Firewire hack

May 15th, 2008

USB ports are something most of us use everyday and they are now near mandatory interfaces on computers. They are commonplace on servers where just a few years ago they weren’t even an option. Many computers now have FireWire ports. Sony calls this interface iLink and the official name is 1394. Firewire is not used nearly as much as USB, even though it is better architecturally and even the slowest 1394 ports can push sustained data faster then the latest USB standards. This port is used mainly for working with digital video cameras and some use this port instead of USB for external drives because it is a bit faster.

There is a new exploit that can take advantage of FireWire ports. Actually, it isn’t that new. Discoverers of the vulnerability notified Microsoft years ago but the world’s largest software maker didn’t consider it that much of a risk. Unfortunately, a hacker has made this a much greater risk by publishing the tools to take advantage of this weakness. An attacker can connect his/her computer to your computer with a 1394 cable and pull your password out of memory…. at in only takes a few seconds. Having a password protected screensaver does not help.

The method used can, actually will, be modified to extract more then just a user’s password. New programs will try to gather disk encryption keys (if any) and even try to get data out of RAM such as information in an open spreadsheet. In short, until OS makers come out with a patch, the current defense is to disable the FireWire port when not in use, or to log off all accounts when the computer is not in use. If a computer is suspended (sleep mode), even hibernating, then it could still be attacked just by waking it up. As much as I prefer using external FW drives, it is wiser to use USB attached drives instead. If you would like steps on how to disable FW ports in Device Manager, post a comment or send an e-mail to ccalvert (at) umw (dot) edu.