Vulnerability disclosure continues to be a difficult area for both black-hat and white-hat "security researchers". Occasionally, disclosure results in appreciation from the vendor and the timely release of an effective patch. However, those in the hacker/security community know that this is not exactly the norm. Sometimes the vendor simply turns a deaf ear to the researcher, claiming that they are mistaken or that it's not the vendor's problem. Then there is the worst-case scenario, in which a person's discovery of a weakness or flaw leads to corporate embarrassment and insecurity, expressed as legal action against the researcher.
Over the years, several individuals have found this out the hard way. In 2000, Princeton University computer science professor Edward Felten figured out how to break the digital audio watermark technology developed by Verance Corporation. This watermark was used by the Secure Digital Music Initiative (SDMI) for audio content copyright protection. Before Prof. Felten and his colleagues were able to publish their findings academically, they were threatened with legal action by the SDMI and the RIAA for alleged violation of the DMCA.
In 2001, Russian programmer and cryptography researcher Dmitry Sklyarov gave a presentation at Def Con that demonstrated weaknesses in Adobe's e-book and PDF protection. For revealing flaws that allowed Adobe's encryption protection to be cracked, he was arrested by the FBI for alleged violation of the DMCA.
One of the more famous disclosure incidents occurred at Black Hat 2005, when security researcher Michael Lynn presented a vulnerability in Cisco IOS. As in the other incidents, revealing a vulnerability to a large company resulted in a flurry of lawsuits, a restraining order and, for Lynn, unemployment.
In such cases, vendors usually prefer to keep the information hidden from the public rather than publicly acknowledging, addressing and fixing the problem. The former is cheaper; the latter is ethically correct.
Security researcher Adam Boileau has just released the code behind his tool Winlockpwn. The program itself is not new, however. At Ruxcon 2006, Adam's presentation "Hit by a Bus: Physical Access Attacks with FireWire" revealed the tool and showed how, run from a Linux box, it could compromise any PC that has an active FireWire (IEEE 1394) port.
Responsibly, he did not release the code for this exploit at the time, but he did notify Microsoft of its existence. Yet here we are two years later and Microsoft has yet to address the issue. Apparently, it's not a vulnerability but the exploitation of a "feature" of the IEEE 1394 protocol. Any hacker worth his weight in RAM knows that if someone has physical access to your computer, it's 0wned. When that same concept is conveyed by Microsoft via its "10 Immutable Laws of Security" (Have you actually read that ridiculous stuff? When did they become the definitive authority on security? Does their code actually follow those laws?) ...it's just annoying.
So how does one actually FireWire a PC into submission?
Regardless of what you call it (FireWire, i.LINK, IEEE 1394), it is a high-performance, yet complex, serial bus protocol. Windows commonly presents it as a network adapter (IP over 1394), which is consistent with its layered transport design, and its ability to multiplex isochronous and asynchronous traffic makes it an excellent medium for real-time, high-quality audio and video. The security-relevant difference from USB is this: on USB only the host controller ever touches system memory, and a device can do nothing but answer the host's requests. IEEE 1394 is a peer-to-peer bus, closer in spirit to an expansion bus like PCI/AGP than to a peripheral bus: any node can issue asynchronous read and write requests to any other node's address space, and the host's open host controller interface (OHCI) chip services requests aimed at its "physical" address range directly from the PC's main memory, with no driver or CPU involvement. That hardware mapping is what gives a FireWire node direct memory access (DMA) to the host.
With direct read/write access to physical memory behind the back of the operating system, the (mis)user can do a great deal. Legitimately, it is used for forensic memory imaging, debugging and password recovery. Attackers can use exactly the same access to bypass authentication, inject malware that the OS never sees loaded, steal or destroy data, and plant system backdoors.
This exploit is not limited to Wintel machines. It has been successfully demonstrated on Linux and Mac OS X as well. Furthermore, in a paper recently released by the Vienna-based SEC Consult Vulnerability Lab, a proof-of-concept attack was described that succeeded against Windows Vista.
From everything I have read, it appears that the only form of mitigation is to remove or deactivate any FireWire ports on your PC. While that may be true, if I were to attempt to protect my PC against all attacks that could be executed with physical access to my machine... I would have nothing more than a bullet-proof touch screen kiosk built into my wall. Even then, someone would probably figure out a way to hack through.
Bring on USB 3.0! I can be FireWired at:
With 20+ years of industry experience, Noah Schiffman is a former black-hat hacker turned security consultant. Coding from an early age, he developed one of the early text/graphic editing applications and started his first software company in 1980, when he was 11 years old. With the advent of networking technologies, he soon mastered the art of manipulating telco switching systems, known as "phone phreaking". This led to his career as a computer hacker, performing penetration testing, reverse engineering, cryptographic attacks, corporate espionage, digital surveillance and other ethically questionable projects.
His clients have included Fortune 500 companies and various government agencies.
He has authored a number of articles for SearchSecurity.com on topics ranging from kernel-mode and metamorphic viruses to corporate data loss prevention.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.