firewire.
According to security researchers, the problem can be
remedied by disabling Firewire when not in use.