
ieee1394.txt
Posted Oct 27, 2004
Site pacsec.jp

IEEE1394 Specification allows client devices to directly access host memory, bypassing operating system limitations. A malicious client device can read and modify sensitive memory, causing privilege escalation, information leakage and system compromise.

tags | advisory
SHA-256 | 5908ecd32dc1bc51bdc80887e043a5b00259a45eb5d176b1d23bc4137217fdfd

Firewire/IEEE 1394 Considered Harmful to Physical Security

Advisory URL: http://pacsec.jp/advisories.html

Summary:
--------

IEEE1394 Specification allows client devices to directly access host
memory, bypassing operating system limitations. A malicious client device
can read and modify sensitive memory, causing privilege escalation,
information leakage and system compromise. Operators of any system that
holds sensitive information or sits in an unsecured physical location,
especially public-access systems, should re-evaluate system security and
consider additional physical security measures if the system is equipped
with "firewire" ports. Some Sony models label these ports "iLink".

Details:
--------

In the presentation "Owned by an iPod", which Maximilian Dornseif, from
the Laboratory for Dependable Distributed Systems at RWTH Aachen
University, will be giving at the PacSec.jp/core04 conference in Tokyo on
Nov 11/12, several new techniques involving the IEEE 1394 interface
commonly found on laptops, desktops, and some servers will be demonstrated.

These techniques could be used in both malicious and beneficial applications.
The beneficial applications are in the areas of system forensics and
external debugging. On the malicious side, anyone with physical access to
the firewire port could tamper with system operation and compromise
security without resorting to measures such as power cycling or rebooting.

Systems that counted on physical access limitations, such as blocking access
to reset and power switches and other measures to limit compromise through
such procedures as rebooting, need to re-examine their security.

As always, physical access to a computer usually implies the ability
to compromise it. With this new technique, however, merely plugging
in a malicious Firewire/1394 client device with special software
could be enough to tamper with a target. Violating security becomes
easier when physical access is combined with an available 1394
interface.

Security policies and procedures should be re-evaluated
in light of this new information where needed.

Fix:
----

On some systems that require untrusted/unauthenticated physical
access by strangers and still require restricted operations, removal
of wire headers connecting external case firewire jacks may provide
some limited remediation.

On laptops, epoxy may be used to permanently disable the external jack
if such loss of functionality can be tolerated.

The primary precaution is to warn employees not to plug
unknown/untrusted firewire devices into computers containing
sensitive information.

As this capability is built into the specification and chipsets at
the hardware level, software fixes are still under investigation and
will be discussed at the presentation.


Systems Affected:
-----------------

- Any operating system and any processor platform with IEEE 1394 interfaces.
  In some cases even if the operating system in question does not support
  the interface, compromise may still be possible if the hardware is powered.
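
An added example, not part of the original advisory: a Linux-only inventory
check that lists IEEE 1394 controllers by PCI class code, including ones with
no driver bound, since the advisory notes that missing OS support does not
rule out exposure. It assumes the Linux sysfs layout; the function names are
illustrative.

```python
import os
import sys

# PCI class 0x0c = serial bus controller, subclass 0x00 = IEEE 1394 (FireWire).
FIREWIRE_CLASS_PREFIX = "0x0c00"
OHCI_PROG_IF = "10"  # programming interface 0x10 = OHCI host controller


def read_attr(path):
    """Return a sysfs attribute as a stripped string, or '' if unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def find_firewire_controllers(pci_root="/sys/bus/pci/devices"):
    """Return one dict per IEEE 1394 controller found under pci_root."""
    found = []
    if not os.path.isdir(pci_root):
        return found
    for addr in sorted(os.listdir(pci_root)):
        dev = os.path.join(pci_root, addr)
        pci_class = read_attr(os.path.join(dev, "class")).lower()
        if not pci_class.startswith(FIREWIRE_CLASS_PREFIX):
            continue
        link = os.path.join(dev, "driver")
        # No "driver" symlink means the device is present but unclaimed.
        driver = os.path.basename(os.path.realpath(link)) if os.path.islink(link) else None
        found.append({"address": addr,
                      "ohci": pci_class.endswith(OHCI_PROG_IF),
                      "driver": driver})
    return found


def report(controllers):
    """Render findings; controllers without a driver are still reported."""
    lines = []
    for c in controllers:
        state = f"driver={c['driver']}" if c["driver"] else "no driver bound, hardware present"
        kind = "OHCI" if c["ohci"] else "non-OHCI"
        lines.append(f"{c['address']}: IEEE 1394 controller ({kind}), {state}")
    return lines or ["no IEEE 1394 controllers found on the PCI bus"]


if __name__ == "__main__":
    print("\n".join(report(find_firewire_controllers(*sys.argv[1:2]))))
```

A clean result covers only controllers visible on the PCI bus at the time of
the check; it says nothing about ports added later through expansion cards.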

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan Nov 11-12 2004 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp