I’m concerned about DMA exploits on my laptops. HP PCs now have firewire, but this is an issue for any DMA expansion slot. How are OSes faring with this? How about opensuse? Wisdom? Experience? Recommendations? Some of my laptops have GuardianEdge - but this is also vulnerable.
I’m tempted to squirt epoxy into my firewire ports. I never use them anyway.
On 11/02/2012 12:56 PM, PattiMichelle wrote:
>
> I’m concerned about DMA exploits on my laptops. HP PCs now have
> firewire, but this is an issue for any DMA expansion slot. How are OSes
> faring with this? How about opensuse? Wisdom? Experience?
> Recommendations? Some of my laptops have GuardianEdge - but this is
> also vulnerable.
>
> I’m tempted to squirt epoxy into my firewire ports. I never use them
> anyway.
OK, I’ll bite! How does such an exploit work? Do you also worry about eSATA ports?
I don’t know if eSATA has DMA access that’s hackable from the outside, but I think it might, as the Wiki article mentions this as a normal bus capability.
On 2012-11-03 00:58, malcolmlewis wrote:
> Hi
> So it’s exploited by having physical access to the machine; what
> machine isn’t vulnerable given physical access?
Yes, but connecting, say, an external device to the USB bus, the
firewire bus, or eSATA, can be considered normal action in any office
where users use machines.
In an office you protect booting in the bios with a password, perhaps
seal the box so that it is not opened. Sometimes you remove external
buses, but sometimes they are needed.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” (Minas Tirith))
The exploit is done from one system to another over firewire to make the system think it’s a device;
Inception’s main mode works as follows: By presenting a [Serial Bus Protocol 2 (SBP-2)](http://en.wikipedia.org/wiki/Serial_Bus_Protocol_2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port.
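An added example, not from the thread and not Inception’s code: a POSIX shell audit for a Linux/openSUSE laptop that reports which FireWire driver modules are loaded and prints a modprobe.d fragment to keep them from loading. On the newer Linux FireWire stack it is the SBP-2 login, triggered by exactly the kind of unit directory described above, that enables physical DMA for the remote node, so `firewire_sbp2` is the key one. The module names are real kernel modules; the sample /proc/modules text and the file name `50-no-firewire.conf` are constructed here.

```shell
#!/bin/sh
# Added example: audit a Linux host for FireWire driver modules and emit a
# modprobe.d blacklist that keeps them from loading. Run as root to apply.

# Real Linux module names relevant to this attack class:
#  firewire_ohci / ohci1394 : OHCI controller drivers (new and old stacks)
#  firewire_sbp2 / sbp2     : SBP-2 drivers; in the newer stack the SBP-2
#                             login is what enables physical DMA for the node
#  firewire_core / ieee1394 : core of each stack
RISKY_MODULES="firewire_sbp2 firewire_ohci firewire_core sbp2 ohci1394 ieee1394"

# Read lsmod-/proc/modules-style text on stdin (module name is the first
# word of each line) and print the risky modules present, one per line.
loaded_risky_modules() {
    awk -v list="$RISKY_MODULES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1 }'
}

# Render a modprobe.d fragment. "install <mod> /bin/true" also defeats an
# explicit "modprobe <mod>", which a plain "blacklist" line does not.
blacklist_conf() {
    for m in $RISKY_MODULES; do
        printf 'install %s /bin/true\n' "$(printf '%s' "$m" | tr '_' '-')"
    done
}

# Constructed sample of /proc/modules for a laptop with FireWire active.
SAMPLE_MODULES='firewire_sbp2 12345 0 - Live 0x0000000000000000
firewire_ohci 45678 0 - Live 0x0000000000000000
firewire_core 56789 2 firewire_sbp2,firewire_ohci, Live 0x0000000000000000
e1000e 123456 0 - Live 0x0000000000000000'

# Audit the live system when /proc/modules is readable, else the sample.
audit() {
    if [ -r /proc/modules ]; then
        found=$(loaded_risky_modules < /proc/modules)
    else
        found=$(printf '%s\n' "$SAMPLE_MODULES" | loaded_risky_modules)
    fi
    if [ -n "$found" ]; then
        echo "FireWire driver modules loaded:"; echo "$found"
        echo "Suggested content for /etc/modprobe.d/50-no-firewire.conf:"
        blacklist_conf
    else
        echo "No FireWire driver modules loaded."
    fi
}
audit
```

Blacklisting the modules only helps while the OS is running; disabling the controller in the BIOS, as suggested later in the thread, also covers the pre-boot window.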
No, I can’t: my internet at the moment is capped to 500 MB/month. My
browsing is very limited.
> The exploit is done from one system to another over firewire to make
> the system think it’s a device;
(I thought something special had to be connected)
OK, but what I said still holds: in an office, you have to allow some things
to the users, like plugging devices into the external buses. Someone may
abuse this by connecting a machine instead…
Years ago, before the Internet IIRC, I learned of a chap who went to phone
boxes with a small computer (could be a Spectrum :-? ) connected via a
ribbon cable to a pay-card look-alike which he inserted in the pay slot
of the phone box, in order to fool the thing and have free phone
calls… it was an abuse, of course.
There was a continuous war between the phone company and “clever” chaps.
You can only be safe by watching physically every machine you expose to
the public…
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” (Minas Tirith))
On Sat 03 Nov 2012 02:57:08 AM CDT, Carlos E. R. wrote:
> On 2012-11-03 02:56, malcolmlewis wrote:
>> Hi
>> Did you read the article?
> No, I can’t: my internet at the moment is capped to 500 MB/month. My
> browsing is very limited.
>> The exploit is done from one system to another over firewire to make
>> the system think it’s a device;
> (I thought something special had to be connected)
> OK, but what I said still holds: in an office, you have to allow some things
> to the users, like plugging devices into the external buses. Someone may
> abuse this by connecting a machine instead…
> Years ago, before the Internet IIRC, I learned of a chap who went to phone
> boxes with a small computer (could be a Spectrum :-? ) connected via a
> ribbon cable to a pay-card look-alike which he inserted in the pay slot
> of the phone box, in order to fool the thing and have free phone
> calls… it was an abuse, of course.
> There was a continuous war between the phone company and “clever” chaps.
> You can only be safe by watching physically every machine you expose to
> the public…
Ahh, data caps. I think there is one here, but I never get close to it
(50 GB from memory).
Sure, but again physical access and anything is possible…
–
Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.2 (x86_64) Kernel 3.4.11-2.16-desktop
up 5 days 4:11, 6 users, load average: 0.22, 0.28, 0.25
CPU Intel i5 CPU M520@2.40GHz | Intel Arrandale GPU
@PattiMichelle:
Since you are concerned, have you looked into your BIOS? I looked into
one machine’s BIOS and it has a setting to disable firewire; that is, I
think, the easiest solution for you.
–
PC: oS 12.2 x86_64 | i7-2600@3.40GHz | 16GB | KDE 4.8.5 | GeForce GT 420
ThinkPad E320: oS 12.2 x86_64 | i3@2.30GHz | 8GB | KDE 4.9.2 | HD 3000
eCAFE 800: oS 11.4 i586 | AMD Geode LX 800@500MHz | 512MB | lamp server
On 2012-11-03 13:26, Martin Helm wrote:
> @PattiMichelle:
> Since you are concerned, have you looked into your BIOS? I looked into
> one machine’s BIOS and it has a setting to disable firewire; that is, I
> think, the easiest solution for you.
Or unplug the cable inside.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” (Minas Tirith))
On Sat 03 Nov 2012 01:19:00 PM CDT, Carlos E. R. wrote:
> On 2012-11-03 13:26, Martin Helm wrote:
>> @PattiMichelle:
>> Since you are concerned, have you looked into your BIOS? I looked into
>> one machine’s BIOS and it has a setting to disable firewire; that is, I
>> think, the easiest solution for you.
> Or unplug the cable inside.
The other option, if present, is TPM; I have it on this notebook.
–
Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.2 (x86_64) Kernel 3.4.11-2.16-desktop
up 5 days 16:20, 5 users, load average: 0.16, 0.10, 0.12
CPU Intel i5 CPU M520@2.40GHz | Intel Arrandale GPU
Yes, as in lost or stolen laptop. I have not tried the tool, but it
is basically just a demonstration-of-technology tool. There are prolly
many other variants not publicly discussed that may be much
more powerful.
Apparently all such attacks need the machine lost/stolen while
logged in. Not sure. Looking for experts.
It is based on DMA - so other DMA interfaces, like PCMCIA are
also vulnerable. I guess, fill 'em with epoxy if you really care about
anyone having access. The current generation does not care as
much as mine - mostly because of facebook, I guess, but there
are legal implications, I’m sure.