No smoke without Firewire

Filed Under: Data loss, Privacy, Vulnerability, Windows

In a recent programme on, host Patrick Gray interviewed Kiwi security researcher Adam Boileau about his software called Winlockpwn. This software allows you to unlock Windows computers using what Gray describes succinctly as "Firewire trickery". Boileau was pretty careful in the interview to explain that this is can be considered an expected side-effect of having a live Firewire port on an unattended computer, Windows or not. Nevertheless, the story has grown in some quarters to suggest that this is an unpatched, unsolved vulnerability which needs immediate and special attention.

So let's revisit the story quickly.

Q. A guy in New Zealand can break into my Windows computer!

A. Not quite. A guy in New Zealand has published some code which, amongst other things, shows how to use a Firewire link on a live Windows system to turn off password checking at the screen which says This computer is in use and has been locked. He does this by using the Firewire connection to alter memory on the target computer. He can't break into your computer remotely from New Zealand -- he needs physical access to your PC whilst it is turned on.

Q. This is terrible! When will Microsoft produce a patch?

A. This isn't really a vulnerability or a bug. For better or for worse, it's a feature of the Firewire interface. Firewire supports what is called DMA (Direct Memory Access). This allows the Firewire hardware controller on your motherboard to read and write system memory directly, for flexibility and performance. It makes the Firewire interface great for high-bandwidth data capture, such as digital video, and it is also handy for remote system debugging and system forensics.

Q. What? You're suggesting this DMA business is a good thing?

A. When programmers talk about "breaking into" a running process, they are not proposing a crime. Relying on the operating system and the main processor is unreliable when you are debugging  system software, especially if the system software itself has gone haywire. In this context, breaking in means regaining control.

Likewise, letting a hardware device such as a video camera upload data directly into PC memory, without waiting for assistance from the operating system, means that you don't need to worry about lost frames or patchy sound.

Q. Are you saying that Microsoft can't do anything about this?

A. Microsoft has had a solution for years: if you have a Firewire port, disable the Firewire driver when you aren't using it. That way, if someone does plug into your port unexpectedly, they can't use it to interact with your PC, legimitately or otherwise.

And look after your PC when it's unattended. A software lock on the keyboard and mouse provides some additional safety against fiddling, but it's not a proper security solution.

Q. What? I have to turn off my PC and secure it when I'm not using it? I can't leave it lying around ready for later?

A. Why would you give physical access to your PC to people you don't trust?

I know people who'd think three times about asking a passing stranger to take their photo in front of the Sydney Opera House in case the stranger did a runner with the camera, but who are much more casual with their laptop PC, as long as it's software-locked. Yet their computer hardware alone is worth five times as much as the camera, and the data on the PC is worth at least ten times as much again.

If you aren't using Firewire -- and on a business PC there is often no need for it unless you are in the process of importing video -- then don't enable the Firewire driver, and you won't be providing a port through which an outsider can get access to system memory.

Don't turn on system features you don't need.

, , ,

You might like

One Response to No smoke without Firewire

  1. Derek Bruce · 1459 days ago

    FireWire is the brand name for Apple's high-speed serial bus interface that uses IEEE 1394 protocol. It includes such features as hot swapping and plug and play.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog