Firewire in the limelight

Let's start with a warning: there's little news in here as it was made public by Adam Boileau at RUXCON 2006 (presentation), but went by relatively unnoticed by the big public at that time. Still in the aftermath of the "coldboot" paper the Firewire attack vector gained some more attention.

The short story: Just like (cold) DRAM doesn't behave like most of us thought, neither is Firewire that similar in features to USB. Firewire allows much more than USB. E.g. Firewire connected peripheral devices can read and write RAM on the host directly (using DMA, so the CPU doesn't come into play at all). So a Firewire device connected to e.g. a screen-locked machine could gain access to the machine or it's secrets like encryption keys.

The attack vector is physical access to a bus on a computer just like your PCI bus. Introduce a malicious device into a system and the entire system is untrustworthy. This however can also be used in forensic cases, and as such there is possibility for good use too.

How to defend against this attack vector becomes very complex as those which physical access could simply add a Firewire adapter to a PCCARD bus and wait for the OS to install the drivers and activate the card.

Firewire is also known as IEEE-1394 or "iLink" (Sony).

Swa Frantzen -- Gorilla Security


760 Posts
Mar 11th 2008

Sign Up for Free or Log In to start participating in the conversation!