Firewire security threat

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
If you haven't heard about it already, there's a threat vector for PCs that have Firewire ports. Basically a device can be connected to a PC and use Firewire's access mechanism to bypass Windows authentication services. As this access is part of the FW spec, I doubt a true fix will be forthcoming.

I suggest disabling Firewire in Device Manager and if possible in the machine's BIOS if you don't use it. Of course the BIOS disable is semi-useless unless you also password-protect your BIOS (side topic - consider enabling your machine's TPM).

Likewise, for laptops, disable the expansion slots - PCMCIA, PCCard, ExpressCard - if not in use. While not a perfect fix it does reduces the threat surface area by making it harder to use a FW expansion card.

I know this isn't possible or practical in all cases but some of you may be like me. I don't use FW for anything and everything I need on my laptop comes either built-in or is added via USB & not expansion cards.

USB appears to not be part of the surface area for the threat as there aren't any FW - USB bridge devices. I could be wrong on that but it is what I've read so far. Some are speculating that USB allows the same unfettered system access but I'm not convinced that's true.


There has also been recent mention of an attack whereby someone with physical access can use liquid nitrogen or other supercooling treatments to sustain RAM contents & allow RAM - including encryption keys - to be read. This would let an attacker read even encrypted disks once they had the key. To be susceptible a machine must have powered RAM (includes most hibernation modes) or be 'frozen' within a few minutes of powering off.

The main suggestion to circumvent is to not let the machine get away from your physical control (duh!). Also, don't use hibernation. Personally, I've never found the whole hibernation/resume function to be more stable or faster than simply power cycling. And I would only power down to move from home to office & back; the network & hardware environments are different enough that a reboot is a good idea.


Have a nice day. :scratch:
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,744
Location
Horsens, Denmark
Once you've lost physical control of the box then it's all over.

That is what I keep telling my clients. Any suggestions for physically securing a server in an environment too small for a server room? There are 4 servers in the supply room, and I'm investigating chain-link fence...
 

Bozo

Storage? I am Storage!
Joined
Feb 12, 2002
Messages
4,396
Location
Twilight Zone
That is what I keep telling my clients. Any suggestions for physically securing a server in an environment too small for a server room? There are 4 servers in the supply room, and I'm investigating chain-link fence...

We have our servers behind chainlink fence in a cube farm.
Some office/industrial supply companies sell fencing for offices.

Bozo :joker:
 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
The interesting thing about the FW exploit is that a drive by is sufficient. Walk up to an unattended but "protected"-by-passworded-screen-saver box, plug in the FW device, give it a moment to auto-deploy your malware, unplug it, walk away. The malware would have unfettered access & could upload data to an FTP or other server not only right away but, say, send changed files every week.

As to physical locking, I don't know. Laptops & some monitors have the Kensington security slot. I haven't noticed this on any servers although I haven't checked. Other thought: use oneway screws when mounting servers in a rack.

But my best advice would be use full disk encryption so if the machines - or just the drives - are ripped off you don't have to worry about data leakage.
 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
Our servers are in a locked cage. The cage is in a data center. The data center has a locked door. The locked door has another locked door which required password + biometrics. Outside of that is the armed guard. He/she has to hit the button to get you into their area. To get to that point you have to go through 3 other locked doors. The building is unnamed and has blast-resistant doors.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,744
Location
Horsens, Denmark
I think a cage is the best thing. I already have full drive encryption on all workstations and servers (using the latest TrueCrypt). The password policy is sane but capable, and every employee goes though a decent screening policy and security talk by me before they are given a username and password. None of the workstations have Firewire ports, but the servers do. Physically preventing access to them sounds like the last reasonable measure to take.
 

Will Rickards

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,012
Location
Here
Website
willrickards.net
This is not a real threat.
Like pradeep says, physical access to a machine means it can be rooted.

But if you aren't using firewire then by all means disable it.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
17,497
Location
USA
I need my Cardbus slot and Firewire ports also. :) If someone breaks in and attacks me, they can have my computers, ports and all. ;) I don't care about the work notebook. It is not my problem and truly sucks in any case.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,744
Location
Horsens, Denmark
This is not a real threat.
Like pradeep says, physical access to a machine means it can be rooted.


But this "drive by" isn't the same level of physical access as previously required. I no longer have to steal the machine, or even have 5 minutes at the keyboard. Their sys admin or security could be in the room and not see me plug and unplug a device.
 
Top