SANS ISC: InfoSec Handlers Diary Blog

Firewire in the limelight

Published: 2008-03-11
Last Updated: 2008-03-11 14:37:34 UTC
by Swa Frantzen (Version: 2)

Let's start with a warning: there's little news in here, as it was made public by Adam Boileau at RUXCON 2006 (presentation) but went relatively unnoticed by the wider public at the time. Still, in the aftermath of the "cold boot" paper, the Firewire attack vector has gained some more attention.

The short story: just as (cold) DRAM doesn't behave the way most of us thought, Firewire isn't as similar in features to USB as most of us assumed. Firewire allows much more than USB. E.g. Firewire-connected peripheral devices can read and write RAM on the host directly (using DMA, so the CPU doesn't come into play at all). So a Firewire device connected to e.g. a screen-locked machine could gain access to the machine or its secrets, such as encryption keys.

The attack vector is physical access to a bus on a computer, just like your PCI bus. Introduce a malicious device into a system and the entire system is untrustworthy. This can, however, also be used in forensic cases, so there is room for legitimate use too.

Defending against this attack vector becomes very complex, as those with physical access could simply add a Firewire adapter to a PC Card (PCMCIA) slot and wait for the OS to install the drivers and activate the card. Noticing the attack isn't trivial either, as e.g. a (somewhat modified) iPod can be used to perform it.
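One of the few software-side mitigations on a host that has no need for Firewire is to make sure the OS never binds a driver to the controller, so a hot-added adapter gets no DMA-capable driver to begin with. The following is an added example, not part of the diary and not code from SANS or the author: it audits Linux modprobe configuration text for the IEEE-1394 driver modules (the module names and the sample configurations are assumptions of this example) and distinguishes a plain `blacklist` entry, which only stops udev from auto-loading the module via its PCI alias, from an `install <module> /bin/false` entry, which also blocks explicit loads and dependency pulls.

```python
import re

# Linux kernel modules that bind IEEE-1394 (Firewire) controllers and expose
# the bus. The "firewire-*" names are the newer stack, the others the older
# ieee1394 stack. This list is an assumption of the example, not from the diary.
FIREWIRE_MODULES = (
    "firewire-ohci", "firewire-core", "firewire-sbp2",
    "ohci1394", "sbp2", "raw1394", "video1394", "dv1394",
)

# Commands that make an "install" line a no-op load, i.e. a hard block.
BLOCKING_COMMANDS = ("/bin/false", "/bin/true")


def _norm(name):
    # modprobe treats '-' and '_' in module names as equivalent.
    return name.replace("-", "_").lower()


def parse_modprobe_config(text):
    """Return (blacklisted, install_blocked): two sets of normalized module names."""
    blacklisted, blocked = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "blacklist" and len(parts) == 2:
            blacklisted.add(_norm(parts[1]))
        elif parts[0] == "install" and len(parts) >= 3:
            command = " ".join(parts[2:])
            if command in BLOCKING_COMMANDS:
                blocked.add(_norm(parts[1]))
    return blacklisted, blocked


def audit_firewire(text):
    """Map each Firewire module to 'blocked', 'blacklist-only' or 'loadable'."""
    blacklisted, blocked = parse_modprobe_config(text)
    status = {}
    for mod in FIREWIRE_MODULES:
        n = _norm(mod)
        if n in blocked:
            status[mod] = "blocked"          # install line: cannot be loaded at all
        elif n in blacklisted:
            status[mod] = "blacklist-only"   # auto-load stopped, explicit load still possible
        else:
            status[mod] = "loadable"         # nothing prevents the driver from binding
    return status


def unprotected(text):
    """Modules that are not hard-blocked, sorted for stable reporting."""
    return sorted(m for m, s in audit_firewire(text).items() if s != "blocked")


# Constructed sample configurations (not taken from any real system).
WEAK_CONFIG = """
# /etc/modprobe.d/local.conf - nothing about firewire here
blacklist pcspkr
"""

PARTIAL_CONFIG = """
blacklist firewire-ohci   # stops udev auto-load only
"""

HARDENED_CONFIG = "\n".join(
    "install %s /bin/false" % m.replace("-", "_") for m in FIREWIRE_MODULES
) + "\n"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("partial", PARTIAL_CONFIG),
                       ("hardened", HARDENED_CONFIG)):
        print("%-8s not hard-blocked: %s" % (label, ", ".join(unprotected(cfg)) or "none"))
```

To run it against a real host, feed it the concatenated contents of `/etc/modprobe.d/*.conf` instead of the constructed samples; a module reported as "blacklist-only" is still loadable once anything requests it by name, so the `install ... /bin/false` form is the one to verify. On machines that legitimately need Firewire this check does not apply, and hardware-level measures (IOMMU, physically disabling the port) are the remaining options.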

Firewire is also known as IEEE 1394 or "i.LINK" (Sony).

UPDATE: Thorsten wrote in to point out the even earlier work by Max Dornseif, who published on this attack back in 2004 at PacSec and in 2005 at CanSec.

--
Swa Frantzen -- Gorilla Security
