By Kevin W
According to this headline, there is a “new” attack that will allow one to “Hack into a Windows PC—no password needed”. Basically, some guy created a tool that takes advantage of auto-execute features in Windows and the innate memory usage of FireWire. Plug the attack device into the target PC via FireWire, the exploit executes, and Windows is cracked. My first thought was, “Why would you let some random person plug something into your PC?” My second thought was, “I doubt many standard office PCs even have FireWire ports.”
The main reason this exploit doesn’t excite me is that it only reinforces one of the basic tenets of information security: physical access trumps logical access (see this blog post for another physical security exploit). This is the reason that physical security and physical access control are major domains of information security. All the fancy authentication methods in the world won’t help if someone can kidnap your PC! Physical access gives an attacker the ability to install a hardware keyboard logger, boot into a CD-based OS like Knoppix and access your entire file system, or if all else fails, just crack your case and steal your hard drive.
People have been exploiting auto-execute features for a long time. A quick Google search found such an attack from 2000. The web is littered with tales of penetration testers leaving rogue USB drives lying around waiting for unsuspecting employees to plug them in. Or you could always try a social engineering approach: “Hey, wanna hear my band’s demo CD? Just pop this into your CD-ROM drive and answer ‘Yes’ to any prompts.”
The bottom line is you shouldn’t insert foreign devices into your PC, or any other system, for that matter. Just say no!
–Kevin W, CISSP