A $300 Device Can Steal Mac FileVault2 Passwords

An anonymous reader writes: Swedish hardware hacker Ulf Frisk has created a device that can extract Mac FileVault2 (Apple's disk encryption utility) passwords from a device's memory before macOS boots and anti-DMA protections kick in. The extracted passwords are in cleartext, and they also double as the macOS logon passwords. The attack requires physical access, but it takes less than 30 seconds to carry out. A special device is needed, which runs custom software (available on GitHub), and uses hardware parts that cost around $300. Apple fixed the attack in macOS 10.12.2. The device is similar to what Samy Kamker created with Poison Tap.

Even worse

[Ol+Olsoc]

I can break any unsername and password on any computer. All it takes is this device called a camera - that if set up properly, will expose every single keystroke.

When the hell are computer makers going to fix this terrible oversight?

Re:Even worse

[brantondaveperson]

No, this type of attack is very serious. Someone that leaves their laptop unattended for a short period of time can find their password stolen, without them realising anything other than that their laptop was mysteriously rebooted while they were on the loo.

Re:Even worse

The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.

Re:Even worse

[TechyImmigrant]

The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.

Substitute 'thief' with 'police' and you can see why it might be a problem for some people.

Re:Even worse

[BitterOak]

The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.

Not necessarily a bigger issue. Sometimes having your data exposed can be far more serious than having your hardware stolen.

Re:Even worse

IN SOVIET RUSSIA, a problem for some people SEES YOU!!!

What a country!

Re:Even worse

[AHuxley]

Think of having an Apple device taken by the security services at an airport. The laptop is turned on behind a secure counter with an extra hidden device plugged in.
The top of the laptop can be seen, the rest is partial hidden. The user hears a boot sequence twice but is not asked to log in.
A power on test with boot screen is all that is asked for.
Your devices password, MAC and other details are now known to the security services on entry to a nation.
The hotel is listed. Could the password be the same at work or home, back in the users own nation?
The cost of getting into an Apple device is now very low and can be done while powering up a laptop and keeping a user distracted for a short time by a second person.
On return the user is sure they never had the laptop out of their sight and it was never accessed by office staff, hotel staff or any strangers. They keep on using the same laptop, OS and password.

Re:Even worse

Sometimes having your data exposed can be far more serious than having your hardware stolen.

How exactly is "having your data exposed" worse than "having your data exposed" + "having your hardware stolen"?

Isn't that like saying 2 is greater than 2+1 ?

When the exact same bad thing occurs in both cases A and B, but only in case B does a second bad thing also happen, clearly B is worse than A.

Re:Even worse

Yeah I don't think the odds are good if your unpatched Mac is stolen that the thief will try to decrypt your files. They will definitely reinstall the OS and resell it though.

Re:Even worse

[rmdingler]

Substitute 'thief' with 'police' and you can see why it might be a problem for some people.

"Suppose you were an idiot, and suppose you were a member of Congress; but I repeat myself." - Mark Twain

Re:Even worse

[ColdWetDog]

Hardware gone - even the most unsophisticated Luser will suspect something's wrong here.

Silent hack - keep on trucking, I'm cool, my laptop is encrypted.

1 + 1 = 2

Re:Even worse

[Ol+Olsoc]

So armies of perps will be rolling around waiting for unattended laptops? so they can install this device and reboot? The likelyhood of anyone outside of an active Law enforcement investigation is pretty slim. In fact, I always liken these attacks that require actual physical access to the computer as mostly clickbait.

Re:Even worse

[Ol+Olsoc]

Isn't that like saying 2 is greater than 2+1 ?

For extremely large values of 2 it is.

Re:Even worse

[Ol+Olsoc]

Think of having an Apple device taken by the security services at an airport. The laptop is turned on behind a secure counter with an extra hidden device plugged in.

Think of doing the system update.

