Hi. I booted Tails' latest release and was able to scrape memory contents
via FireWire. All the necessary FireWire modules are enabled by default and
Inception worked out of the box. This would let someone root a machine
through, say, a daisy-chained Thunderbolt monitor.
I'd either remove support from the kernel, blacklist the modules in
modprobe, or disable support with a boot param.
IOMMU should be enabled as well for good measure, although it can be
circumvented.
Cheers.
On Oct 12, 2012 5:48 PM, "Jacob Appelbaum" <jacob@???> wrote:
> Maxim Kammerer:
> > On Sat, Oct 13, 2012 at 1:30 AM, Jacob Appelbaum
> > <jacob@???> wrote:
> >> I would add Thunderbolt to the list as well:
> >>
> >> http://www.breaknenter.org/2012/02/adventures-with-daisy-in-thunderbolt-dma-land-hacking-macs-through-the-thunderbolt-interface/
> >
> > As far as I can see, all these attacks (PCMCIA, ExpressCard,
> > Thunderbolt) rely on attaching to a FireWire interface one way or
> > another, and then accessing arbitrary memory via DMA. But such
> > ability is (or can be) disabled by default in the newer firewire-ohci
> > module, as described in "debugging-via-ohci1394.txt", and even
> > discussed on the relevant Tails TODO page. So why disable the
> > interfaces? Looks like an overkill to me.
> >
>
> My understanding is that this assumption doesn't actually pan out in
> practice. I've cc'ed Steve who may have some more information to
> contribute. As I understand things, he found that as predicted, the
> default "it is off" doesn't actually always turn DMA off.
>
> All the best,
> Jacob
>
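
The top message proposes blacklisting the FireWire modules in modprobe. The following check is an added example, not part of the thread or of Tails: it reports, per module, whether it is loaded, blocked by an `install` override, merely blacklisted, or unrestricted. The module list, the function names `fw_status` and `fw_audit`, and the sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report how each FireWire module is
# restricted, given a /proc/modules-style file and a modprobe.d-style directory.

# Modules of the current and legacy Linux FireWire stacks (assumed list).
FW_MODULES="firewire_core firewire_ohci firewire_sbp2 firewire_net ohci1394 sbp2 ieee1394 raw1394"

# fw_status MODULE PROC_MODULES MODPROBE_DIR
# Prints: loaded | blocked (install override) | blacklisted | open
fw_status() {
    mod=$(printf '%s' "$1" | tr '-' '_')   # modprobe treats - and _ alike
    if awk -v m="$mod" '$1 == m { f = 1 } END { exit !f }' "$2"; then
        echo loaded; return 0
    fi
    # Merge the config files, drop comments, normalise names.
    conf=$(cat "$3"/*.conf 2>/dev/null | sed 's/#.*//' | tr '-' '_')
    if printf '%s\n' "$conf" | awk -v m="$mod" \
        '$1 == "install" && $2 == m && $3 ~ /\/(false|true)$/ { f = 1 } END { exit !f }'; then
        echo blocked       # modprobe runs the override instead of loading
    elif printf '%s\n' "$conf" | awk -v m="$mod" \
        '$1 == "blacklist" && $2 == m { f = 1 } END { exit !f }'; then
        echo blacklisted   # only alias-based auto-loading is suppressed
    else
        echo open
    fi
}

# fw_audit PROC_MODULES MODPROBE_DIR
# Lists every module; returns 1 if any is loaded or unrestricted.
fw_audit() {
    rc=0
    for m in $FW_MODULES; do
        s=$(fw_status "$m" "$1" "$2")
        printf '%-14s %s\n' "$m" "$s"
        case $s in loaded|open) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample input: one module loaded, one blocked, one blacklisted.
demo=$(mktemp -d)
printf 'firewire_core 65536 1 firewire_ohci, Live 0x0\n' > "$demo/modules"
printf 'blacklist firewire-sbp2\ninstall firewire-ohci /bin/false\n' > "$demo/fw.conf"
fw_audit "$demo/modules" "$demo" || echo "FireWire exposure remains"
```

On a live system the call would be `fw_audit /proc/modules /etc/modprobe.d`. The check does not see drivers compiled into the kernel or settings given on the kernel command line.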