Escaping the FireWire DMA attack

Modern computers often profit from Direct Memory Access (DMA). Today even FireWire uses it for faster transmission to external devices (read: hard disks). The only problem is: this could be a security flaw.

How so, I hear you ask. Easy - just imagine the external device were malicious. It could read all your memory and even crash your machine by accessing non-accessible physical addresses. This security flaw has been known for quite a long time; for example, Maximillian Dornseif and Michael Becher held a presentation called Hacking with Fire[PDF] at the 21c3. I vaguely remember the talk, but it wasn't my pet topic then, so I didn't pay too much attention.

It isn't my pet topic now either, but the tools evolved.

Metlstorm made a talk at Ruxcon 2006 called Hit By A Bus: Physical Access Attacks with Firewire[PDF] and also started a FireWire DMA attack project page.

Finally, my dear friend Uwe decided to use his newly acquired dangerous Halbwissen[1] to read all of my RAM simply by attaching his Linux laptop to my MacBook via FireWire and running some scripts.

He did so with my permission and I watched closely so I could be sure he deleted all files afterwards. Nevertheless, a short grep revealed my user password not only in plain text, but also with the word password before it! So, clearly, this is a severe security issue. What to do?

The easiest way would be to turn off FireWire. This can happen physically or by software. You could, for example, put a small dose of sealing glue into your port to create some kind of honeypot: an attacker would plug in his cable and not be able to remove it anymore. Advantage: a new FireWire cable for you. Disadvantages: it isn't certain that the attack wouldn't work anyway. And, more importantly, the application of sheer force could damage your motherboard permanently.

This brings us to the software solution. Of course, this has the further advantage of allowing you to access the FireWire port whenever you want - you could decide to use it one day, couldn't you? In Linux, you can add the FireWire support as a module and load and unload it as you want. Or you can switch off DMA support for your module completely.

Well, a short listing of the active kernel extensions via kextstat revealed that there are two FireWire related extensions active. And after some further research, I made out the evildoer: the OHCI host controller driver, which is the part that actually services the bus's DMA requests. The rest was a piece of cake:

sudo kextunload /System/Library/Extensions/IOFireWireFamily.kext/Contents/PlugIns/AppleFWOHCI.kext

unloads the kernel extension and

sudo kextload /System/Library/Extensions/IOFireWireFamily.kext/Contents/PlugIns/AppleFWOHCI.kext

reloads it. The things left to do are now the following:

  • Write a program to automate these commands, especially execute the unload during startup
  • Find out if there are possibilities to load the kernel extension without DMA access
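A script for the first item, added here as an illustration and not the post's own code: it wraps the two kext commands above, checks kextstat before acting, and emits a launchd LaunchDaemon that runs the unload at boot. The bundle id com.apple.driver.AppleFWOHCI, the launchd label and the sample kextstat line are assumptions/constructed.

```sh
#!/bin/sh
# fwdma.sh: toggle the FireWire OHCI driver (the DMA-capable host controller
# kext) on Mac OS X and install a launchd job that unloads it at boot.
KEXT_PATH=/System/Library/Extensions/IOFireWireFamily.kext/Contents/PlugIns/AppleFWOHCI.kext
KEXT_ID=com.apple.driver.AppleFWOHCI        # assumed bundle identifier
PLIST=/Library/LaunchDaemons/local.fwdma.unload.plist   # assumed label/path
# Constructed kextstat line, used only by the selftest subcommand.
SAMPLE='   25    0 0x3c9000 0x1a000 0x19000 com.apple.driver.AppleFWOHCI (4.7.1) <7 6 5 4 3>'

# fw_loaded: reads a kextstat listing on stdin; exit 0 if the OHCI driver is
# listed. kextstat pads the bundle id with spaces, so a fixed-string match on
# " id " does not also hit the IOFireWireFamily entry that stays loaded.
fw_loaded() { grep -qF " $KEXT_ID "; }

fw_status() { if kextstat | fw_loaded; then echo loaded; else echo unloaded; fi; }
# Only call kextunload/kextload when the state actually needs changing.
# Under launchd the job already runs as root, so sudo is a no-op there.
fw_off() { if kextstat | fw_loaded; then sudo kextunload "$KEXT_PATH"; fi; }
fw_on()  { if ! kextstat | fw_loaded; then sudo kextload "$KEXT_PATH"; fi; }

# launchd_plist: print a LaunchDaemon that runs "<script> off" once at boot.
launchd_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>local.fwdma.unload</string>
  <key>ProgramArguments</key>
  <array><string>$1</string><string>off</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

if [ $# -gt 0 ]; then
  case "$1" in
    status)   fw_status ;;
    off)      fw_off ;;
    on)       fw_on ;;
    install)  launchd_plist "$(cd "$(dirname "$0")" && pwd)/$(basename "$0")" \
                | sudo tee "$PLIST" >/dev/null ;;
    selftest) printf '%s\n' "$SAMPLE" | fw_loaded && echo "match ok" ;;
    *) echo "usage: $0 status|off|on|install|selftest" >&2 ;;
  esac
fi
```

After `install`, load the job once with `sudo launchctl load "$PLIST"`; from the next boot on, launchd runs the unload before you log in.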

Both of these things I can do hopefully after my diploma thesis and final exams, which are impending. It really would be nice to have something to show at the 25C3.

Anyways, have fun with your devices!

[1] I always wanted to introduce a new word to the English language, so be it: Halbwissen is superficial knowledge, with the connotation that it seems to suffice at first glance. So, for example, Halbwissen is everything you probably know about cryptography, unless you are Bruce Schneier.

Update 2008-08-16: Uwe wrote his own article about the FireWire DMA Attacks. He is going a bit more into detail about the tools and about other platforms. So check it out. There also is a comment about setting an OpenFirmware password to disable FireWire on Mac OS X. This just begs for verification.