Re:Even worse

[brantondaveperson]

The likelyhood of anyone outside of an active Law enforcement investigation is pretty slim

Perhaps, perhaps not. What about those card-skimmer devices that people attach to ATMs? They require physical access, and are exploiting a security flaw in a sense, and - for a while at least - were quite widespread. It's also a big deal if a laptop is used to store actually sensitive data, and you thought you were safe because of disk encryption, or whatever, but it turned out that all the bad guys need to do is wait for you to leave your laptop unattended for five minutes.

Re:Even worse

[guruevi]

The 'hack' requires the device to be plugged in while the user types in the password. It's an advanced type of key logger but requires a huge chunk of hardware to be attached.

Re:Even worse

The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.

Substitute 'thief' with 'police' and you can see why it might be a problem for some people.

Substitute 'police' with 'hookers' and you can see why it might be a problem for some people.

Re:Even worse

[gravewax]

The 'hack' requires the device to be plugged in while the user types in the password. It's an advanced type of key logger but requires a huge chunk of hardware to be attached.

NO it doesn't and isn't a key logger. The attack requires you to have simply left your machine either turned on or asleep, someone walks up to it and plugs this into the thunderbolt port and then reboots. They now have the credentials and can remove the device and walk away leaving you none the wiser except that your machine rebooted (not exactly an uncommon occurance).

Re:Even worse

The solutions exists and is called fingerprint login (Touch ID). You can sit beside me and try to snap my password.

Re:Even worse

Hardware stolen you are going to be immediately aware their is a problem, if you are lucky they will simply wipe the machine, if they are technical they may still get in but at least you know to report the device, change passwords so they don't get access to anything beyond what is on the device and certainly no further ongoing access.

Now lets try this hack, I plug the device in while you're in the shitter, reboot and walk away with your details. You may or may not notice the machine has rebooted but no indicator you are now completely compromised. I now have access whenever I feel like it on an ongoing basis and you won't know. As these are logon details I would assume this means I could establish remote connections to your machine as well to install or syphon off data at my leisure.

Re:Even worse

[Flytrap]

The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.

This is not true... as the article clearly states:

Swedish hardware hacker Ulf Frisk has created a device that can extract Mac FileVault2 (Apple's disk encryption utility) passwords from a device's memory before macOS boots and anti-DMA protections kick in.

Therefore simply leaving your laptop unattended is not going to automagically disable the built-in anti-DMA protections that kick in during the boot up process and enable a passerby with PCILeech to steal your password and access your encrypted disk.

To gain access to your MacBook, the attacker needs to have the PCILeech plugged into a Thunderbolt 2 port when the computer is first switched on to perform a cold boot and you need to be running an unpatched pre-16C63a build of macOS and you need to login with your password at that very moment while it is plugged in. The prototype PCILeech is much bulkier than a spy camera and has to be plugged into the computer (and its own power source) while you are logging in in order to extract the password from memory... so it is highly unlikely that you are not going to notice this big external hard disk-like looking device plugged into your computer when you return from a bathroom break.

However, immunity from the PCILeech hack is free and easy... just upgrade to macOS 10.12.2

From the Article:

"The solution Apple decided upon and rolled out is a complete one. At least to the extent that I have been able to confirm," Frisk said. "It is no longer possible to access memory prior to macOS boot. The Mac is now one of the most secure platforms with regards to this specific attack vector."

Re:Even worse

[Bongo]

Exposing my own naïveté, I have to say I'm always flabbergasted when the real hacks are easier and quicker than the stuff they claim to do in TV shows.

Re:Even worse

To gain access to your MacBook, ... you need to login with your password at that very moment while it is plugged in.

First, the term "while" implies a continuous passage of time. You can't have something done "at that very moment" "while" something is taking place. That doesn't make any sense.

Second, that statement is totally false anyway (just watch the #@$!@ video) and since it's basically the basis of your entire post, I'd suggest deleting it and pretending it didn't get posted at all if that were actually an option. But it's not. So here we are attempting yet again to undo the damage of bad info getting posted on the internet by someone that didn't bother to actually understand what they were posting first.

The attack reads the user's clear text password from memory *before* the user types it in. In the video he clearly has the password provided to him well before he begins typing it into the login screen. And he even tries to prevent people like you from skimming and posting bad info by stating verbally that he's typing in the *extracted* password to demonstrate that it extracted the correct value.

