Comments on: Physical Attacks via FireWire

By: Chris Adams

Chris Adams — Fri, 14 Mar 2008 15:24:10 +0000

nate - thanks for the link to Rentzsch’s article. I was looking for that yesterday.

Rosyna - has anyone looked into whether the current hardware offers support for restricted DMA? I last ran into this with cluster interconnects which were completely insecure at first but later acquired hardware support – probably motivated more by system stability than security.

By: Jens Alfke

Jens Alfke — Fri, 14 Mar 2008 15:23:09 +0000

To answer my own question: Here's Apple's support article.

By: Jens Alfke

Jens Alfke — Fri, 14 Mar 2008 15:20:47 +0000

OK, next step is to figure out how to enable the ~~OpenFirmware~~ EFI password. But I’m sure I can google for that…

By: Rosyna

Rosyna — Fri, 14 Mar 2008 09:09:35 +0000

Yeah, just enable the OpenFirmware password to disable FireWire DMA. It’s been like this for, like, forever. (Yes, I call it the Open Firmware password, even when you enable it on the ICBMs). But note, doing so may lead to a substantial speed decrease with high-bandwidth FireWire devices. IIRC, there was a bug in the very first releases of 10.4.4-10.4.something that made the password not disable DMA on the ICBMs. But this was fixed.

By: Jens Alfke

Jens Alfke — Fri, 14 Mar 2008 04:32:51 +0000

Michael — First, I’ve turned on password locking. Second, rebooting and messing with single-user mode takes longer, and is more obvious during and afterwards.

By: n[ate]vw

n[ate]vw — Fri, 14 Mar 2008 04:31:11 +0000

I tried so hard, but left out a piece of Rentzsch’s last name, sorry. I even had the URL right there!!

By: n[ate]vw

n[ate]vw — Fri, 14 Mar 2008 04:29:27 +0000

Rentzsh actually seems to have the definitive article on this (and it appears to have been up since November, 2004): http://rentzsch.com/macosx/securingFirewire

The way I understand it is that OS X will indeed disable Firewire DMA, all the way back to 10.2.2, but only if a firmware password is set.

By: Michael Brundage

Michael Brundage — Fri, 14 Mar 2008 03:02:23 +0000

Jens, hacking a Mac that you have physical access to is far easier.

First of all, the Mac OS defaults are no password locking on sleep or boot, so you probably already have full access to the user’s data.

Ignoring that, just reboot the machine and hold down cmd-S. You now have a root shell. It’s trivial from there to do anything you want, such as just deleting the tmp file that tells Mac OS X the machine has been configured and then rebooting, which will prompt you to create an admin (sudoers) account.