[NEWS] Firewire/IEEE 1394 Considered Harmful to Physical Security
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 1 Nov 2004 19:08:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Firewire/IEEE 1394 Considered Harmful to Physical Security
IEEE1394 Specification allows client devices to directly access host
memory, bypassing operating system limitations. A malicious client device
can read and modify sensitive memory, causing privilege escalation,
information leakage and system compromise. Any system with sensitive
information or in an unsecured physical location, esp. public access
systems, should re-evaluate their system security and consider additional
physical security measures if they are equipped with "firewire" ports.
These ports are sometimes also called "iLink" on some Sony models.
In the presentation, "Owned by an iPod" which Maximilian Dornseif, from
Laboratory for Dependable Distributed Systems at RWTH Aachen University,
will be giving at the PacSec.jp/core04 conference in Tokyo on Nov 11/12,
several new techniques involving the IEEE 1394 interface commonly found on
laptops, desktops, and some servers will be demonstrated.
These techniques could be used in both malicious and beneficial
applications. The beneficial applications are in the areas of system
forensics and external debugging. The malicious applications are that
anyone with physical access to the firewire port could tamper with system
operation and compromise security without measures such as power cycling
Systems that counted on physical access limitation such as blocking access
to reset and power switches and other measures to limit compromise though
such procedures as rebooting, need to re-examine their security.
As usual, physical access to a computer usually implies the ability for
compromise - however, with this new technique, merely plugging in a
malicious Firewire/1394 client device with special software could be
enough to tamper with a target. It becomes easier to violate security if
the combination of physical access and 1394 interfaces is available.
Security policies and procedures should be re-evaluated and consider this
new information where needed.
On some systems that require untrusted/unauthenticated physical access by
strangers and still require restricted operations, removal of wire headers
connecting external case firewire jacks may provide some limited
On laptops epoxy may be used to permanently disable the external jack if
such loss of functionality can be tolerated.
The primary precaution is that employees should be warned that they should
not plug unknown/untrusted firewire devices into computers containing
As this capability is built into the specification and chipsets at the
hardware level, software fixes are still under investigation and
will be discussed at the presentation.
Any operating system and any processor platform with IEEE 1394 interfaces.
In some cases even if the operating system in question does not support
the interface, compromise may still be possible if the hardware is
The information has been provided by <mailto:email@example.com> Dragos Ruiu.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.