After reading about a firewire memory attack against windows (also effects other operating systems). I figured it wouldn’t take long before someone demonstrated the use of that against full disk encryption. After all, why bother booting to USB, or freezing the RAM if you can just hook up a firewire connection and access the memory.
Today, I saw a Dark Reading article where a group/vendor has penetrated a Pointsec encrypted computer through the use of the firewire technique.
This simple attack takes advantage of the FireWire protocol and its ability to directly access and modify the RAM of a target machine with a FireWire port installed. Using a simple and readily available forensics software tool, it is possible to connect a FireWire cable to a computer, and within seconds bypass the Windows authentication and log in as a local administrator.
It is important to note that pre-boot authentication was not enabled on this computer. If it had been the attack would not have succeeded. I can’t imagine deploying FDE without pre-boot authentication. This article could have described an attack against any FDE vendor not using pre-boot authentication.
I’ve disabled the firewire port on my laptop. I haven’t looked at what it would take to disable the firewire port in an enterprise. Perhaps its time for more spelunking in devcon. Or may google will have an easy answer. I wonder how many “port control” products include firewire.