A $300 Device Can Steal Mac FileVault2 Passwords (bleepingcomputer.com)
An anonymous reader writes: Swedish hardware hacker Ulf Frisk has created a device that can extract Mac FileVault2 (Apple's disk encryption utility) passwords from a device's memory before macOS boots and anti-DMA protections kick in. The extracted passwords are in cleartext, and they also double as the macOS logon passwords. The attack requires physical access, but it takes less than 30 seconds to carry out. A special device is needed, which runs custom software (available on GitHub), and uses hardware parts that cost around $300. Apple fixed the attack in macOS 10.12.2. The device is similar to what Samy Kamkar created with Poison Tap.
So I can go and buy a device for which the way in has already been fixed? Sounds pretty awesome to me. I know not everyone will be updated immediately, but it seems like Mac folks usually do keep up with them.
Agile Spaceport - You will never find a more wretched hive of scrum and villainy. We must be cautious.
No, this type of attack is very serious. Someone that leaves their laptop unattended for a short period of time can find their password stolen, without them realising anything other than that their laptop was mysteriously rebooted while they were on the loo.
The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.
I find that when I extract passwords, I prefer to have them in cleartext than not in cleartext.
The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.
Substitute 'thief' with 'police' and you can see why it might be a problem for some people.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.
Not necessarily a bigger issue. Sometimes having your data exposed can be far more serious than having your hardware stolen.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
So, it seems that this door has been closed as of 10.12.2
Remains to be seen if those machines that don't support 10.12 Sierra will get patches for their latest supported macOS version, of course.
s/kamker/kamkar/
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
IN SOVIET RUSSIA, a problem for some people SEES YOU!!!
What a country!
I wonder how often the police, fbi and so on used this.
Think of having an Apple device taken by the security services at an airport. The laptop is turned on behind a secure counter with an extra hidden device plugged in.
The top of the laptop can be seen, the rest is partially hidden. The user hears a boot sequence twice but is not asked to log in.
A power on test with boot screen is all that is asked for.
Your device's password, MAC and other details are now known to the security services on entry to a nation.
The hotel is listed. Could the password be the same at work or home, back in the users own nation?
The cost of getting into an Apple device is now very low and can be done while powering up a laptop and keeping a user distracted for a short time by a second person.
On return the user is sure they never had the laptop out of their sight and it was never accessed by office staff, hotel staff or any strangers. They keep on using the same laptop, OS and password.
Domestic spying is now "Benign Information Gathering"
How was that fixed?
I guess they cannot close Thunderbolt DMA access without rendering it unusable to boot. Hence I suspect they just randomized the location where the password is fetched in memory. And of course they probably made sure it is erased after use. Anyone has a clue?
Sometimes having your data exposed can be far more serious than having your hardware stolen.
How exactly is "having your data exposed" worse than "having your data exposed" + "having your hardware stolen"?
Isn't that like saying 2 is greater than 2+1 ?
When the exact same bad thing occurs in both cases A and B, but only in case B does a second bad thing also happen, clearly B is worse than A.
Yeah I don't think the odds are good if your unpatched Mac is stolen that the thief will try to decrypt your files. They will definitely reinstall the OS and resell it though.
how is this device similar to Poison Tap? Poison Tap used USB to mimic a network device and conduct a MITM attack harvesting cookies etc. from the outgoing network traffic on a powered computer with a web browser. Frisk's exploit uses a thunderbolt connection to dump a booting mac's memory before OSX is started.
Substitute 'thief' with 'police' and you can see why it might be a problem for some people.
"Suppose you were an idiot, and suppose you were a member of Congress; but I repeat myself." - Mark Twain
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Hardware gone - even the most unsophisticated Luser will suspect something's wrong here.
Silent hack - keep on trucking, I'm cool, my laptop is encrypted.
1 + 1 = 2
Faster! Faster! Faster would be better!
So armies of perps will be rolling around waiting for unattended laptops, so they can install this device and reboot? The likelihood of anyone outside of an active law enforcement investigation doing this is pretty slim. In fact, I always liken these attacks that require actual physical access to the computer as mostly clickbait.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Isn't that like saying 2 is greater than 2+1 ?
For extremely large values of 2 it is.
So when my computer boots I type in my password, then someone sneaks up and inserts this device while I'm standing there?
Some drink at the fountain of knowledge. Others just gargle.
Think of having an Apple device taken by the security services at an airport. The laptop is turned on behind a secure counter with an extra hidden device plugged in.
Think of doing the system update.
The likelihood of anyone outside of an active law enforcement investigation is pretty slim
Perhaps, perhaps not. What about those card-skimmer devices that people attach to ATMs? They require physical access, and are exploiting a security flaw in a sense, and - for a while at least - were quite widespread. It's also a big deal if a laptop is used to store actually sensitive data, and you thought you were safe because of disk encryption, or whatever, but it turned out that all the bad guys need to do is wait for you to leave your laptop unattended for five minutes.
The 'hack' requires the device to be plugged in while the user types in the password. It's an advanced type of key logger but requires a huge chunk of hardware to be attached.
Custom electronics and digital signage for your business: www.evcircuits.com
The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.
Substitute 'thief' with 'police' and you can see why it might be a problem for some people.
Substitute 'police' with 'hookers' and you can see why it might be a problem for some people.
The 'hack' requires the device to be plugged in while the user types in the password. It's an advanced type of key logger but requires a huge chunk of hardware to be attached.
NO it doesn't, and it isn't a key logger. The attack requires you to have simply left your machine either turned on or asleep; someone walks up to it, plugs this into the Thunderbolt port and then reboots. They now have the credentials and can remove the device and walk away, leaving you none the wiser except that your machine rebooted (not exactly an uncommon occurrence).
luckily I use Windows and am not vulnerable to this attack
You'll also need the $30 dongle from Apple to plug the device into the computer. This will also make the theft more conspicuous.
The solution exists and is called fingerprint login (Touch ID). You can sit beside me and try to snap my password.
Hardware stolen: you are going to be immediately aware there is a problem. If you are lucky they will simply wipe the machine; if they are technical they may still get in, but at least you know to report the device and change passwords so they don't get access to anything beyond what is on the device, and certainly no further ongoing access.
Now lets try this hack, I plug the device in while you're in the shitter, reboot and walk away with your details. You may or may not notice the machine has rebooted but no indicator you are now completely compromised. I now have access whenever I feel like it on an ongoing basis and you won't know. As these are logon details I would assume this means I could establish remote connections to your machine as well to install or syphon off data at my leisure.
I've heard that with a skilled operator a $3 device can be almost 100% effective.
The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.
This is not true... as the article clearly states:
Therefore simply leaving your laptop unattended is not going to automagically disable the built-in anti-DMA protections that kick in during the boot up process and enable a passerby with PCILeech to steal your password and access your encrypted disk.
To gain access to your MacBook, the attacker needs to have the PCILeech plugged into a Thunderbolt 2 port when the computer is first switched on to perform a cold boot and you need to be running an unpatched pre-16C63a build of macOS and you need to login with your password at that very moment while it is plugged in. The prototype PCILeech is much bulkier than a spy camera and has to be plugged into the computer (and its own power source) while you are logging in in order to extract the password from memory... so it is highly unlikely that you are not going to notice this big external hard disk-like looking device plugged into your computer when you return from a bathroom break.
However, immunity from the PCILeech hack is free and easy... just upgrade to macOS 10.12.2
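The post above turns on one fact: whether the machine is running a build older than 16C63a (the 10.12.2 fix). Below is an added example, not code from the article, from PCILeech or from Apple, that parses Darwin build strings of the form major-letter-number-suffix (e.g. 16C63a) and compares them against that threshold, optionally reading the local build from `sw_vers -buildVersion` on a Mac. The 16C63a threshold is the one quoted in the thread; every other build string used here is constructed for illustration and is not claimed to correspond to a real release.

```python
"""Added example: is this macOS build older than the 10.12.2 (16C63a) fix?

Darwin build strings look like <major><letter><number>[<suffix>], e.g. 16C63a.
Comparing them as tuples (16, 'C', 63, 'a') gives the release order.
The 16C63a threshold is taken from the article quote in the thread; sample
builds passed to these functions elsewhere are constructed, not real releases.
"""
import platform
import re
import subprocess

BUILD_RE = re.compile(r"^(\d+)([A-Z])(\d+)([a-z]*)$")

# Build named in the article quote as the first one carrying the fix.
FIXED_BUILD = "16C63a"


def parse_build(build):
    """Split a Darwin build string into a comparable tuple.

    '16C63a' -> (16, 'C', 63, 'a'); a missing suffix sorts before 'a',
    so a respin (16C63a) is treated as newer than its base (16C63).
    """
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError("unrecognised macOS build string: %r" % (build,))
    major, letter, number, suffix = m.groups()
    return (int(major), letter, int(number), suffix)


def build_ge(build, threshold=FIXED_BUILD):
    """True if `build` is the same as or newer than `threshold`."""
    return parse_build(build) >= parse_build(threshold)


def needs_update(build, fixed=FIXED_BUILD):
    """True if the given build predates the fix and is still exposed."""
    return not build_ge(build, fixed)


def local_build():
    """Return the running machine's build via `sw_vers -buildVersion`.

    Only meaningful on macOS; returns None elsewhere so the module can be
    exercised offline on any platform.
    """
    if platform.system() != "Darwin":
        return None
    out = subprocess.check_output(["sw_vers", "-buildVersion"])
    return out.decode("ascii").strip()


def report(build):
    """One-line human-readable verdict for a build string."""
    if needs_update(build):
        return "%s predates %s: unpatched, apply the 10.12.2 update" % (build, FIXED_BUILD)
    return "%s is at or past %s: fix present" % (build, FIXED_BUILD)


if __name__ == "__main__":
    b = local_build()
    if b is None:
        print("not running on macOS; try: python3 thisfile.py and call report('16C63a')")
    else:
        print(report(b))
```

The comparison is deliberately purely lexical on the parsed tuple; it does not know anything about which machines Apple actually shipped a given build to, so it answers only "is this build string at or after 16C63a", which is exactly the condition the quoted article states.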
From the Article:
Since the hardware side of this hack requires a Thunderbolt port, don't suppose there's a chance of just disabling that port altogether, is there?
Just curious if the obvious answer is obvious, since many of us have found a use for Apple hardware, but have found little use for expensive proprietary bullshit.
Exposing my own naïveté, I have to say I'm always flabbergasted when the real hacks are easier and quicker than the stuff they claim to do in TV shows.
Apple and security is a joke. Their first priority is to make stuff work together in an Apple world.
To gain access to your MacBook, ... you need to login with your password at that very moment while it is plugged in.
First, the term "while" implies a continuous passage of time. You can't have something done "at that very moment" "while" something is taking place. That doesn't make any sense.
Second, that statement is totally false anyway (just watch the #@$!@ video) and since it's basically the basis of your entire post, I'd suggest deleting it and pretending it didn't get posted at all if that were actually an option. But it's not. So here we are attempting yet again to undo the damage of bad info getting posted on the internet by someone that didn't bother to actually understand what they were posting first.
The attack reads the user's clear text password from memory *before* the user types it in. In the video he clearly has the password provided to him well before he begins typing it into the login screen. And he even tries to prevent people like you from skimming and posting bad info by stating verbally that he's typing in the *extracted* password to demonstrate that it extracted the correct value.
Ugh. So much fail, so little time to clean up all these messes people leave behind.
That must have taken a lot of determination.
Why is this post marked informative? It's wrong; and it's wrong in a critical way as far as I can tell. The video shows the password extract being done immediately on reboot, NOT after the user types in his password. The password was entered later just to demonstrate that the correct password was extracted.
So pretty much, yeah, the OP was actually correct in his concern. Walk away from the laptop, someone swoops in, reboots, grabs your password and the deed is done.
Isn't that like saying 2 is greater than 2+1 ?
For extremely large values of 2 it is.
That's not mathematically possible. This only works for values of 1 that are less than zero.
Velociraptor = Distiraptor / Timeraptor
Bit confused about the disclosure timeline on this one - issue found, then presented at a conference to the public with videos recorded etc, THEN apple notified and they say "don't tell anyone yet!!!!" - but everyone had already been told at DEF CON. How does that work?
TheHustler
http://www.elmarko.org/ - Useless bilge
http://www.asylum-games.co.uk/ - Co-Founder
The term "while" has several meanings. One of them (noun) indicates the passage of time, e.g. "it's been a while" or "this is going to take a while", another (conjunction) is synonymous with "whereas", while yet another (conjunction) is "at the same time as". There are three more definitions for that word, one noun, one adverb, and one verb; I'll leave it to you to locate a dictionary and learn them.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
I'll leave it to you to locate a dictionary and learn them.
I'll leave it to you to find how many of those definitions make any sense in the context above. Hint...it's an integer value less than 1 and greater than -1. I'll also leave it to you to solve that riddle. Good luck!
Ok, Ok, one more hint. I'm a nice guy like that. Be sure to note the part about logging in "with your password". Unless you can do that instantaneously (you can't), there's passage of time implied in that whole section. "Login with your password" (as opposed to what else?) "at that very moment" (instantly?) "while it is plugged in" (instantly at some moment it's plugged in you're typing a password?). Nope...still makes no sense regardless of how many random definitions of while you go digging up on the internet.
The real concern here is that the password is stored in plaintext, or in such a way that it can be reversed to plaintext, in the first place. Sure, they've patched this particular means of accessing that plaintext, but you can still super-cool the RAM (on machines where the RAM is still removable) and transfer it to another machine for analysis, read the plaintext (or reversibly encrypted value) from wherever it is ultimately stored, and, I'm sure, a number of other exploits, some of which may be as covert as this exploit.
There have been successful exploits wherein RAM was read based on fluctuations in mains power measured from another room. Yes, the RAM had to be read several times by the host machine in order for the attacking machine to successfully discern the values, but that just means several reboots, rather than one.
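The post above makes the point that once a cleartext password is resident in RAM, any path to the memory image (DMA, a chilled-and-transplanted DIMM) is enough, because no kernel structure knowledge is needed to find it. As an added example, and not code from PCILeech, Frisk's tool or the article, here is the generic scan a practitioner runs over a raw memory image: locate printable ASCII and UTF-16LE runs and report their offsets. The memory image below is constructed in the script itself (filler bytes plus two planted strings at arbitrary offsets); it is not a real dump, and nothing here claims where macOS actually kept the FileVault password.

```python
"""Added example: scan a raw memory image for cleartext candidate secrets.

This is the dump-side step of any "password is sitting in RAM" attack:
given bytes obtained by DMA or a cold-boot transplant, pull out printable
runs in the two encodings a desktop OS is likely to use (ASCII and UTF-16LE).
The sample image is constructed inline and is not a real memory dump.
"""
import re


def ascii_strings(image, min_len=8):
    """Yield (offset, text) for every printable ASCII run >= min_len bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pat.finditer(image):
        yield m.start(), m.group().decode("ascii")


def utf16le_strings(image, min_len=8):
    """Yield (offset, text) for every run of >= min_len printable UTF-16LE chars.

    Each character is a printable byte followed by a NUL, which is how a
    little-endian UTF-16 string of basic Latin text is laid out in memory.
    """
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in pat.finditer(image):
        yield m.start(), m.group().decode("utf-16-le")


def scan(image, min_len=8):
    """Return a sorted list of (offset, encoding, text) candidates."""
    found = [(off, "ascii", s) for off, s in ascii_strings(image, min_len)]
    found += [(off, "utf-16le", s) for off, s in utf16le_strings(image, min_len)]
    return sorted(found)


def build_sample_image():
    """Constructed 4 KiB 'memory image': non-printable filler plus two plants.

    The filler alternates 0x00/0xFF so it never forms a printable run in
    either encoding; the two planted values and their offsets are arbitrary.
    """
    image = bytearray(b"\x00\xff" * 2048)          # 4096 bytes of filler
    ascii_secret = b"correct horse battery"        # constructed, at 0x400
    image[0x400:0x400 + len(ascii_secret)] = ascii_secret
    wide_secret = "Pa55w0rd-example".encode("utf-16-le")  # constructed, at 0xC00
    image[0xC00:0xC00 + len(wide_secret)] = wide_secret
    return bytes(image)


def grep_secret(image, needle, min_len=8):
    """Return the offsets at which `needle` (str) appears as a scanned string."""
    return [off for off, _enc, text in scan(image, min_len) if text == needle]


if __name__ == "__main__":
    img = build_sample_image()
    for off, enc, text in scan(img):
        print("0x%04x  %-8s  %r" % (off, enc, text))
```

Run against a real dump you would raise `min_len` and post-filter (dictionary words, known username nearby) to cut noise, but the essential observation stands: nothing about this step needs the kernel's cooperation, which is why keeping the secret in RAM at all is the design problem the post is pointing at.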
A plaintext password still exists in case the reader fails (and there are many reasons that it would).
Headline: "A $300 Device Can Steal Mac FileVault2 Passwords"
Text: "Apple fixed the attack in macOS 10.12.2."
Corrected Headline: "A $300 Device Can *NO LONGER* Steal Mac FileVault2 Passwords"
You need to work on your reading comprehension, because "at that very moment, ,b>at the same time as it is plugged in", while redundant, makes perfect sense.
HTML fail... "at that very moment, at the same time as it is plugged in"
In some respects yes, in others, not so much. Think about a corporate setting where within the context of an office people might leave their machines accessible on a regular basis. They go off to lunch, leave their laptop at their desk. Anybody can now go and grab their laptop, do a hard reboot and extract the passwords. Conveniently, a lot of people probably have filevault passwords that are the same as their network passwords. Now you have another user's network passwords and can do a whole bunch of things on their behalf.
How on earth is it okay, in 2016, to store plaintext passwords for a file encryption tool?
The other potential exploit for this is to bake it into commercially available Thunderbolt 2 devices. Bribe a janitor to stick 100 crafted VGA dongles in meeting rooms of the company you want to infiltrate and have the device send passwords either over the network or via some wireless protocol.
makes perfect sense
To a similarly brain dead, dense individual as the OP. I'll give you that much.
There's no "at that very moment" while something's happening. There are MANY such moments. Many, many moments in time pass "while" something is happening. Or, as you seem to favor, "at the same time as" something else is transpiring. In either stupid case, you can't pick an exact "very moment". Which "very moment"? The moment the device was plugged in? The moment it was plugged in for at least 2 seconds? Or the moment you typed your password? Oh, wait, that's not a moment either. That also has time passing along.
It's a stupid, idiotic statement and even if you can contort the wording to satisfy your own loose definitions, it's still wrong.
Regardless, the MAIN issue is that the entire rest of the OP's post was wrong too because it was based on that false statement...you don't have to login at all, no matter which moment you choose to do so.
The only way to reboot a locked macOS is to physically turn it off, this pretty much un-powers the memory and removes any trace of a password in there.
From what I understand, it can read the credentials in between the EFI unlocking the disk and the OS loading the VT-d protection, so either you have turned your machine to sleep in between those moments or you have a method of reloading the OS (soft reboot) without the memory in RAM decaying.
Just how long does it take you to type in your password?
These aren't my definitions, nor are they loose; these are established dictionary definitions, my friend.
I see why you post anonymously.
Regardless, the MAIN issue is that the entire rest of the OPs post was wrong too because it was based on that false statement
I never claimed otherwise, I'm merely attempting to correct your understanding of the English language.
Isn't that like saying 2 is greater than 2+1 ?
For extremely large values of 2 it is.
That's not mathematically possible. This only works for values of 1 that are less than zero.
I started to read and thought "No one could take what I said seriously!" Then I continued, and thought "Well played sir, well played".
How on earth is it okay, in 2016, to store plaintext passwords for a file encryption tool?
Now that's a different question, and you are correct - it isn't okay. And it isn't actually okay to have it accessible before the thing finishes booting. My entire argument isn't that it is not a bad thing, just that it isn't a likely thing. And in any event, the issue has been repaired with an update, so only un-updated machines will be at risk. I kinda doubt many of those were encrypted anyhow. Fortunately, I've never had a reason to not update a Mac.
A plaintext password still exists in case the reader fails (and there are many reasons that it would).
Yup, I use fingerprint ID, and it pops up the password screen upon reboot.
Now waiting for someone to start on about how someone can cut off my fingers and access my phone with it.
Haha, well, I don't think you'll be disappointed... sadly.
OMG you're dense. And, of course, at this point we've gotten deep enough into the mud slinging (starting with your suggestion that I locate a dictionary, BTW, and the implied condescension that goes along with it...just in case you try to deny having started this) that it's not going to be possible to exit out cleanly. Unless you're a bigger man than I am. But so far, that doesn't seem to be true. We seem to be equally petty. So I'll just keep slinging the mud your way if you want.
Look again at what I've written above. The OP said "at that very moment". WHICH VERY MOMENT IS HE SPECIFICALLY REFERRING TO? I don't care if it's 10 ms or 5 seconds. He's indicating the direct selection of some specific moment in time. THAT moment. WHICH MOMENT?
It can't be that "while it's plugged in" moment. That period of time is clearly a super set of the time it takes to type in a password. So which moment is he referring to?
You can't answer that. Because it's a nonsense question. And it's a nonsense question because it's trying to resolve a nonsense statement.
Here, let's try this another way. I'll state what I believe he intended to say and you see if you agree...at least to the extent that you agree it's a clearer statement even if you insist on believing the original statement is valid.
Here we go.
"you need to login with your password while the device is plugged in."
Whoa. See how much clearer that is? Just remove that impedance mismatch between "that moment" and "while it's plugged in" and it's golden. There's no reference to an ambiguous "moment in time" when something had to happen. It's simply that you have to do something while something else is true.
So which moment is he referring to?
You started by attacking his (correct) usage of the word "while". Now, you're attacking his usage of the word "moment". Which is it? Yes, he used one of them incorrectly; I stepped in because you attacked the correct usage, rather than the incorrect one. I also pointed out (separate from the context of the sentence in which "moment" was used incorrectly) that, while redundant, a sentence using both "moment" and "while" can make sense. Note that I did not claim that it made sense in this specific instance, just that the fragment I quoted does, in fact, make sense.
Also, before you say your issue isn't with his use of the word "moment", you literally just wrote:
There's no reference to a ambiguous "moment in time" when something had to happen.
While, on the other hand, you started your argument with the following:
First, the term "while" implies a continuous passage of time.
You'll have to excuse me for thinking you took issue with the usage of the word "while", here.
And, for the record, yes, the way you stated it is clearer; but, then, I never said the original statement was clear. But, of course, it mustn't have been too exceedingly unclear either, as we both appear to be in agreement as to its intended meaning. Yup, clear enough for the average reader to understand.
You missed the part in the video and article where he uses a key combo, cmd-ctrl-power to make the machine reboot without having to be authenticated.
So you are saying the security researchers are all liars and it isn't possible to reboot a sleeping Mac
oh really? perhaps you should actually watch the video or read the article.
Better hurry this along you guys, I'm almost out of popcorn...