If You Can Touch it, You Can Hack it

By Kevin W

According to this headline, there is a “new” attack that will allow one to “Hack into a Windows PC—no password needed”. Basically, some guy created a tool that takes advantage of auto-execute features in Windows and the innate memory usage of FireWire. Plug the attack device into the target PC via FireWire, the exploit executes, and Windows is cracked. My first thought was, “Why would you let some random person plug something into your PC?” My second thought was, “I doubt many standard office PCs even have FireWire ports.”

The main reason this exploit doesn’t excite me is that it only strengthens one of the basic tenets of information security: physical access trumps logical access (see this blog post for another physical security exploit). This is the reason that physical security and physical access control are major domains of information security. All the fancy authentication methods in the world won’t help if someone can kidnap your PC! Physical access gives an attacker the ability to install a hardware keyboard logger, boot into a CD-based OS like Knoppix and access your entire file system, or if all else fails, just crack your case and steal your hard drive.

People have been exploiting auto-execute features for a long time. A quick Google search found such an attack from 2000. The web is littered with tales of penetration testers leaving rogue USB drives lying around waiting for unsuspecting employees to plug them in. Or you could always try a social engineering approach: “Hey, wanna hear my band’s demo CD? Just pop this into your CD-ROM drive and answer ‘Yes’ to any prompts.”

The bottom line is you shouldn’t insert foreign devices into your PC, or any other system, for that matter. Just say no!

–Kevin W, CISSP
