Since the early days of PCs, chips called DMA (Direct Memory Access) controllers were introduced to offload data-intensive tasks from the processor. This technology is what made sound cards tolerable and hard drives "faster", because the processor did not have to stop what it was doing to devote cycles to these repetitive transfers. The elegance of a DMA attack is that a device with DMA hardware privileges can essentially read and write any location in memory without processor intervention.
Without processor intervention - which means bypassing software security mechanisms - cracking into Windows computers just became a whole lot easier for hackers. If there is an IEEE 1394 (commonly known as FireWire) port on the machine, gaining access is as simple as plugging in. The technique was first demonstrated three years ago against UNIX machines and was adapted in 2007 to work on Windows machines. FireWire's OHCI interface protocol includes the ability for hardware devices to access RAM via DMA. Originally, debuggers used the technique to step through code in a test machine's RAM. It did not take long for the unrestricted degree of access in the debugging tool to be transformed into a hacking vector to read or change passwords directly, copy swaths of data from RAM, alter the code of running applications or even extract secret encryption keys. It takes nothing more than a reprogrammed iPod, a FireWire cable and a few seconds to deftly compromise any machine left physically unattended.
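As an added defender-side example (not code from the article or from the thread below), the following Python assesses whether a Linux host exposes the OHCI DMA path described above, working from the text of `lsmod`, `/proc/cmdline` and the modprobe.d configuration so it runs offline. The sample inputs are constructed; the module and parameter names (`firewire_ohci`, `ohci1394`, `intel_iommu=on`, `amd_iommu=on`) are the standard Linux ones and are assumptions here, not values taken from the page.

```python
"""Audit a Linux host's exposure to FireWire (IEEE 1394) OHCI DMA.

Added example: inputs are plain text so the logic can be exercised on
constructed samples instead of the live system.
"""
import re
from dataclasses import dataclass

# Current and legacy Linux 1394 host-controller drivers (assumed names).
OHCI_MODULES = {"firewire_ohci", "ohci1394"}


@dataclass
class Finding:
    loaded: set        # OHCI driver modules currently loaded
    blacklisted: set   # OHCI modules blocked in modprobe.d
    iommu_on: bool     # IOMMU requested on the kernel command line

    @property
    def verdict(self) -> str:
        if self.loaded:
            # With a controller driver active, only an IOMMU can confine
            # what a plugged-in device may read or write once the kernel is up.
            return "MITIGATED" if self.iommu_on else "EXPOSED"
        # Not loaded now, but an unblacklisted driver can still autoload
        # when a controller (e.g. an ExpressCard adapter) is hot-plugged.
        return "DISABLED" if self.blacklisted & OHCI_MODULES else "DORMANT"


def parse_lsmod(text: str) -> set:
    """Return module names from `lsmod` output (first column, header skipped)."""
    return {line.split()[0] for line in text.splitlines()[1:] if line.strip()}


def parse_blacklist(text: str) -> set:
    """Return module names from `blacklist <name>` lines in modprobe.d files."""
    return set(re.findall(r"^\s*blacklist\s+(\S+)", text, re.M))


def iommu_enabled(cmdline: str) -> bool:
    return re.search(r"\b(intel_iommu|amd_iommu)=on\b", cmdline) is not None


def assess(lsmod_text: str, cmdline: str, modprobe_text: str) -> Finding:
    return Finding(parse_lsmod(lsmod_text) & OHCI_MODULES,
                   parse_blacklist(modprobe_text) & OHCI_MODULES,
                   iommu_enabled(cmdline))


# Constructed sample: a host with the firewire_ohci driver loaded.
SAMPLE_LSMOD = """Module                  Size  Used by
firewire_ohci          45056  0
firewire_core          73728  1 firewire_ohci
usbcore               286720  3 xhci_hcd,usbhid,xhci_pci
"""
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-generic root=/dev/sda1 ro quiet"
```

Feeding it the real `lsmod`, `/proc/cmdline` and the contents of `/etc/modprobe.d/*.conf` gives the host's verdict; `DORMANT` is the case most audits miss.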


Maybe... by PowerPointSamurai :: NR7 :: on 14 March 2008
I'm a little skeptical of this because the iPod stopped using the FW interface years ago, with Generation 4 iPods, which were discontinued in Oct 2005. That's getting old enough to the point where anyone with an iPod that old must've cared for it pretty well, and then probably has invested in the battery replacement (which most don't). Then hard drive failures begin to be a factor, so I don't think that there are a whole lot of these in the wild anyway.
On the other hand, what you are talking about here has been a well-known phenomenon in the Mac world for a long time--as long as there has been FireWire. Macs can hook up to another Mac and boot one of the Macs in "target disk" mode, which basically makes it an external hard drive to the "master" Mac. There are ways to secure your Mac so no one does this against your will, however, so it's kind of odd nobody evidently built a protection against this into Windows...
RE: Maybe... by VnutZ :: NR8 :: on 14 March 2008
The iPod was just a simple example because they can run an operating system and drive (when present) their FireWire port. The attack isn't dependent on the device appearing or acting like a hard drive. It directly communicates with the underlying hardware utilizing the DMA controller which is made available via the FireWire protocol. So the attack is after the contents of RAM rather than the contents of the host's drives.
RE: Maybe... by PowerPointSamurai :: NR7 :: on 15 March 2008
I really can't think of much else that would work though. I have a FireWire digital camcorder, a scanner, and some external hard drives, but I can only imagine the latter working for this hack.
And again, the target disk mode has been around on the Mac for a long time, so it kind of bewilders me that this would pop up as a vulnerability on the PC after all this time.
(With the target disk mode on the Mac, I can plug two Macs together by a Firewire cable, boot up the first, and hold down a key combo on the second to start it up as an external hard drive for the first. This is really handy for data recovery or diagnostics if something goes really wrong with your system. But, this has been around for a while, and there are safeguards against unauthorized access.)
RE: Maybe... by VnutZ :: NR8 :: on 15 March 2008
And again, the target disk mode has been around on the Mac for a long time, so it kind of bewilders me that this would pop up as a vulnerability on the PC after all this time.
Yes - but it has absolutely nothing to do with the target disk mode.
The iPod just presents itself as an easy device from which to start. But it's an attack vector that can be replicated using nothing more than a FireWire cable, a PC board and an embedded microprocessor. There are any number of micro-PCs these days and laptops with FireWire that software could make use of in order to perform the hack. The iPod is just innocuous and fits in your pocket - walk up to a PC, plug it in, the Linux hack writes a virus/rootkit/etc. onto the target, you unplug and walk away. Go home and hack it when they reconnect. THAT's the hack. It's not going up and using a disk-like mode to read their data while they're not looking.
RE: Maybe... by PowerPointSamurai :: NR7 :: on 16 March 2008
I didn't mean to get us hung up on the iPod aspect of it. Got it. However, the target disk mode is entirely relevant because it's been a long known way of externally accessing Macs for quite a while, and to protect against unauthorized access, many of the protections are at the firmware level. It sounds from the article like this attack goes right into the system without any firmware protection at all, and in fact, sounds like it uses that firmware. I'm just agog that given the well known capabilities of target disk mode that such an exploit was left open.
RE: Maybe... by VnutZ :: NR8 :: on 17 March 2008
I think you're chasing the starting point of a circle. Target Disk mode works because of the DMA capabilities within the FireWire protocol. The DMA capabilities don't exist because of the Target Disk mode. This is why the vector is completely cross platform. Any machine that correctly supports the OHCI interface will allow an external device to initiate a DMA session with the host so that data may move between RAM and device without slowing the user experience, because the CPU is not involved. It just so happens that if you craft a malicious "device" - it will make requests for the DMA controller to read from RAM wherever you want it to without going through the operating system which means logical access controls the OS puts in place and memory protections the CPU puts in place are bypassed completely.
RE: Maybe... by PowerPointSamurai :: NR7 :: on 17 March 2008
My point about the target disk mode was not that it was the start--I know it's a higher-level function dependent on the DMA, but unless I am mistaken here, the Mac's firmware (not the operating system) does have some control here, which is one way to block someone using Target Disk mode from accessing your system (which bypasses the OS as well; I don't think it bypasses the CPU, though). It's the firmware I'm getting at here, and the lockdowns to protect your machine that I'm getting at.