Ugh. So much fail, so little time to clean up all these messes people leave behind.

Re:Even worse

[twdorris]

Why is this post marked informative? It's wrong; and it's wrong in a critical way as far as I can tell. The video shows the password extract being done immediately on reboot, NOT after the user types in his password. The password was entered later just to demonstrate that the correct password was extracted.

So pretty much, yeah, the OP was actually correct his in concern. Walk away from the laptop, someone swoops in, reboots, grabs your password and the deed is done.

Re:Even worse

[apoc.famine]

Isn't that like saying 2 is greater than 2+1 ?

For extremely large values of 2 it is.

That's not mathematically possible. This only works for values of 1 that are less than zero.

Re:Even worse

[BronsCon]

The term "while" as several meanings. One of them (noun) indicates the passage of time, e.g. "it's been a while" or "this is going to take a while", another (conjunction) is synonymous with "whereas", while yet another (conjunction) is "at the same time as". There are three more definitions for that word, one noun, one adverb, and one verb; I'll leave it to you to locate a dictionary and learn them.

Re:Even worse

I'll leave it to you to locate a dictionary and learn them.

I'll leave it to you to find how many of those definitions make any sense in the context above. Hint...it's an integer value less than 1 and greater than -1. I'll also leave it to you to solve that riddle. Good luck!

Ok, Ok, one more hint. I'm a nice guy like that. Be sure to note the part about logging in "with your password". Unless you can do that instantaneously (you can't), there's passage of time implied in that whole section. "Login with your password" (as opposed to what else?) "at that very moment" (instantly?) "while it is plugged in" (instantly at some moment it's plugged in you're typing a password?). Nope...still makes no sense regardless of how many random definitions of while you go digging up on the internet.

Re:Even worse

[BronsCon]

The real concern here is that the password is stored in plaintext, or in such a way that it can be reversed to plaintext, in the first place. Sure, they've patched this particular means of accessing that plaintext, but you can still super-cool the RAM (on machines where the RAM is still removable) and transfer it to another machine for analysis, read the plaintext (or reversibly encrypted value) from wherever it is ultimately stored, and, I'm sure, a number of other exploits, some of which may be as covert as this exploit.

There have been successful exploits wherein RAM was read based on fluctuations in mains power measured from another room. Yes, the RAM had to be read several times by the host machine in order for the attacking machine to successfully discern the values, but that just means several reboots, rather than one.

Re:Even worse

[BronsCon]

A plaintext password still exists in case the reader fails (and there are many reasons that it would).

Re:Even worse

[BronsCon]

You need to work on your reading comprehension, because "at that very moment, ,b>at the same time as it is plugged in", while redundant, makes perfect sense.

Re:Even worse

[BronsCon]

HTML fail... "at that very moment, at the same time as it is plugged in"

Re:Even worse

[Stewie241]

In some respects yes, in others, not so much. Think about a corporate setting where within the context of an office people might leave their machines accessible on a regular basis. They go off to lunch, leave their laptop at their desk. Anybody can now go and grab their laptop, do a hard reboot and extract the passwords. Conveniently, a lot of people probably have filevault passwords that are the same as their network passwords. Now you have another user's network passwords and can do a whole bunch of things on their behalf.

How on earth is it okay, in 2016, to store plaintext passwords for a file encryption tool?

The other potential exploit for this is to bake it into commercially available Thunderbolt 2 devices. Bribe a janitor to leave stick 100 crafted VGA dongles in meeting rooms of the company you want to infiltrate and have the device send passwords either over the network or via some wireless protocol.

Re:Even worse

makes perfect sense

To a similarly brain dead, dense individual as the OP. I'll give you that much.

There's no "at that very moment" while something's happening. There are MANY such moments. Many, many moments in time pass "while" something is happening. Or, as you seem to favor, "at the same time as" something else is transpiring. In either stupid case, you can't pick an exact "very moment". Which "very moment"? The moment the device was plugged in? The moment it was plugged in for at least 2 seconds? Or the moment you typed your password? Oh, wait, that's not a moment either. That also has time passing along.

