Attack of the iPods!

A lot has been written about the threat of iPods, digital cameras and USB memory sticks to information security programs. Because all of these are basically high-capacity storage devices, they make it easy for thieves (whether insider or outsider) to slip into your organization, quickly download a bunch of confidential docs, and then slip out—and all the while, you thought that they were just enjoying some groovy tunes. Thieves can hide corporate secrets on the SD card of a digital camera, and if they want to be really sneaky, they can even delete the files so that the information won’t show up during a casual inspection. Then, when they get home, they can use an “undelete” program to recover the secrets.

But there is another important threat that portable storage poses to today’s information systems. Plug an iPod or USB stick into a PC running Windows and the device can literally take over the machine and search for confidential documents, copy them back to the iPod or USB’s internal storage, and hide them as “deleted” files. Alternatively, the device can simply plant spyware, or even compromise the operating system. Two features that make this possible are the Windows AutoRun facility and the ability of peripherals to use something called direct memory access (DMA). The first attack vector you can and should plug; the second vector is the result of a design flaw that’s likely to be with us for many years to come.

It’s a Bug, Not a Feature

AutoRun is the feature built into Windows that automatically runs a program specified by the file “autorun.inf” whenever a CD-ROM, DVD or USB drive is plugged into a Windows-based computer. The feature exists so that software makers can have pretty splash screens appear on the computer when the installation CD-ROM is placed into the drive. Unfortunately, there are few, if any, restrictions placed on what AutoRun programs can do—as far as Windows is concerned, it’s just another program that the user is running. So if a bad guy puts a nasty program onto a USB stick and can then convince one of your hapless users to plug that stick into their Windows-based computer, that bad guy has found a great attack vector for compromising your machines.

AutoRun is just a bad idea. People putting CD-ROMs or USB drives into their computers usually want to see what’s on the media, not have programs automatically run. Fortunately you can turn AutoRun off. A simple manual approach is to hold down the “Shift” key when a disk or USB storage device is inserted into the computer. A better way is to disable the feature entirely by editing the Windows Registry. There are many instructions for doing this online (just search for “disable autorun”) or you can download and use Microsoft’s TweakUI program, which is part of the Windows XP PowerToys download. With Windows XP you can also disable AutoRun for CDs by right-clicking on the CD drive icon in the Windows explorer, choosing the AutoPlay tab, and then selecting “Take no action” for each kind of disk that’s listed. Unfortunately, disabling AutoPlay for CDs won’t always disable AutoPlay for USB devices, so the registry hack is the safest course of action.

AutoRun isn’t just a problem for Windows. Back in the 1990s the Macintosh had a similar feature called Autostart that automatically ran QuickTime 2.0 files; Apple removed the feature from the operating system after the so-called Hong Kong virus (formally known as Autostart-9805) spread to thousands of computers in 1998. Likewise, the Palm operating system has a similar feature that automatically gives every program on an SD card the chance to run when that card is plugged into the expansion slot of a computer running PalmOS.

The AutoRun threat is very real and has been exploited on a massive scale. The Rootkit/spyware combination that Sony Music distributed last year on millions of compact discs was installed as part of an AutoRun script. Spyware was installed on Windows-based PCs all over the world. It turns out that the music CDs also included spyware for Macs, but on MacOS the spyware needed to be manually installed, and few Apple users bothered.

Worse than Autorun: Direct Memory Access

But as bad as AutoRun is, there’s a vulnerability built into practically every desktop computer and server that’s currently in use—and this is a vulnerability that affects PCs running Windows, Macs and quite possibly machines running Linux or even Solaris. The vulnerability is based on the direct memory access facilities built into the FireWire and USB standards.

Bypassing the Safeguards

There are basically two ways to move information between a computer system and the rest of the world. The first is called Programmed I/O (PIO), when the computer’s central processing unit carefully copies each byte of memory between the world and the computer. PIO is easy to implement—the early PCs used PIO exclusively—but it’s slow.

DMA, on the other hand, uses bulk data transfers to move blocks of information between the world and the PC’s memory. When early PCs moved from PIO to DMA, the maximum data transfer speed rose from 8MBps to 33MBps; today’s systems support transfer speeds of 133MBps or more. With DMA-based systems the CPU sets up the transfer and then goes off to work on other things. The disk or other DMA-aware device initiates the transfer all by itself when it is ready, and a message gets sent to the CPU when the transfer is finished. Because FireWire and USB were designed with the intention of connecting high-speed disk drives, both specifications have provisions for DMA. This means that, under many circumstances, a device that’s plugged into a FireWire or USB interface has the ability to read and write to individual physical memory locations inside a the host computer. Such access necessarily bypasses the host operating system and any security checks that it might wish to implement.

Recently a number of computer security researchers realized the tremendous potential of using DMA over FireWire or USB as an attack vector. At the CanSec West ’05 conference, Michael Becher, Maximillian Dornseif and Christian N. Klein demonstrated an exploit that used DMA read arbitrary memory locations of a FireWire-enabled system. The exploit was based on an iPod running Linux. For example, they could plug their customized iPod into a victim computer and grab a copy of that computer’s screen—not just without the computer’s permission, but even without its knowledge!

In theory, this iPod DMA technique could be used to send an attack to the victim that would disable certain security checks in the victim’s Windows operating system. Or the attacker could simply modify the running system so that instead of running user code, it instead scans the system’s hard drives for confidential documents and copies them to the iPod.

The exploit that the German trio demonstrated at CanSec ’05 was based on FireWire, and it’s not immediately clear that the attack would work on USB-based systems. While USB-based systems do have DMA, it’s not clear if the particular kind of DMA-based attack developed for FireWire-based systems will work on PCs that have only external USB ports.

On the other hand, there’s been ample evidence that USB-only PCs running Windows are susceptible to yet another kind of attack: a buffer-overflow attack that’s made possible because of poorly written USB drivers. Ever plugged a USB device into a Windows box and gotten an error that some program had experienced a “fatal exception”? Those errors were caused by a coding error inside the USB device driver. Such coding errors can be exploited by USB devices as yet another way of taking over computers running the Windows operating system.

Untrustworthy Computing

The fundamental problem behind all of the attacks discussed here is that developers at Microsoft, Apple and other organizations have assumed for years that hardware is a trusted resource. Designers just haven’t considered that an iPod or USB memory stick plugged into a desktop computer is going to turn around and start attacking the machine—and, as a result, today’s computers are not defended against these kinds of attacks. This attitude is surprising given the experience the computer industry had with floppy-based viruses back in the 1990s, but that problem was largely solved through the use of antivirus software, rather than by fundamentally changing our operating systems or design principles.

On the other hand, we probably won’t see a new generation of USB and FireWire-based attacks coming out. That’s because most hardware plugged into a USB or FireWire port is, in fact, benign. In a high-security environment it makes sense to plug a computer’s USB and FireWire ports, but for most applications the usefulness of these technologies is probably worth the risk. Nevertheless, it’s a shame that today’s FireWire and USB-based systems weren’t designed with security in mind. It wouldn’t have been hard to build security in from the beginning—for example, by allowing DMA only to specific memory addresses that had been previously designated by the host operating system. Sadly, that’s a decision that would have had to be made years ago.