Firewire/IEEE 1394 Considered Harmful to Physical Security Advisory URL: http://pacsec.jp/advisories.html Summary: -------- IEEE1394 Specification allows client devices to directly access host memory, bypassing operating system limitations. A malicious client device can read and modify sensitive memory, causing privilege escalation, information leakage and system compromise. Any system with sensitive information or in an unsecured physical location, esp. public access systems, should re-evaluate their system security and consider additional physical security measures if they are equipped with "firewire" ports. These ports are sometimes also called "iLink" on some Sony models. Details: -------- In the presentation, "Owned by an iPod" which Maximilian Dornseif, from Laboratory for Dependable Distributed Systems at RWTH Aachen University, will be giving at the PacSec.jp/core04 conference in Tokyo on Nov 11/12, several new techniques involving the IEEE 1394 interface commonly found on laptops, desktops, and some servers will be demonstrated. These techniques could be used in both malicious and beneficial applications. The beneficial applications are in the areas of system forensics and external debugging. The malicious applications are that anyone with physical access to the firewire port could tamper with system operation and compromise security without measures such as power cycling or rebooting. Systems that counted on physical access limitation such as blocking access to reset and power switches and other measures to limit compromise though such procedures as rebooting, need to re-examine their security. As usual, physical access to a computer usually implies the ability for compromise - however, with this new technique, merely plugging in a malicious Firewire/1394 client device with special software could be enough to tamper with a target. It becomes easier to violate security if the combination of physical access and 1394 interfaces is available. Security policies and procedures should be re-evaluated and consider this new information where needed. Fix: ---- On some systems that require untrusted/unauthenticated physical access by strangers and still require restricted operations, removal of wire headers connecting external case firewire jacks may provide some limited remediation. On laptops epoxy may be used to permanently disable the external jack if such loss of functionality can be tolerated. The primary precaution is that employees should be warned that they should not plug unknown/untrusted firewire devices into computers containing sensitive information. As this capability is built into the specification and chipsets at the hardware level, software fixes are still under investigation and will be discussed at the presentation. Systems Affected: ----------------- - Any operating system and any processor platform with IEEE 1394 interfaces. In some cases even if the operating system in question does not support the interface, compromise may still be possible if the hardware is powered. -- World Security Pros. Cutting Edge Training, Tools, and Techniques Tokyo, Japan Nov 11-12 2004 http://pacsec.jp pgpkey http://dragos.com/ kyxpgp