Hack into a Windows PC with Winlockpwn

Adam Boileau, a security consultant based in New Zealand, has released a tool that can unlock Windows computers in seconds via a Firewire port, without the need for a password.

With this tool, called Winlockpwn, one could "unlock locked Windows machines or login without a password ... merely by plugging in your Firewire cable and running a command".

The hack, which affects Windows XP computers but has not yet been tested with Windows Vista, was first demonstrated at a security conference in Sydney in 2006, but Microsoft has yet to develop a fix. Now that a couple of years have passed and the issue has not been resolved, Boileau has decided to release the tool on his website.

Link: theage


is it possible to have the firewire done out-of-spec, and risk compatibility with things you try to plug in, but preventing the dma-based hacks?

Hack into a Windows PC with a hammer.

A worker from a workshop based in New Zealand has shown a tool that can break Windows computers in seconds by smashing them with a hammer, without the need for a password.

With this tool, called Hammer, one could "hack locked Windows machines or erase sensitive data without a password ... merely by hitting it with Hammer several times".

This hack, which affects Windows XP computers but has not yet been tested with Windows Vista, was first demonstrated at a drunk party in 2006, but Microsoft has yet to develop a fix. But now that a couple of years have passed and the issue has not been resolved, the worker decided to show the tool on his website.

Holy crap, it worked! All my data was successfully destroyed using the hammer hack! When will Microsoft fix this horrendous vulnerability??? If they don't, I'm gonna switch to Lunix.

Does this hack give any specific user rights? Can someone bypass the security of a domain authenticated file server by using this hack to gain access to a domain computer?

As previously pointed out, in most cases someone can just use one of those Linux boot CDs or whatever that automatically mount NTFS partitions to gain access to the local file system. All the NTFS security, unless the files are encrypted, is completely managed from within Windows and does not actually physically exist on the files. However, a smart administrator would disable booting from a CD/USB memory stick in the BIOS and password-protect the BIOS. Too bad there aren't that many smart administrators out there...

Absolutely nothing about this is a Windows flaw, as has been pointed out.

Under any OS that doesn't disable the port (And I do not believe any of them do) or unless you've got some funky non-standard Firewire controller stuff going on (Like in Apple's old G5s), the machine is completely compromised.

What makes this particularly scary is that it does not require a reboot.

I cannot see how this would give you access to encrypted data. All it does is bypass the logon process; they basically edit the memory containing the code that checks your credentials and make it say "Yup, those are right!" for whatever you type.

It will NOT magically let them know your username and password, and will certainly not give them your encryption keys.

Also, they haven't said if they have compromised domain accounts. If they have, they would only be able to logon to the local PC and access unencrypted data that is ACL'd for that user. It won't let you magically access corporate resources on the network with that person's token, since they don't have it.

This gives them the SAME level of access as if they had removed the hard drive and put it in another PC. Nothing more. No encrypted file access, no corporate network access.

Unfortunately I'd have to disagree. When you bypass the "locked" screen, you keep the current user's credentials. If they had been previously accessing any network resources, or if they have files encrypted using the account that you logged into, they will definitely be given full access.

If you have just booted a computer, bypassing local passwords *should* not give you access to these things. On the other hand, you are now logged in as an authenticated user, so anything is possible. Arguably, though, from boot if you're logging into a domain type computer it is almost sure that you will NOT have access because you will not have authenticated.

Moral of the story? When you lock your computer (that has firewire ports) you're not safe at all.

Didn't Apple create this (apparently flawed) Firewire spec?
So why is this article pinning the blame on Microsoft to fix their mistake?
Also, if Apple managed to create a flaw so vast in one protocol, surely it's feasible to think that they've done it in other places as well?

(Kushan said @ #24)
Didn't Apple create this (apparently flawed) Firewire spec?
So why is this article pinning the blame on Microsoft to fix their mistake?
Also, if Apple managed to create a flaw so vast in one protocol, surely it's feasible to think that they've done it in other places as well?

Yes Apple created the firewire spec... which is also called i.Link (Sony), IEEE 1394 (standard name) and Firewire (Apple)

(TRC said @ #23)
Isn't firewire pretty much dead anyway? Even Apple seems to be dropping it.

Firewire is majorly used in digital video production, I don't see it dying anytime soon

Funny how the article states that the issue is due to a flaw in the FireWire spec itself, but they only approached Microsoft for comment - ignoring the fact that FireWire is an Apple-designed (and IEEE approved) spec. Why weren't Apple or the IEEE approached and asked why the spec has not been updated? Why wasn't it mentioned that a similar attack is possible on any OS that fully adheres to the IEEE 1394 spec?

Obviously another of the many articles written with the intent of spreading an opinion (in this case, that Microsoft OSs are insecure), even if that meant skipping a few facts because they didn't help the author's case...

Hi,

This Firewire issue also affects Macs and Linux-based PCs. It's not a Windows problem.

It's a Firewire problem because it depends on the DMA access which all Firewire implementations use to send and receive data.

The only way to resolve this is to disable your firewire ports and don't allow strange folks to plug their devices into your firewire ports.

So unless the protocols for Firewire are changed then there is very little you can do to stop this other than prevent physical access to your systems.

Regards

Simon

When you have physical access to a machine the password is never really an issue.

All it takes is a USB drive or a Bootable CD and you have access. I can see why MS ignored this.

Edit: come to think of it, this is just another tool for techs to use when users lock themselves out of their own machines.

This is a problem with the Firewire spec, not with any OS. They are implementing the spec, fix the spec, fix the flaw.

Oh, come on, XP login is ridiculously easy to bypass. You don't need this firewire thing to do it.

Anyway, my firewire plug short-circuited, so I'm protected against this.

(RAID 0 said @ #14.1)

lmao, I used that in a college thing I did last month, my tutor found it funny too :P

Actually, I do have a tool that unlocks Windows PCs in seconds, but I'll restrain myself to mention this product.

We tried it and it retrieves all hashed account passwords, thus making any Windows version up to Vista accessible. And yes, I've tried it already, and it works.

I wouldn't be surprised anyone could make such a tool.

(GreyWolfSC said @ #9)
This can affect ANY computer with a 1394, not just Windows machines.

original source

(Author's page) Bypasses windows authentication via firewire, as demoed at Ruxcon 2006, and released on Risky Business, 2008.
Same source you're using.

(Azmodan said @ #12)
Actually, I do have a tool that unlocks Windows PCs in seconds, but I'll restrain myself to mention this product.

We tried it and it retrieves all hashed account passwords, thus making any Windows version up to Vista accessible. And yes, I've tried it already, and it works.

I wouldn't be surprised anyone could make such a tool.

(Author's page) Bypasses windows authentication via firewire, as demoed at Ruxcon 2006, and released on Risky Business, 2008.
Same source you're using.

Only looking for what you want to see? Same source, farther down the page:

However, despite working fine against Linux, Macs and BSD boxen, it didn't work against Windows. My colleague Tmasky set to it, and soon enough had found the miracle ingredient.

Err, you can't retrieve a Windows password, just reset it or brute-force it. But brute forcing a good password will take an obscene amount of time, especially against Vista where there's no LM hash.

Of course, Bitlocker and domain-joined machines make doing any of those things impossible.

(GreyWolfSC said @ #12.1)
Only looking for what you want to see? Same source, farther down the page:

You're sure he's talking about the SAME tool?

However, despite working fine against Linux, Macs and BSD boxen, it didn't work against Windows. My colleague Tmasky set to it, and soon enough had found the miracle ingredient.

Skip forward a few months, and it's now a big deal for reasons I'm not wholly sure about. I presented "Hit By A Bus: Physical Access Attacks With Firewire" at Ruxcon 2006, and hopefully if you came along, you were entertained.

At Ruxcon I released my firewire libraries (high level python bindings for libraw1394), the tool for fooling windows into giving you DMA (romtool), and a forensic memory imager (1394memimage). I demoed some of the malicious uses (like unlocking a locked Win XPSP2 workstation, and spawning an admin shell), but I'm not going to release that code (uh, unless you've got a compelling reason, I suppose). The talk and the tools are available just below.

The tool you're talking about uses LM hashes, these are by default still enabled in winXP for improved backwards compatibility, but are easily disabled (reboot and change passwords for it to actually take effect tho), and anyone not concerned about networking to machines using winME or younger should do so.

vista has LM hashes disabled, though if you really need to you can enable them.

apple's mistake, thank you apple ;)

i do like the 10 microsoft laws of security though: http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true (found at the source if you are wondering if this is off-topic :))
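An added audit-and-hardening script for the two mitigations this thread keeps returning to: disabling the 1394 (FireWire) host controller so the DMA channel is gone, and turning off LM hash storage with the NoLMHash LSA registry value. This is example code written for this page, not Boileau's tool or anything from the original thread; it assumes Windows 8 or later (for the PnpDevice cmdlets) and an elevated shell.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Assumes Windows 8+ so that
# Get-PnpDevice / Disable-PnpDevice exist; NoLMHash under the Lsa key is the
# documented setting the thread refers to when it says "disable LM hashes".

function Get-FirewireControllers {
    # Device class "1394" is the IEEE 1394 (FireWire) host controller class.
    Get-PnpDevice -Class '1394' -ErrorAction SilentlyContinue
}

function Disable-FirewireControllers {
    # Disables every present, working 1394 host controller. Without the
    # controller there is no bus-mastering DMA path for an attached device.
    foreach ($dev in Get-FirewireControllers | Where-Object Status -eq 'OK') {
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        Write-Output "Disabled: $($dev.FriendlyName)"
    }
}

function Test-LmHashDisabled {
    # NoLMHash = 1 stops Windows storing the LM hash; it only takes effect
    # for each account at its next password change, as the thread notes.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
    return ($val -eq 1)
}

function Set-LmHashDisabled {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
}

# Audit report: what is present, and whether LM hashes are still stored.
$fw = @(Get-FirewireControllers)
Write-Output ("1394 host controllers present: {0}" -f $fw.Count)
$fw | Select-Object FriendlyName, Status, InstanceId | Format-Table -AutoSize
Write-Output ("LM hash storage disabled: {0}" -f (Test-LmHashDisabled))

# Remediation (uncomment once the report has been reviewed):
# Disable-FirewireControllers
# Set-LmHashDisabled
```

A disabled controller can be re-enabled with Enable-PnpDevice when a FireWire device is genuinely needed, which is cheaper than the BIOS toggle mentioned elsewhere in the thread.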

Right; actually we have Apple to thank for the flawed spec. Linux and Macs have been owned by this too (though obviously not this particular tool). Disable Firewire when not in use!

And if you're an IT guy who manages computers with Firewire ports, well, I feel for you. x)

(tunafish said @ #8)
This is more for corp environments; this is going to play madness at schools etc.

If I was still at my old school, I would use this with a rootkit to get the admin passwords and reformat the HDs with a linux distro, guess quite a load of other people would too

I've never seen an IEEE 1394 cable but my laptop has ports, might be interesting to try on my own machine and see if this is real, then disable the port!

I don't use firewire, so I always disable it in the BIOS along with any other features that I don't use. Not that it matters, though; nobody has the physical access to my systems necessary to use this hack.

This requires physical access to the computer. Once you have physical access to a computer, you can forget about security anyway.

There's a difference between ripping the guts apart of a PC to reset the BIOS password or remove the hard disk, and plugging in a firewire device.

(darkmark327 said @ #5.1)
There's a difference between ripping the guts apart of a PC to reset the BIOS password or remove the hard disk, and plugging in a firewire device.

Yes but it's still physical access.

There have been boot CDs and floppies for ages which do this type of thing using Linux/Unix. (I keep one in my toolkit in fact for when people inherit PCs or whathaveyou.) It's simply a matter of whether or not you have to bypass the BIOS password via backdoor mobo manufacturer passwords or simply removing the CMOS battery. Once the BIOS is opened the machine is all yours.

It's far from new and ksalter is absolutely correct as once someone has physical access to a machine it's all over.

Aahz, I'd have to disagree with the "It's far from new". As speculated in the above discussion, this type of attack would allow a few things:
1) Unnoticed access. You can leave the PC exactly as it was when you arrived. No passwords reset, no red flags.
2) Access to currently opened items, this is especially useful in a corporate setting where the user is "logged in" to some sort of networked application. You can access it with their privileges and then leave the computer as in #1.
3) Access network shares. This is a big one too, you can authenticate against the server just as you would if you were actually logged in as the user. On a domain, this breaks 99% of your security.

Enjoy.

With my machine, all you have to do is turn it on, and voilà, instant access.

Nonetheless, I have no firewire ports, nor am I blind, so a cable running from my comp to someone else's would be kinda noticeable to me.

(StevoFC said @ #4.1)
yeah, because people only lock their computers while they are sitting at them. right? :rolleyes:
True... I'd just nick it then, if they want to leave an expensive laptop lying around...

Probably not OSX or Linux. Not sure about Vista (I would think not, but don't know). But XP, it sounds like it.

EDIT: a few links down, it seems that other OSes too, possibly due to a problem in the general 1394 spec.

Here's a pdf document explaining the Firewire hack against OSX (gets interesting at page 19).

See here: http://md.hudora.de/presentations/firewire...-cansecwest.pdf

and a blog post about it here: http://blog.juhonkoti.net/2008/02/29/autom...al-via-firewire

(markjensen said @ #3.1)
Probably not OSX or Linux. Not sure about Vista (I would think not, but don't know). But XP, it sounds like it.

EDIT: a few links down, it seems that other OSes too, possibly due to a problem in the general 1394 spec.

Well if you use USB-> firewire it will generally come up as a "new device" in windows, which in this case would not be automatically installed because it requires an administrator login.

I guess if you had a stupid user and hid the USB-Firewire device before the boot. They might miss the installation of the new device and you could come back later with your 'tool'.

I hate to sound super-critical, but is there any chance that these things could be proofed for simple grammar mistakes prior to hitting the front page? I know this is 'unprofessional journalism', but that doesn't mean we can't show a basic command of English while we're at it.

Like I said, I don't want to sound like I'm beating the poster up. I probably should have posted the suggested changes, but others beat me to it. Better to submit news and learn from the mistakes than never try at all.