Crack a Mac with Firewire

Last week I took my family and friends out to see the Engineering Open House (EOH) at the University of Illinois. The open house showcased the different aspects of engineering in a science fair format. The exhibits ranged from things interesting and cool for adults, to things fun and exciting for the kids. One exhibit, titled R.A.G.E. Beyond The Ether, located in the Computer Science section was the highlight of my day. Second place would have to go to a Distributed Music Library system which I might highlight in another article.
R.A.G.E. Beyond the Ether was, in my opinion, an overly pompous name. Cool for kids, I guess. I believe the main point of the exhibit was to show how computer vulnerabilities are discovered and what is at risk. Unfortunately, I believe the college kids at this exhibit were misunderstood, as an older gentleman asking questions quickly labeled the students as virus writers. The students, and most certainly I, dismissed such an ignorant statement. Rather than writing and distributing viruses primarily aimed at selling male enhancement pills, the students were actually working on a potentially important discovery in computer security.
The actual demonstration consisted of an attack between two Macintosh laptops. The attacking Mac was connected via a FireWire cable to the victim Mac. A passing spectator would inquire what the exhibit was about, interrupting the poor students' Magic: The Gathering game. The students would ask the spectator to enter a password on the attacking machine and hit Enter. When the spectator hit Enter, a Python script was run. When the script finished, the spectator was directed to go to the victim machine and hit Shut Down on the login panel. Instead of the machine shutting down, the login screen blinked. The spectator was then asked to log in as an administrator on the victim machine using the password he had entered on the attacking machine. Lo and behold, it worked! The attacking machine was able to change the admin password on the victim just by hooking up to the other computer via FireWire and running a script. If that doesn't scare you, you haven't heard the least of it yet.
After seeing this demonstration I grilled the students on the details of this attack. Given that there won't be a vulnerability report or any sort of release until more testing is done on the nature of this attack, I will only outline how the attack works. I will also discuss potential theories and hazards that this discovery could uncover.
Don't worry, Mac users: the vulnerability isn't necessarily a Mac problem. The issue is the implementation of FireWire. FireWire uses Direct Memory Access (DMA), which lets a device on the bus read and write system memory without going through the CPU. The exploit took advantage of this feature and used DMA to write directly to the victim's memory, changing the behavior of the shutdown button on the login screen. Instead of shutting down, that code was replaced with a routine that changed the root password on the Mac.
The theory is that we now have a potential security problem with any operating system and any technology that uses DMA and is capable of a direct connection to another computer or device. FireWire? USB 2.0? Some Gigabit Ethernet chipsets? Bluetooth? Are you scared yet?
Moral of this story? Think twice when somebody wants to connect their iPod to your computer. The iPod, or any other device with bus-mastering access, could potentially be modified to run the same code that changed the computer's password.
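For readers who want to know whether their own machine is exposed to this class of peripheral DMA access, here is an added defender-side check (not code from the exhibit or from the students): on a Linux host it lists FireWire controllers by PCI class, checks whether the firewire_ohci driver's remote_dma parameter has been switched on (the driver filters remote physical DMA by default), and checks whether an IOMMU is active. The sysfs paths are the kernel's standard ones; the ROOT argument is an assumption added so the functions can be run against a constructed tree.

```shell
#!/bin/sh
# Reports how exposed a Linux host is to peripheral DMA over FireWire.
# ROOT (default "/") is prefixed to every sysfs path so the checks can be
# exercised against a constructed directory tree (testing assumption).

# PCI class 0x0c00xx is IEEE 1394 (FireWire); 0x0c0010 is the OHCI variant.
firewire_controllers() {
    root="${1:-/}"
    for dev in "$root"/sys/bus/pci/devices/*; do
        [ -r "$dev/class" ] || continue
        case "$(cat "$dev/class")" in
            0x0c00*) basename "$dev" ;;
        esac
    done
}

# The iommu_groups directory is populated only when an IOMMU (VT-d/AMD-Vi)
# is active, i.e. when device bus addresses are translated and contained.
iommu_active() {
    root="${1:-/}"
    [ -d "$root/sys/kernel/iommu_groups" ] &&
        [ -n "$(ls -A "$root/sys/kernel/iommu_groups" 2>/dev/null)" ]
}

# firewire_ohci's remote_dma parameter: Y means unfiltered remote physical
# DMA is allowed, which is the condition the demonstration above relies on.
remote_dma_enabled() {
    root="${1:-/}"
    p="$root/sys/module/firewire_ohci/parameters/remote_dma"
    [ -r "$p" ] && [ "$(cat "$p")" = "Y" ]
}

# Exit status: 0 = no controller, or driver filter on and IOMMU active;
#              1 = controller present, driver filter on, but no IOMMU;
#              2 = controller present and remote_dma=Y (exposed).
dma_exposure() {
    root="${1:-/}"
    ctrls=$(firewire_controllers "$root")
    if [ -z "$ctrls" ]; then echo "no FireWire controller found"; return 0; fi
    echo "FireWire controller(s): $ctrls"
    if remote_dma_enabled "$root"; then
        echo "remote_dma=Y: devices on the bus may read/write memory unfiltered"; return 2
    fi
    if ! iommu_active "$root"; then
        echo "remote_dma off, but no IOMMU: relying on the driver filter alone"; return 1
    fi
    echo "remote_dma off and IOMMU active"; return 0
}

if [ "${DMA_CHECK_RUN:-0}" = 1 ]; then dma_exposure "${1:-/}"; fi
```

Run it with `DMA_CHECK_RUN=1 sh dma_check.sh` on a live host; on a Mac the equivalent information comes from System Profiler rather than sysfs, so the script is Linux-only.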
Comments
This may be so; the demonstration could have been on older, unpatched versions of Mac OS X. I've been keeping an eye out for more publication about the actual demonstration I saw, but have seen none so far.
Yes, USB 2.0 might very well have the same shortcoming if it has DMA. I am willing to bet that any connection that had DMA access could very well have the same issue. And who doesn't have an older iPod? I have one that is half functional :).