Friday

Unlock a Windows PC without the password through Firewire (UPDATED)



During the whole "disk encryption defeated by RAM attack", I mentioned firewire could be used for memory forensics since it provides DMA (direct memory access). Apparently, it can also be useful to unlock a windows PC without a password.

A security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password.
Adam Boileau first demonstrated the hack, which affects Windows XP computers but has not yet been tested with Windows Vista, at a security conference in Sydney in 2006, but Microsoft has yet to develop a fix.

Interviewed in ITRadio's Risky Business podcast, Boileau said the tool, released to the public today, could "unlock locked Windows machines or login without a password ... merely by plugging in your Firewire cable and running a command".

Full article (Source: smh.com.au)

The code can be downloaded here.

UPDATE (06/03/2008): I didn't mention it clearly but even if you don't have a firewire port, having a PCMCIA slot is as dangerous. I even saw some remarks that external SATA ports, also provide DMA access. I feel more tools coming our way.

Using a laptop with built-in Firewire and booted with the Helix Linux LiveCD (designed for forensics and incident response) that includes Adam’s original Python Firewire tools (minus winlockpwn which I downloaded once booted), I tested my theory by plugging in a cheap StarTech PCMCIA Firewire card to the target laptop running Windows XP SP2 whose screen was locked. I gave the target a few seconds to load the drivers, and then connected my attack laptop’s Firewire port to the PCMCIA Firewire port. After running winlockpwn, I logged into the target laptop with a few random keystrokes (which were not the password). Voila! No need for the victim to have Firewire built in. (Source: Darkreading.com)

UPDATE (07/03/2008): It also works against Vista.

In this paper, we demonstrate that the firewire unlock attack (as implemented in Adam Boileau's winlockpwn) can be used against Windows Vista.

The paper is available at:

http://www.sec-consult.com/fileadmin/Whitepapers/Vista_Physical_Attacks.pdf

UPDATE (29/03/2008): I have written a tutorial.

No comments: