Posted on 07/27/2011 10:03:15 AM PDT by ImJustAnotherOkie
A company that makes password recovery tools has released one that can snatch passwords from a locked or sleeping Macintosh running Mac OS X Lion by plugging another computer into the Mac's FireWire port. The attack technique is several years old and the only way to defend against it is to turn the Mac off.
(Excerpt) Read more at pcworld.com ...
That doesn't sound like much of a risk. Plugging another computer into my computer. I mean, really, I would see that.
Let me know how you could plug something into my FireWire port over the interwebs and I’ll start worrying.
PC users have always been a joke as far as security goes.......
If you’ve lost physical control of the machine, it’s already game over. The method of attack is largely irrelevant.
That said, this sounds like something that should be patched — no need to make it any easier than it has to be. Still, anyone with access to the machine and a boot disk will be able to do just about anything they want to.
One word: Rachel Maddow. Now you can worry.
>>>>Mac security is now officially a joke.
Parity with Windows....
FUD !
recover or guess your password.
And why don't they just disable the Firewire port if the user is not logged in or if a password-protected screen saver is running?
Can’t wait to SHARE this with the arrogant Mac fanatics in my office.
Well, you've got me laughing. I'll give you that much. :D
FireWire is a memory-to-memory or DMA bus. That is, a connected device can access the memory from any computers to which it is connected.
This is fundamental to how FireWire (IEEE 1394) works, so it requires some kind of restriction on the areas of memory that it is allowed to access (different from that of the CPU itself). It also means that if you plug a FireWire card into a Windows computer, it is just as vulnerable.
In fact, it shares this vulnerability with the laptop card interfaces ExpressCard and PCCard, commonly used on Windows laptops.
If it were the same as the CPU, controlling access would be easy: the Memory Management Unit (MMU), which is part of the CPU, could handle it.
Since it is not, either the MMU has to be augmented to have a set of tables to determine what external devices are allowed to have access to particular memory (just like it does for different users) or a separate MMU for IO devices needs to be added to the system.
Either approach is expensive (and not really subject to a quick software fix). If it were only FireWire, which is still restricted largely to Apple devices, neither approach would be feasible.
Fortunately, Intel’s new pretty, LightPeak (ThunderBolt in Apple parlance), has the same interface-advantage/security-issue since it is also an external memory-to-memory or DMA bus.
Since Intel is also making the CPUs and their MMUs, and the board interface chips with ThunderBolt, you won’t be surprised to learn that the most recent Nehalem CPUs (Core i5 and i7) are the first recent consumer CPUs to contain an IOMMU as described above (with memory control for IO devices including FireWire and ThunderBolt).
Thus, for computers with FireWire and those CPUs or later ones, there is now a workable fix for the problem.
When that fix will see the light of day is another matter, but with ThunderBolt allowing the transfer of all the memory in a 16GB machine in less than 20 seconds (more than 10 times faster than FireWire 800), I think we will see it sooner rather than later.
“Another precautionary measure is to try and ensure no one gets access to your computer.”
OMG!!!! OMG!!! OMG!!! I simply MUST burn this thing and get me one of those secure and dependable PCs. I must not wait! I must get me a PC before the sky falls any farther or I will surely die! OMG!! Will they rape me too?!
If someone can get past my firewall, my fence, my guard geese, my ducks, chickens, my German Shepherd dog that believes everything on the property is his and that I am actually God, my house alarm, and my 30 years of defense - personal protection training and experience, HECK, they can have anything around here that they may desire.
Thank you so much. I remember those sweet old days when I had a PC. When it was down and down and down again, the dead time gave me a much needed and stress free rest.
As we all know, stress kills, so having a PC can actually help you live longer. Wow, those PC folks sure go out of their way to help us out.
Fortunately the Mac pro boots up quickly.
What bothers me most is encrypting the hard drive won’t help either (obviously).
Since the technology you mentioned isn’t in place it’s not limited to Lion.
Probably Bush’s fault.
Gee if somebody gets a hold of your computer, they could break into it...shocking!!! /s
“Can’t wait to SHARE this with the arrogant Mac fanatics in my office.”
Will you also SHARE this with the “arrogant” PC fanatics in your office..... or are you the only “arrogant” PC user in your office?
Next thing you know, they'll be telling you that letting people know your password will allow them to bypass system security, too!
OMG... I can’t believe they didn’t put that warning on the box!!
found some interesting followup.
Mitigation: Mac OS X
On Mac OS you might also be able to completely remove Firewire support from the kernel (but I don’t know if/how that can be done, not sure if you can easily recompile Mac OS kernels, and/or if you even have buildable source code and toolchains for that). However, you can at least remove the Firewire support in the default Mac OS installation by unloading AppleFWOHCI.kext:
$ sudo kextunload /System/Library/Extensions/IOFireWireFamily.kext/Contents/PlugIns/AppleFWOHCI.kext
Thanks to a Daniel Reutter for letting me abuse his MacBook via Firewire and for finding the above kextunload command line. We have successfully tested that after unloading AppleFWOHCI.kext the current tools won’t work anymore.
The tests were done on a Mac OS X 10.5 (Leopard) with all recent security updates applied. Please leave a comment if you can test other versions of Mac OS X...
Mitigation: Windows
As for Windows, well, I guess you’re screwed. While Windows XP does implement sort of “protection” in that it only allows physical DMA access via Firewire to devices which “deserve it”, e.g. iPods (or any other Firewire mass storage device, I guess) this can be easily defeated by having your attack PC/laptop pretend to be an iPod (see the romtool Python script by Adam Boileau).
The only remaining option I know of (short of removing/destroying Firewire ports or preventing physical access altogether) is to disable the Firewire ports/drivers in the device manager (untested by me so far). If you do that, remember to also disable all PCMCIA/Cardbus/ExpressCard controllers, of course (see above).
So far I’ve tested Windows XP SP2 successfully with Adam Boileau’s winlockpwn. Windows XP SP3 doesn’t seem to work, though (winlockpwn likely needs tweaking). I haven’t yet been able to test Windows 95/98/Vista, if you can verify one of them, please leave a comment.
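An added example, not part of the quoted follow-up or of any poster's comment: a shell check that confirms whether the kextunload mitigation above actually took effect by reading a `kextstat` listing. The bundle identifiers are assumptions (the page gives only the kext file path), and the sample listing is constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `kextstat` output (not captured from a real machine).
SAMPLE_LOADED='Index Refs Address    Size       Wired      Name (Version) <Linked Against>
   12    1 0x5f0000   0x25000    0x24000    com.apple.iokit.IOFireWireFamily (3.4.9) <5 4 3 2>
   31    0 0x7a1000   0x22000    0x21000    com.apple.driver.AppleFWOHCI (3.9.7) <12 11 5 4 3>
   40    0 0x8c0000   0x5000     0x4000     com.apple.driver.AppleUSBHub (3.4.9) <20 5 4 3>'

# The same listing as it would look after unloading AppleFWOHCI.kext.
SAMPLE_UNLOADED=$(printf '%s\n' "$SAMPLE_LOADED" | grep -v 'AppleFWOHCI')

# Reads a kextstat listing on stdin and prints one of:
#   exposed      the OHCI host-controller driver is loaded (FireWire DMA possible)
#   family-only  FireWire family code is loaded, but no host-controller driver
#   absent       no FireWire kexts are loaded
# Bundle identifiers below are assumed names for the kexts the page refers to.
fw_dma_status() {
    awk '
        {
            # Scan every field so the check does not depend on column layout.
            for (i = 1; i <= NF; i++) {
                if ($i == "com.apple.driver.AppleFWOHCI")     ohci = 1
                if ($i == "com.apple.iokit.IOFireWireFamily") family = 1
            }
        }
        END {
            if (ohci)        print "exposed"
            else if (family) print "family-only"
            else             print "absent"
        }'
}

# On a Mac, audit the live kernel; elsewhere, fall back to the sample.
if command -v kextstat >/dev/null 2>&1; then
    kextstat | fw_dma_status
else
    printf '%s\n' "$SAMPLE_LOADED" | fw_dma_status
fi
```

Because the unload does not persist across a reboot, a check like this is worth running at login or from a scheduled job rather than once.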