It's a stupid, idiotic statement and even if you can contort the wording to satisfy your own loose definitions, it's still wrong.

Regardless, the MAIN issue is that the entire rest of the OPs post was wrong too because it was based on that false statement...you don't have to login at all, no matter which moment you choose to do so.

Re:Even worse

[guruevi]

The only way to reboot a locked macOS is to physically turn it off, this pretty much un-powers the memory and removes any trace of a password in there.

From what I understand, it can read the credentials in between the EFI unlocking the disk and the OS loading the VT-d protection, so either you have turned your machine to sleep in between those moments or you have a method of reloading the OS (soft reboot) without the memory in RAM decaying.

Re:Even worse

[BronsCon]

moment noun: a very brief period of time.

Just how long does it take you to type in your password?

These aren't my definitions, nor are they loose; these are established dictionary definitions, my friend.

I see why you post anonymously.

Regardless, the MAIN issue is that the entire rest of the OPs post was wrong too because it was based on that false statement

I never claimed otherwise, I'm merely attempting to correct your understanding of the English language.

Re:Even worse

[Ol+Olsoc]

Isn't that like saying 2 is greater than 2+1 ?

For extremely large values of 2 it is.

That's not mathematically possible. This only works for values of 1 that are less than zero.

I started to read and thought "No one could take what I said seriously!" Then I continued, and thought "Well played sir, well played".

Re:Even worse

[Ol+Olsoc]

How on earth is it okay, in 2016, to store plaintext passwords for a file encryption tool?

Now that's a different question, and you are correct - it isn't okay. And it isn't actually okay to have it accessible before the thing finishes booting. My entire argument isn't that it is not a bad thing, just that it isn't a likely thing. And in any even, the issue has been repaired with an update, so only un-updated machines will be at risk. I kinda doubt many of those were encrypted anyhow. Fortunately, I've never had a reason to not update a Mac.

Re:Even worse

[Ol+Olsoc]

A plaintext password still exists in case the reader fails (and there are many reasons that it would).

Yup, I use fingerprint ID, and it pops up the password screen upon reboot.

Now wating for someone to start on about how someone can cut off my fingers and access my phone with it.

Re:Even worse

[BronsCon]

Haha, well, I don't think you'll be disappointed... sadly.

Re:Even worse

OMG you're dense. And, of course, at this point we've gotten deep enough into the mud slinging (starting with your suggestion that I locate a dictionary, BTW, and the implied condescension that goes along with it...just in case you try to deny having starting this) that it's not going to be possible to exit out cleanly. Unless you're a bigger man than I am. But so far, that doesn't seem to be true. We seem to be equally petty. So I'll just keep slinging the mud your way if you want.

Look again at what I've written above. The OP said "at that very moment". WHICH VERY MOMENT IS HE SPECIFICALLY REFERRING TO? I don't care if it's 10 ms or 5 seconds. He's indicating the direct selection of some specific moment in time. THAT moment. WHICH MOMENT?

It can't be that "while it's plugged in" moment. That period of time is clearly a super set of the time it takes to type in a password. So which moment is he referring to?

You can't answer that. Because it's a non-sense question. And it's a non-sense questions because it's trying to resolve a non-sense statement.

Here, let's try this another way. I'll state what I believe he intended to say and you see if you agree...at least to the extent that you agree it's a clearer statement even if you insist on believing the original statement is valid.

Here we go.

"you need to login with your password while the device is plugged in."

Whoa. See how much clearer that is? Just remove that impedance mismatch between "that moment" and "while it's plugged in" and it's golden. There's no reference to a ambiguous "moment in time" when something had to happen. It's simply that you have to do something while something else is true.

Re:Even worse

[BronsCon]

So which moment is he referring to?

