A New Zealand-based security consultant has released a tool with which a Windows computer can be unlocked in seconds, without having to enter the password.
Sydney, March 4 : A New Zealand-based security consultant has released a tool with which a Windows computer can be unlocked in seconds, without having to enter the password.
Adam Boileau, a consultant with Immunity Inc., first unveiled the hack at a security conference in Sydney in 2006, where he revealed that it could affect Windows XP computers.
The tool, however, has yet not been tested on Windows Vista.
"(The tool could) unlock locked Windows machines or login without a password ... merely by plugging in your Firewire cable and running a command," the Sydney Morning Herald quoted Boileau as saying during an inteview for ITRadio's Risky Business podcast.
As to why he did not release the tool publicly in 2006, Boileau said: "Microsoft was a little cagey about exactly whether Firewire memory access was a real security issue or not and we didn't want to cause any real trouble."
Since the issue remains unresolved even after a couple of years, Boileau decided to release the tool on his web site.
A hacker wishing to use the new system must connect a Linux-based computer to a Firewire port on the target machine. The machine is then tricked into allowing the attacking computer to have read and write access to its memory.
Having gained full access to the memory of the target computer, the tool can modify Windows' password protection code stored in the machine, and render it ineffective.
Paul Ducklin, head of technology for security firm Sophos, said that he did not consider the security hole found by Boileau to be a vulnerability because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.
"If you have a Firewire port, disable it when you aren't using it. That way, if someone does plug into your port unexpectedly, your side of the Firewire link is dead, so they can't interact with your PC, legitimately or otherwise," Ducklin said.
He also suggested that people be careful while giving others physical access to their computers.
"I know people who'd think three times about asking passing strangers to take their photo in front of the Opera House in case they did a runner with the camera, yet who are much more casual with their laptop PC, as long as it's software-locked, even though the hardware alone is worth five times as much as the camera," he said.
Spokespersons for Microsoft were unavailable for comment.
ANI