Exploiting a little known feature built into Firewire port specifications,
Adam Boileau released the source code to a utility authored in 2006 that allows anyone to bypass the Windows
Authentication dialog box on any PC with a Firewire port.
The tool is a simple, 200-line script written in the Python
programming language exploits features built into Firewire that allow
direct access to a computer’s memory. By targeting specific places that Windows
consistently stores its vital authentication functions, Boileau’s tool is able
to overwrite Windows’ secured code with patches that skip Windows’ password
Boileau says he decided to release the script now, two years
after it was initially unveiled, because Microsoft had not acted to patch the
vulnerability. Boileau considers his tool a “party-trick demo script thats been
lying around my [home folder] for two years gathering dust,” and considers it “a
pity to write code and have no one use it.”
“Besides,” says Boileau, “according to Microsoft's
definition, it never was a Security Vulnerability anyway – screensavers and
login prompts are … about the Feeling of Security.”
Boileau also notes that he’s seen others successfully modify
the script to hack Windows Vista’s password-check code, as well as use a laptop’s
PCMCIA port to plug in a Firewire card and attack the laptop after Windows
auto-installed the card’s drivers.
It’s important to note that Firewire’s provisions for direct
memory access, called DMA, are useful in other contexts, like in the use of
software debuggers. Nowadays, a sizable percentage of the world’s software checks
for the presence of programs monitoring memory directly – which is what a
debugger does – and will frequently act differently or refuse to start up if it
detects their presence.
Firewire ports are therefore usable as high-speed
debugging devices, allowing developers and hackers alike to passively monitor anywhere
in a computer’s memory and make changes where needed, whether its reprogramming
a password check or seeding buggy software with correct data. It might also
allow forensic investigators to grab an encrypted hard drive’s decryption key
directly from memory, while the computer is running.
Also important is that the same technique has been known to
work on other operating systems, including Mac OS X and Linux – and in fact
some people have used modified iPods to run Firewire DMA attacks on the fly.
Common security thought dictates that a computer is essentially lost if it is in your opponent’s possession, and that security on a physical machine will be subverted with time: for computers equipped with
Firewire, the thought couldn’t be more true.
quote: as well as use a laptop’s PCMCIA port to plug in a Firewire card and attack the laptop after Windows auto-installed the card’s drivers.
quote: I do not know for sure, but this would probably require quite a bit of reworking and extra logic for both the North Bridge and Memory Controller on an x86 PC to make this fix work.
quote: Intel would like to see Firewire dead