popping the box via firewire

It has been known for a while that a Firewire port can own memory, but it is getting new traction now with the “cold boot”/“memory remanence” attack on laptop FDE. Adam “Metlstorm” Boileau has released his python script that can unlock a Windows box through the Firewire port. Keep in mind this accesses memory (RAM!) to do its dirty work. I’ve seen announcements of this here and here and many more places.

I can’t confirm this, but I think this attack requires connecting a Linux box to a Windows PC via Firewire (you can just do this directly), running a tool (tar.gz) to gain DMA access (Direct Memory Access), and running the python script on the Linux box. The script can cause all passwords to succeed on a locked system, can just unlock a system, or pop up a shell at the winlogon prompt (basically get into the system without logging in). I’ve not tried this, but I think this is as simple as it gets.

The mitigation to date is to turn off your firewire ports when they are not in use, or to not allow anyone else physical access to them.
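The “turn off your firewire ports” mitigation applied to a Linux host, as an added example that is not Boileau’s code and not from the original post: a POSIX shell script that writes a modprobe blacklist for the FireWire driver modules and checks whether any of them are currently loaded. The module names cover both the older ieee1394 stack and the newer firewire stack and are an assumption about the host’s kernel.

```shell
#!/bin/sh
# Added example (not from the original post): keep the IEEE 1394 (FireWire)
# stack from loading on a Linux host so nothing can be plugged in to do DMA.
# Module names are assumed: old ieee1394 stack and newer firewire stack.

FIREWIRE_MODULES="firewire_ohci firewire_core firewire_sbp2 ohci1394 ieee1394 sbp2 raw1394 video1394 dv1394"

# Write a modprobe blacklist. $1 = destination file
# (default /etc/modprobe.d/firewire-blacklist.conf, which needs root).
write_firewire_blacklist() {
    dest="${1:-/etc/modprobe.d/firewire-blacklist.conf}"
    {
        echo "# Block DMA over FireWire: do not load the 1394 stack"
        for m in $FIREWIRE_MODULES; do
            echo "blacklist $m"
            # 'install ... /bin/false' also blocks loading as a dependency
            echo "install $m /bin/false"
        done
    } > "$dest"
}

# Return 0 if none of the FireWire modules is loaded, 1 otherwise.
# $1 = a /proc/modules-style listing (default: the live /proc/modules).
firewire_modules_loaded() {
    list="${1:-/proc/modules}"
    loaded=""
    for m in $FIREWIRE_MODULES; do
        # /proc/modules lines start with "<name> <size> ..."
        if grep -q "^$m " "$list" 2>/dev/null; then
            loaded="$loaded $m"
        fi
    done
    [ -z "$loaded" ] && return 0
    echo "FireWire modules loaded:$loaded" >&2
    return 1
}
```

Run write_firewire_blacklist as root and then unload the listed modules (or reboot); firewire_modules_loaded with no argument reads the live /proc/modules so the check can go in a login or audit script.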

Boileau has released it on his own site (scroll to the bottom) and there is also a mirror up. His presentation (pdf) is still available on the topic as well.

More information about dumping memory via firewire is available (pdf), along with some likely outdated info on connecting two Windows PCs together using only Firewire.

I would expect the gentlemen at Hak5.org to demonstrate this on a future episode. 🙂 Hell, if someone is looking to get some hits, whip up a video of this in action, demonstrating in a how-to format.