How to hack a Macbook via FireWire
There’s nothing quite like a weekend at a hacking convention to make you realise just how easy it is for technology companies to fall behind the ball.
Yesterday, at the 2014 DEF CON hackers conference in Las Vegas, security researchers Joe Fitzpatrick and Miles Crabil demonstrated how they could directly access the memory of Apple Macbook devices using a piece of hardware they built to plug into the computer’s FireWire slot.
SLOTSCREAMER is a device that accesses the computer’s PCIe (peripheral component interconnect express) slot, giving hackers direct access to a computer’s memory via FireWire.
In essence, this means there’s no software needed to help circumvent a Macbook’s security compliance requirements – access to Apple’s FireWire port (even by Thunderbolt adapters) and time to use the computer is all a malicious exploiter needs to cause users some serious problems.
“All by design, with no zero-day needed”, the device gives users the ability to “tinker with DMA attacks, read memory, bypass software and hardware security measures, and directly attack other hardware devices in the system”, reads the SLOTSCREAMER website.
The researchers will also be releasing scripts and drivers that give black and white hats alike the power to access – and, in the instance of a black hat, mess with – users’ information.
A high-level security analyst who wished to remain anonymous told Techly the demonstration proved how easy the process was.
“You don’t have to crack the case open on the computer to get access directly to memory,” he said.
“A simple FireWire device is all that’s needed to unlock a computer’s screen with a password. At that point, you are authenticated with the privileges of that user, and can do anything that user has privileges to do.
“If your physical security sucks, then you’re easily owned. That’s always been the case, but this takes it to a new level.”
Perhaps most concerning, the device highlights “an architecture problem that can’t really be fixed with software”, the analyst said.
In addition, Break & Enter have shown off Inception, an attack via FireWire which allows administrative privileges for a user.
Here’s the explanation from the site:
Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.
There are ways to prevent the attack; however, the underlying issue is a FireWire design problem. On Windows, the mitigation includes removing the FireWire drivers; OS X turns off DMA when locked; and on Linux, DMA needs to be disabled or the 1394 drivers removed.
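The Linux mitigation above (disable DMA or remove the 1394 drivers) can be checked with a short audit script. This is an added example, not from the original article or the tools it describes; the module names are the mainline kernel's FireWire drivers as assumed here, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit a Linux host for IEEE 1394 (FireWire) drivers.
# Assumed module set: the mainline FireWire stack plus the older ieee1394 stack.
FW_MODULES="firewire_ohci firewire_sbp2 firewire_core ohci1394 sbp2 ieee1394"

# loaded_fw FILE: print FireWire modules present in a /proc/modules-format file.
loaded_fw() {
    for m in $FW_MODULES; do
        awk -v m="$m" '$1 == m { print m }' "$1"
    done
}

# blocked MODULE DIR: succeed if a modprobe.d-style DIR stops MODULE loading.
# "blacklist" only stops alias-based autoloading; "install MODULE /bin/false"
# also stops an explicit modprobe. modprobe treats '-' and '_' as equal.
blocked() {
    want=$(printf '%s' "$1" | tr '-' '_')
    cat "$2"/*.conf 2>/dev/null | sed 's/#.*//' | tr '-' '_' |
    awk -v m="$want" '
        $1 == "blacklist" && $2 == m { found = 1 }
        $1 == "install" && $2 == m && $3 ~ /\/(false|true)$/ { found = 1 }
        END { exit !found }'
}

# audit FILE DIR: print one finding per line; return 1 if there are any.
audit() {
    rc=0
    for m in $(loaded_fw "$1"); do echo "LOADED $m"; rc=1; done
    for m in firewire_ohci firewire_sbp2; do
        blocked "$m" "$2" || { echo "NOT-BLOCKED $m"; rc=1; }
    done
    return $rc
}

# sample: constructed input (not from a real host) so the script runs offline.
sample() {
    d=$(mktemp -d)
    printf '%s\n' 'firewire_ohci 40960 0 - Live 0x0' \
        'firewire_core 65536 1 firewire_ohci, Live 0x0' \
        'ext4 733184 1 - Live 0x0' > "$d/modules"
    printf '%s\n' 'blacklist firewire-sbp2  # constructed fragment' \
        'install firewire-ohci /bin/false' > "$d/fw.conf"
    echo "$d"
}

d=$(sample)
audit "$d/modules" "$d" || echo "findings above: drivers still active"
rm -rf "$d"
```

On a real host the equivalent call is `audit /proc/modules /etc/modprobe.d`. The constructed sample shows that a blocking rule does not unload a driver that is already loaded.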
Techly has reached out to Apple for comment.
Update: The original Techly article described this hack as being carried out via USB. It is actually triggered via FireWire, which can also be reached through a Thunderbolt-to-FireWire adapter. We understand direct memory access (DMA) via FireWire is disabled when the screen is locked on OS X Lion and later.
As always, if somebody has physical access to your powered-on system, they’ll likely be able to obtain access to the operating system – this FireWire hack makes it even easier.