Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: windows 7

Windows 7 Firewire Attacks

About a week ago a friend of mine (Benjamin Böck) in Vienna asked me to take a look at a paper that’s he and David Huemer just released, discussing Firewire attacks on Windows 7 systems (Firewire-based Physical Security Attacks on Windows 7, EFS and BitLocker). I was familiar with the research from Adam Boileau back in 2006, and I’d played about with the winlockpwn tool on a few systems in a lab. However I’ve not had a chance to play with it on anything more modern than Windows XP sp2/3, with mixed results.

Benjamin’s paper contains some interesting information on how Firewire based attacks can be effected by EFS and bitlocker, as well as suggestions on reducing the overall attack surface. Far too many companies consider full-disk encryption as a panacea for any threat involving physical access. With that point aside, I also find it surprising that even after more than 3 years, Microsoft haven’t moved to mitigate this attack vector, even in the newer releases of OS. Although not generally considered a bug (after all Firewire is designed to have full memory access), some protections could have been put in place to protect the end-user. Current systems remain vulnerable to this attack, even if people are choosing to ignore it.

Benjamin and  David have also released a tool (FirewireBlocker) alongside the research. FirewireBlocker, as it’s name suggests, is designed to disable and re-enabling Firewire and PCMCIA/CardBus controllers when the screen is locked. This protects against the widely known attack scenario of an unknown attacker inserting a Firewire cable (or a PCMCIA Firewire card) into a laptop and copying the contents of memory and/or bypassing the logon prompt while the user is away at lunch or off playing golf with the other executives. It doesn’t however disable the Firewire/PCMCIA totally, removing one of the obstacles that prevented protections against this attack from being implemented.

More information on the papers and the FirewireBlocker tool can be found at the links below. Many thanks to Benjamin Böck and David Huemer for the effort put into the research and creation of the tool.