Featured Image for How to hack a Macbook via FireWire

How to hack a Macbook via FireWire

There’s nothing quite like a weekend at a hacking convention to make you realise just how easy it is for technology companies to fall behind the ball.

Yesterday, at the 2014 DEF CON hackers conference in Las Vegas, security researchers Joe Fitzpatrick and Miles Crabil demonstrated how they could directly access the memory of Apple Macbook devices using a piece of hardware they built to plug into the computer’s FireWire slot.

SLOTSCREAMER is a device that access the computer’s PCIe (peripheral component interconnect express) slot, giving hackers direct access to a computer’s memory via FireWire.

In essence, this means there’s no software needed to help circumvent a Macbook’s security compliance requirements – access to Apple’s FireWire port (even by Thunderbolt adapters) and time to use the computer is all a malicious exploiter needs to cause users some serious problems.

“All by design, with no zero-day needed”, the device gives users the ability to “tinker with DMA attacks, read memory, bypass software and hardware security measures, and directly attack other hardware devices in the system”, reads the SLOTSCREAMER website.

The researchers will also be releasing scripts and drivers that give black and white hats alike the power to access – and, in the instance of a black hat, mess with – users’ information.

A high-level security analyst who wished to remain anonymous told Techly the demonstration proved how easy the process was.

“You don’t have to crack the case open on the computer to get access directly to memory,” he said.

“A simple FireWire device is all that’s needed to unlock a computer’s screen with a password. At that point, you are authenticated with the privileges of that user, and can do anything that user has privileges to do.

“If your physical security sucks, then you’re easily owned. That’s always been the case, but this takes it to a new level.”

Perhaps most concerning, the device highlights “an architecture problem that can’t really be fixed with software” the analyst said.

In addition, Break & Enter have shown off Inception, an attack via FireWire which allows administrative privileges for a user.

Here’s the explanation from the site:

Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

There are ways to prevent the attack, however, the issue is a FireWire design problem. Mitigation for Windows includes removing FireWire drivers, OS X turns off DMA when locked, and Linux needs to disable DMA or remove 1394 drives.

Techly has reached out to Apple for comment.

Here’s the demo video for those who are interested:

» Read all of Techly’s exclusive DEF CON 22 hacks series:
Anti-virus companies potentially leaking customer data ‘for years’
Smart-health wearables leaving users vulnerable to ‘significant’ data leaks

Update: The original Techly article published this hack as via USB. This hack is actually triggered via FireWire, which can also be via Thunderbolt-to-FireWire adapter. We understand direct memory access (DMA) via Firewire is disabled when the screen is locked with OS X Lion and later.

As always, if somebody has physical access to your powered-on system, they’ll likely be able to obtain access to the operating system – this FireWire hack makes it even easier.

About the author

Claire Porter is an award-winning journalist. Previously the tech editor of news.com.au, Claire has had her work published in some of Australia’s biggest websites and newspapers.

Videos from E MINOR TV

Leave a comment

Comment (5)


    Wednesday 13 August 2014

    Aside from being soft on detail, this article completely misses the point that the only involvement USB has is to store the data a custom piece of hardware collects from the PCIe bus. It could be any storage or transmission medium. The SLOTSCREAMER site itself identifies step 1 as “Insert Attack Device into a PCIe slot on target system”, of which “Attack Device” is not a USB device but a PCIe device. In the case of a Macbook that would take the form of a custom Thunderbolt dongle. This is the same vulnerability as firewire – real, but not new.


      Tristan Rayner

      Wednesday 13 August 2014

      Hi RB – we’ve significantly updated the article to reflect some new information and another device that attacks via FireWIre. Thanks!



        Thursday 14 August 2014

        Oh, hey – wow, commenting works! I like the updates, much much better.


          Tristan Rayner

          Thursday 14 August 2014

          Hehe… and thanks very much for keeping us on our toes!



    Wednesday 13 August 2014

    Yeah, they’re doing PCIe over a usb cable, which seemed to work just fine for the speakers. They demo’d it at DEFCON. Essentially you can extend the PCIe slot out of the computer by breaking out a USB cable and doing a little soldering. Think big GPU on a little computer. The FireWire hack is pretty cool as well. Was a great talk. First time speakers and they were awesome. Hope they do more next year. Maybe they’ll find some new hardware vulnerability.