from Hacker News

Inception - Root any machine over FireWire, Thunderbolt, others

by rdn on 1/26/14, 12:06 AM with 62 comments

  • by seldo on 1/26/14, 3:51 AM

    It seems like the root problem here, as in lots of security problems, is an assumption made early on is no longer valid (e.g. "this application only runs on our LAN, so no need to protect against malicious actors"). In this case, PCI was originally an internal technology -- adding a new PCI device involved opening the case and plugging in a new card. Pluggable PCIe devices changed that assumption, so things that were previously pretty safe (trusting a new piece of hardware physically installed into the box) became unsafe (trusting a random device plugged into the box).

  • by teddyh on 1/26/14, 2:09 AM

    This part was especially interesting:

    Q: Isn’t FireWire a dying horse? Few laptops ship with FireWire ports these days, which makes Inception a useless tool.

    A: You can use any interface that expands the PCIe bus, for example PCMCIA, ExpressCards, the new Thunderbolt interface and perhaps SD/IO to hotplug a FireWire interface into the victim machine. The OS will install the necessary drivers on the fly, even when the machine is locked.

  • by comex on 1/26/14, 7:18 AM

    Note that on newer processors, VT-d is supposed to entirely prevent this attack on CPUs that support it (damn Intel), and OSes do use it [1]. I'm curious whether anyone has tried to search for bugs in those implementations.

    [1] https://developer.apple.com/library/mac/documentation/Hardwa...

  • by captainmuon on 1/26/14, 10:06 AM

    Wait, firewire devices are allowed to write to any address in memory they like to? How ridiculous is that? Why is there no memory protection?

    I wonder how to block this... It seems like it can only write to the lower 4 GB... RAM is cheap... so add an addtional 4 GB and then modify the kernel to load everything critical above the boundary?

  • by userbinator on 1/26/14, 2:45 AM

    Nothing exciting here... if you have physical access, it's game over.

  • by Sanddancer on 1/26/14, 7:03 AM

    While this attack is a bit old, the proofs of concept remain, except you can do more fun things with certain hardware released in the interim. For example, Apple's firewire display uses a broadcom networking chip that is susceptable to people writing malicious firmware for -- http://esec-lab.sogeti.com/post/2010/11/21/Presentation-at-H... . Fitting a malicious payload into the given space may be a bit tough, but I imagine the intrepid hacker can do it with style and flare.

  • by runn1ng on 1/26/14, 5:49 AM

    (2011) should be added to the title; see the date of the comments below the article.

  • by drakaal on 1/26/14, 4:53 PM

    Couple of caveats. Many Laptops have Firewire ports that are attached via USB for cost reasons. These 1394 ports will do DV, and attached storage but are not DMA.

    Thunderbolt on Windows 8 has an option for Allow DMA by Default, or not. This option is so that you can do a bit more prioritizing of your bandwidth.

    Windows 8 also has a setting for "install new hardware automatically" which if you disable you can only install hardware if you are logged in and click the install button.

    Windows 8 will also not allow you to install a new device if you are not logged in as Admin, or you have the Annoying UAC enabled.

    So while Mac and some Linux systems will have this vulnerability because you don't have to be an admin to have new hardware enabled if the drivers are on the system, Windows should be safe unless you changed your rights.

    On a corporate network with machines where the users run in least user privilege, Windows 8, and Windows 7 users are safe.

  • by kalleboo on 1/26/14, 8:19 AM

    > Don’t panic – if you are using FileVault2 and OS X Lion (10.7.2) and higher, the OS will automatically turn off DMA when locked – you’re still vulnerable to attacks when unlocked, though

    So, not really a problem then?

  • by vezzy-fnord on 1/26/14, 1:48 AM

    This is relatively old. I first recall seeing it a few years ago.

  • by ballard on 1/26/14, 8:17 AM

    0. Is there a way to disable FireWire and Thunderbolt ports on OSX?

    1. Is there yet any I/O firewall like Little Snitch or Hands Off! are for files and network?

    2. Linux and Windows also desperately need I/O firewalls.

  • by alanh on 1/26/14, 10:13 PM

    OS X: Don’t panic – if you are using FileVault2 and OS X Lion (10.7.2) and higher, the OS will automatically turn off DMA when locked – you’re still vulnerable to attacks when unlocked, though

    Phew.

  • by almosnow on 1/26/14, 1:50 AM

    Awesome work, loved thr name