pacsec.jp advisory: Firewire/IEEE 1394 Considered Harmful to Physical Security

From: Dragos Ruiu (dr_at_KYX.NET)
Date: 10/18/04

    Date:         Mon, 18 Oct 2004 01:59:59 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Firewire/IEEE 1394 Considered Harmful to Physical Security

    Advisory URL: http://pacsec.jp/advisories.html

    Summary:
    --------

    IEEE1394 Specification allows client devices to directly access host
    memory, bypassing operating system limitations. A malicious client device
    can read and modify sensitive memory, causing privilege escalation,
    information leakage and system compromise. Any system with sensitive
    information or in an unsecured physical location, esp. public access
    systems, should re-evaluate their system security and consider additional
    physical security measures if they are equipped with "firewire" ports.
    These ports are sometimes also called "iLink" on some Sony models.

    Details:
    --------

    In the presentation, "Owned by an iPod" which Maximilian Dornseif, from
    Laboratory for Dependable Distributed Systems at RWTH Aachen University,
    will be giving at the PacSec.jp/core04 conference in Tokyo on Nov 11/12,
    several new techniques involving the IEEE 1394 interface commonly
    found on laptops, desktops, and some servers will be demonstrated.

    These techniques could be used in both malicious and beneficial applications.
    The beneficial applications are in the areas of system forensics and
    external debugging. The malicious applications are that anyone with
    physical access to the firewire port could tamper with system operation
    and compromise security without measures such as power cycling or rebooting.

    Systems that counted on physical access limitation such as blocking access
    to reset and power switches and other measures to limit compromise through
    such procedures as rebooting, need to re-examine their security.

    As usual, physical access to a computer usually implies the ability
    for compromise - however, with this new technique, merely plugging
    in a malicious Firewire/1394 client device with special software
    could be enough to tamper with a target. It becomes easier to
    violate security if the combination of physical access and 1394
    interfaces is available.

    Security policies and procedures should be re-evaluated
    and consider this new information where needed.

    Fix:
    ----

    On some systems that require untrusted/unauthenticated physical
    access by strangers and still require restricted operations, removal
    of wire headers connecting external case firewire jacks may provide
    some limited remediation.
    On laptops epoxy may be used to permanently disable the external jack
    if such loss of functionality can be tolerated.
    The primary precaution is that employees should be warned that they
    should not plug unknown/untrusted firewire devices into computers
    containing sensitive information.
    As this capability is built into the specification and chipsets at
    the hardware level, software fixes are still under investigation and
    will be discussed at the presentation.

    Systems Affected:
    -----------------
    - Any operating system and any processor platform with IEEE 1394 interfaces.
      In some cases even if the operating system in question does not support
      the interface, compromise may still be possible if the hardware is powered.
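As an added example that is not part of this advisory or of the PacSec material, the following POSIX shell script is a defender's inventory check for the "Systems Affected" list above: it reads `lspci -nn` output and `/proc/modules` text and reports whether an IEEE 1394 host controller is present and whether the running kernel has a 1394 driver bound to it. The samples embedded below are constructed (vendor name and device IDs are placeholders); the PCI class code `0c00` for FireWire (IEEE 1394) is the real one. Note the caveat the advisory itself states: a host with a controller but no driver loaded is still reported as exposed, because the hardware, not the operating system, performs the memory access.

```shell
#!/bin/sh
# Added example, not part of the advisory. Inventory check for IEEE 1394
# host controllers and loaded 1394 kernel drivers.
# PCI base class 0c, subclass 00 is "FireWire (IEEE 1394)"; lspci -nn prints it as [0c00].

# Count IEEE 1394 host controllers in `lspci -nn` text read from stdin.
# grep -c prints 0 and exits 1 when nothing matches, so the exit status is ignored.
count_1394_controllers() {
    grep -c -E '\[0c00\]|FireWire|IEEE 1394' || true
}

# Print the names of loaded 1394 kernel modules from /proc/modules (or lsmod)
# text read from stdin. Covers the old ieee1394/ohci1394/sbp2 stack and the
# newer firewire_core/firewire_ohci/firewire_sbp2 stack.
loaded_1394_drivers() {
    awk '$1 ~ /^(ieee1394|ohci1394|sbp2|firewire_core|firewire_ohci|firewire_sbp2)$/ { print $1 }'
}

# Classify a host. Argument 1: lspci -nn text, argument 2: /proc/modules text.
# Prints one of NO_1394, 1394_WITH_DRIVER, 1394_NO_DRIVER.
audit_1394() {
    ctl=$(printf '%s\n' "$1" | count_1394_controllers)
    drv=$(printf '%s\n' "$2" | loaded_1394_drivers | grep -c . || true)
    if [ "$ctl" -eq 0 ]; then
        echo NO_1394
    elif [ "$drv" -gt 0 ]; then
        echo 1394_WITH_DRIVER
    else
        # Per the advisory, a powered controller is exposed even without a driver.
        echo 1394_NO_DRIVER
    fi
}

# Constructed sample inputs (not real captures). Vendor name and the
# [1234:5678] vendor:device pair are placeholders; only the [0c00] class is real.
SAMPLE_LSPCI_LAPTOP='00:1f.2 SATA controller [0106]: Example Vendor AHCI Controller [1234:0001]
03:00.0 FireWire (IEEE 1394) [0c00]: Example Vendor 1394a OHCI Host Controller [1234:5678]'
SAMPLE_MODULES_LAPTOP='firewire_ohci 40960 0 - Live 0xffffffffc0a00000
firewire_core 69632 1 firewire_ohci, Live 0xffffffffc09e0000
e1000e 249856 0 - Live 0xffffffffc0900000'
SAMPLE_LSPCI_SERVER='00:1f.2 SATA controller [0106]: Example Vendor AHCI Controller [1234:0001]
02:00.0 Ethernet controller [0200]: Example Vendor Gigabit NIC [1234:0002]'
SAMPLE_MODULES_SERVER='e1000e 249856 0 - Live 0xffffffffc0900000
ahci 40960 2 - Live 0xffffffffc0880000'

# Demonstration on the constructed samples. On a live Linux host, run instead:
#   audit_1394 "$(lspci -nn)" "$(cat /proc/modules)"
echo "laptop: $(audit_1394 "$SAMPLE_LSPCI_LAPTOP" "$SAMPLE_MODULES_LAPTOP")"
echo "laptop, driver unloaded: $(audit_1394 "$SAMPLE_LSPCI_LAPTOP" "$SAMPLE_MODULES_SERVER")"
echo "server: $(audit_1394 "$SAMPLE_LSPCI_SERVER" "$SAMPLE_MODULES_SERVER")"
```

The three outcomes map onto the advisory's remediation list: NO_1394 needs nothing, 1394_WITH_DRIVER is the ordinary laptop case where the header removal or epoxy measures apply, and 1394_NO_DRIVER is the case the "Systems Affected" note warns about, where unloading the driver alone has not removed the exposure.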
    --
    World Security Pros. Cutting Edge Training, Tools, and Techniques
    Tokyo, Japan    Nov 11-12 2004  http://pacsec.jp
    pgpkey http://dragos.com/ kyxpgp
    --
    NTBugtraq Editor's Note:
    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    --
    
