It’s common knowledge among computer security professionals that physical access to hardware can result in some security measures being bypassed (a simple local login password is typically no match for a boot disk carrying the tools to delete or modify the password file itself). However, most of these efforts take time and sometimes even require access to the inner hardware of the computer.

It could be argued that computers are a bit more vulnerable when they are powered on and ready to use: important or sensitive data could be sitting in memory, literally waiting to be read. Consider the case of an employee locking the screen or logging off (without shutting down) and stepping out for lunch or going home at the end of a workday. If an attacker could access the memory of the running computer without first having to authenticate, what damage could be done?

More importantly, is this even possible?

According to Adam Boileau, it is.

Interviewed in ITRadio’s Risky Business podcast, Boileau said the tool, released to the public today, could “unlock locked Windows machines or login without a password … merely by plugging in your Firewire cable and running a command”.

The machine is then tricked into granting the attacking computer read and write access to its memory. With full access to memory, the tool can modify the Windows password-checking code resident there and render it ineffective.

The real danger of a tool like this is the speed with which it gives an attacker control of the system, and the ease with which it reaches the memory of a running PC. They don’t have to worry about boot disks or finding the physical location of the password file… instead, they just plug and chug.

Although the ability of the Windows Firewire controller to give attached devices unchecked access to all of a system’s memory is considered a feature, it is one with a dangerous potential for abuse.
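Because the article only describes the risk, here is an added defender-side check that is not part of the original post and not part of Boileau’s tool: a PowerShell script that inventories IEEE 1394 (FireWire) host controllers on a Windows machine and reports whether the inbox bus driver is disabled, with an option to disable the controllers. It assumes Windows 8 / Server 2012 or later (for the `Get-PnpDevice` and `Disable-PnpDevice` cmdlets), an elevated session for the disable step, and the inbox 1394 bus driver service name `1394ohci`; the function name `Get-FirewireStatus` and the `-Disable` switch are my own.

```powershell
# Added example (not from the article): report FireWire (IEEE 1394) controllers on a
# Windows host and whether the 1394 bus driver is disabled, so a defender can confirm
# that the DMA path described in the article is closed on unattended machines.
# Assumptions: Windows 8 / Server 2012 or later, inbox driver service '1394ohci',
# and Administrator rights when -Disable is used.

[CmdletBinding()]
param(
    # Pass -Disable to disable every present FireWire controller (requires elevation).
    [switch]$Disable
)

function Get-FirewireStatus {
    # PnP device class '1394' groups IEEE 1394 host controllers.
    $controllers = @(Get-PnpDevice -Class '1394' -ErrorAction SilentlyContinue)
    $present     = @($controllers | Where-Object { $_.Present })

    # The service's Start value tells whether the bus driver can load:
    # 3 = demand start (loads when a controller appears), 4 = disabled.
    $svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\1394ohci'
    $startValue = $null
    if (Test-Path $svcKey) {
        $startValue = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    }

    [pscustomobject]@{
        ControllersPresent = $present.Count
        Controllers        = $present
        DriverStartValue   = $startValue
        DriverDisabled     = ($startValue -eq 4)
    }
}

$status = Get-FirewireStatus

if ($status.ControllersPresent -eq 0) {
    Write-Output 'No FireWire controller present.'
} else {
    # List each controller with its current PnP status (OK, Error, Unknown, ...).
    $status.Controllers |
        Select-Object FriendlyName, InstanceId, Status |
        Format-Table -AutoSize

    if ($status.DriverDisabled) {
        Write-Output 'The 1394 bus driver is disabled (Start = 4); device DMA via FireWire is blocked.'
    } else {
        Write-Warning ('The 1394 bus driver is enabled (Start = {0}); a plugged-in FireWire device could be granted memory access.' -f $status.DriverStartValue)
    }

    if ($Disable) {
        # Disable-PnpDevice prompts by default; -Confirm:$false runs unattended.
        $status.Controllers | Disable-PnpDevice -Confirm:$false
        Write-Output 'FireWire controllers disabled.'
    }
}
```

Run it without arguments to audit a machine, or with `-Disable` from an elevated prompt to turn the controllers off on hosts that have no business use for FireWire. The script intentionally reports rather than changes the driver's Start value; disabling the PnP devices is reversible through Device Manager, whereas editing the service key affects every future controller on the machine.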