Firewire Security Exploit Can Compromise Thunderbolt Computers [+ OS X Fix]
A problem that affects computers with or without BitLocker, FileVault, TrueCrypt or Pointsec encryption, and the fix you can apply today on Apple computers running OS X.
The Problem: Firewire & Thunderbolt Exploit
Carsten from Break & Enter posted an exploit of IEEE 1394 SBP-2 DMA. It uses a platform-independent FireWire hardware security hole to attack computers that have the new DisplayPort / Thunderbolt interface. The exploit applies to both Macs and PCs.
The tool, Inception, can unlock Windows 7, Windows Vista and Windows XP as well as certain Mac OS X and Ubuntu versions using the Direct Memory Access (DMA) properties of the FireWire Serial Bus Protocol-2 (SBP-2) over Thunderbolt. It can also dump the physical memory contents of the victim machine over the FireWire interface, enabling reliable extraction of Mac OS X FileVault passwords and of BitLocker, FileVault and TrueCrypt encryption keys.
The exploit does not go through the operating system but through the underlying hardware, so the OS never gets a say. An attacker with physical access to a machine can launch it, which allows them to:
- Read arbitrary RAM contents from the victim’s system.
- Overwrite arbitrary RAM contents with whatever you want.
- Perform many, many severe attacks based on the two issues above. Examples include grabbing a full RAM dump via Firewire (takes only a few minutes), grabbing ssh-agent keys, grabbing screen contents, modifying screen contents, bypassing login/password screens, and many, many more.
In short, bad news if someone has physical access to your device. Could a PWNIE Award be on the way? (Probably a higher chance if Carsten sings.) But this exploit is easily fixed on Apple computers.
The Fix for OS X
One of the many caveats listed by Break & Enter is:
“Macs with a firmware (OF/EFI) password set are not vulnerable to this attack, as FireWire DMA is disabled when an OF/EFI password is set”
So the solution is to set an Open Firmware or EFI password on your Mac. To do that, you’ll need the OS X install disk if you have Snow Leopard, Leopard, or earlier; Lion users can boot into the Recovery partition instead.
1. Shut down the Mac.
2. Hold the Option key and press the power button; keep holding Option.
3. Lion users: choose “Recovery HD” and boot from it. Other users: insert your OS X install disk and select the DVD when it becomes available.
4. Choose Firmware Password Utility from the Utilities menu (you might have to click the -> arrow on the first screen).
5. Turn it on and type in your desired firmware password.
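Once the firmware password is set, it is worth being able to verify that the mitigation is actually in place, for example across several Macs. The following shell script is an added example written for this post, not code from Break & Enter or from Apple. It assumes Apple's `firmwarepasswd -check` command line tool (shipped with OS X 10.10 and later, so it postdates the Lion-era steps above) and assumes its output contains a line of the form `Password Enabled: Yes` or `Password Enabled: No`. The parsing is kept separate from the system call so it can be exercised on constructed sample output on any machine.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether the EFI firmware
# password recommended above is set, so the FireWire DMA mitigation can be
# verified after the Firmware Password Utility steps.
# Assumption: `firmwarepasswd -check` (Apple's tool, OS X 10.10+) prints a line
# "Password Enabled: Yes" or "Password Enabled: No". Run as root on a real Mac.

# classify_firmwarepasswd_output OUTPUT
# Prints "enabled", "disabled" or "unknown" for the given `firmwarepasswd -check` text.
classify_firmwarepasswd_output() {
  fw_line=$(printf '%s\n' "$1" | grep -i '^password enabled:' | head -n 1 \
            | tr -d '[:space:]' | tr 'A-Z' 'a-z')
  case "$fw_line" in
    passwordenabled:yes) echo enabled ;;
    passwordenabled:no)  echo disabled ;;
    *)                   echo unknown ;;
  esac
}

# firmware_password_enabled OUTPUT
# Exit status 0 only when the output says the firmware password is on.
firmware_password_enabled() {
  [ "$(classify_firmwarepasswd_output "$1")" = enabled ]
}

# audit_this_mac
# Runs the real check when the tool is available. Exit 0 = password set,
# 1 = password not set, 2 = could not determine (not a Mac, old OS X, not root).
audit_this_mac() {
  if ! command -v firmwarepasswd >/dev/null 2>&1; then
    echo "firmwarepasswd not found: not a Mac, or an OS X release without the tool" >&2
    return 2
  fi
  fw_out=$(firmwarepasswd -check 2>&1) || {
    echo "firmwarepasswd -check failed (run as root?)" >&2
    return 2
  }
  fw_state=$(classify_firmwarepasswd_output "$fw_out")
  echo "firmware password: $fw_state"
  [ "$fw_state" = enabled ]
}

# Demonstration on constructed sample output (not captured from a real Mac).
sample_no='Password Enabled: No'
echo "constructed sample -> $(classify_firmwarepasswd_output "$sample_no")"
```

On a Mac, call `audit_this_mac` as root; a non-zero exit status means the machine is still exposed to the DMA attack described above or the state could not be determined, which makes the script easy to drop into a fleet-wide check.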