[NEWS] Firewire/IEEE 1394 Considered Harmful to Physical Security

From: SecuriTeam (support_at_securiteam.com)
Date: 11/01/04

    To: list@securiteam.com
    Date: 1 Nov 2004 19:08:33 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Firewire/IEEE 1394 Considered Harmful to Physical Security
    ------------------------------------------------------------------------

    SUMMARY

    The IEEE 1394 specification allows client devices to access host memory
    directly (DMA), bypassing operating system protections. A malicious client
    device can therefore read and modify sensitive memory, leading to privilege
    escalation, information leakage and full system compromise. Owners of any
    system that holds sensitive information or sits in an unsecured physical
    location, especially public-access systems, should re-evaluate their
    security and consider additional physical measures if the system is
    equipped with "firewire" ports. These ports are also called "iLink" on
    some Sony models.

    DETAILS

    In the presentation "Owned by an iPod", which Maximilian Dornseif of the
    Laboratory for Dependable Distributed Systems at RWTH Aachen University
    will give at the PacSec.jp/core04 conference in Tokyo on Nov 11/12,
    several new techniques involving the IEEE 1394 interface commonly found on
    laptops, desktops and some servers will be demonstrated.

    These techniques have both malicious and beneficial applications. The
    beneficial ones are in system forensics and external debugging. The
    malicious one is that anyone with physical access to the firewire port
    could tamper with system operation and compromise security without
    power cycling or rebooting the machine.

    Systems whose security relies on limiting physical access, for example by
    blocking access to the reset and power switches and otherwise preventing
    compromise through procedures such as rebooting, need to have their
    security re-examined.

    Physical access to a computer has always implied the ability to compromise
    it; with this technique, however, merely plugging in a malicious
    Firewire/1394 client device running special software can be enough to
    tamper with a target. Where physical access and a 1394 interface are both
    available, violating security becomes considerably easier.

    Security policies and procedures should be re-evaluated and consider this
    new information where needed.

    Fix:
    On systems that must allow untrusted or unauthenticated physical access by
    strangers while still restricting operations, removing the wire headers
    that connect the external case firewire jacks to the motherboard may
    provide some limited remediation.

    On laptops epoxy may be used to permanently disable the external jack if
    such loss of functionality can be tolerated.

    The primary precaution is that employees should be warned that they should
    not plug unknown/untrusted firewire devices into computers containing
    sensitive information.

    As this capability is built into the specification and chipsets at the
    hardware level, software fixes are still under investigation and
    will be discussed at the presentation.
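    As an added illustration, not part of the advisory, the POSIX shell script below checks a Linux host for loaded IEEE 1394 driver modules and prints an /etc/modprobe.d fragment that keeps them from loading. The module names are the Linux driver names; the /proc/modules sample is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the advisory: check a Linux host for loaded
# IEEE 1394 driver modules and emit a modprobe.d fragment that keeps them
# from loading. Module names are the Linux ones: ieee1394/ohci1394/sbp2/raw1394
# (older stack) and firewire-core/firewire-ohci/firewire-sbp2 (newer stack).

FW_MODULES="ieee1394 ohci1394 sbp2 raw1394 firewire-core firewire-ohci firewire-sbp2"

# Constructed sample of /proc/modules output so the script runs offline;
# on a real host pass "$(cat /proc/modules)" instead (see --check below).
SAMPLE_MODULES='firewire_ohci 40960 0 - Live 0xffffffffc0a00000
firewire_core 65536 1 firewire_ohci, Live 0xffffffffc09e0000
e1000e 262144 0 - Live 0xffffffffc0900000
ohci1394 36864 0 - Live 0xffffffffc0880000'

# fw_loaded <modules-text>: print each loaded 1394 driver module, one per line.
# /proc/modules spells names with '_' where modprobe accepts '-', so normalise.
fw_loaded() {
    printf '%s\n' "$1" | awk -v list="$FW_MODULES" '
        BEGIN { n = split(list, a, " ")
                for (i = 1; i <= n; i++) { m = a[i]; gsub("-", "_", m); want[m] = 1 } }
        ($1 in want) { print $1 }'
}

# fw_blacklist: print an /etc/modprobe.d fragment. "blacklist" stops alias-based
# autoloading; "install ... /bin/false" also makes explicit modprobe calls fail.
fw_blacklist() {
    for m in $FW_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# fw_risk <modules-text>: succeed (0) when no 1394 driver is loaded, else fail (1).
fw_risk() {
    [ -z "$(fw_loaded "$1")" ]
}

# Usage: sh <this-script> --check (live host) | sh <this-script> --sample
case "${1:-}" in
    --check)  fw_loaded "$(cat /proc/modules)"; fw_blacklist ;;
    --sample) fw_loaded "$SAMPLE_MODULES" ;;
esac
```

    The advisory notes that compromise may still be possible while the hardware is powered even without operating-system driver support, so unloading the driver is a partial measure alongside the physical steps listed above.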

    Systems Affected:
    Any operating system and any processor platform with IEEE 1394 interfaces.
    In some cases even if the operating system in question does not support
    the interface, compromise may still be possible if the hardware is
    powered.

    ADDITIONAL INFORMATION

    The information has been provided by Dragos Ruiu <dr@kyx.net>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