You started by attacking his (correct) usage of the word "while". Now, you're attacking his usage of the word "moment". Which is it? Yes, he used one of them incorrectly; I stepped in because you attacked the correct usage, rather than the incorrect one. I also pointed out (separate from the context of the sentence in which "moment" was used incorrectly) that, while redundant, a sentence using both "moment" and "while" can make sense. Note that i did not claim that it made sense in this specific instance, just that the fragment I quoted does, in fact, make sense.

Also, before you say your issue isn't with his use of the word "moment", you literally just wrote:

There's no reference to a ambiguous "moment in time" when something had to happen.

While, on the other hand, you started your argument with the following:

First, the term "while" implies a continuous passage of time.

You'll have to excuse me for thinking you took issue with the usage of the word "while", here.

And, for the record, yes, the way you stated it is clearer; but, then, I never said the original statement was clear. But, of course, it mustn't have been too exceedingly unclear either, as we both appear to be in agreement as to its intended meaning. Yup, clear enough for the average reader to understand.

Re:Even worse

[damacus]

You missed the part in the video and article where he uses a key combo, cmd-ctrl-power to make the machine reboot without having to be authenticated.

Re:Even worse

So you are saying the security researchers are all liars and it isn't possible to reboot a sleeping Mac

Re:Even worse

[gravewax]

oh really? perhaps you should actually watch the video or read the article.

$300...Really???

[tomservo84]

So I can go and buy a device for which the way in has already been fixed? Sounds pretty awesome to me. I know not everyone will be updated immediately, but it seems like Mac folks usually do keep up with them.

Re:$300...Really???

It's even more awesome! I would have to download Flash to watch the demo video!
The horror... the horror... the horror...

Re:$300...Really???

[93+Escort+Wagon]

Yeah, I was gonna mention this requires additional hardware.

Not only do you need to buy this $300 Thunderbolt box... you also need an unpatched Mac. And have you priced those things?

Re:$300...Really???

[guruevi]

The $300 device can also do the following:

Retrieve memory from the target system at >150MB/s.
Write data to the target system memory.
4GB memory can be accessed in native DMA mode.
ALL memory can be accessed if kernel module (KMD) is loaded.
Execute kernel code on the target system.
Spawn system shell [Windows].
Spawn any executable [Windows].
Load unsigned drivers [Windows].
Pull files [Linux, FreeBSD, Windows, macOS].
Push files [Linux, Windows, macOS].
Patch / Unlock (remove password requirement) [Windows, macOS].

All of the above does not work in latest macOS and Linux, works in pretty much any older Linux or Windows version, protection feature set for Windows only available in Windows Enterprise.

Re:$300...Really???

Ask how long he's been selling those boxes quietly for 3k or more. Now that the vulnerability is patched go ahead and give it away publicly while selling a new and improved box.

Cleartext

[dohzer]

I find that when I extract passwords, I prefer to have them in cleartext than not in cleartext.

Re:Cleartext

[radicimo]

I find that when I extract passwords, I prefer to have them in cleartext than not in cleartext.

Not exactly cleartext (but close):

The password, when entered, is stored in memory as unicode. Every 2nd byte will be zero if a password consisting only of ascii characters is used. Enter a "random" phrase, not naturally occurring in memory, at the password prompt. In this example the phrase eerrbbnn is used. In memory this is stored as 6500650072007200620062006e006e

Setting aside the device, just finding the exploit, cleartext or not, is an accomplishment. I'm not entirely sure all the steps one would take, but guessing it would involve starting with the supposition that a vulnerability like this might exist. Then writing a software tool to dump DMA memory very early in the boot process from EFI, prior to the OS, or perhaps concocting a remote EFI debugger. Does such a thing exist? If you have a memory dump, should be possible to perform a search in something like IDA Pro for a known string as a 'eerrbbnn' whether unicode or not.

Beyond that he performed the test frequently enough to determine "The password is put in multiple memory locations - which all seems to move around between reboots, but within a fixed memory range." So he likely had to automate his homebrew toolchain to generate enough samples to determine this.

But still the device is some next level shit,

Re:Cleartext

[radicimo]

The Def Con talk is quite informative regarding tools and methods ... OS X starts around 30:00 mark.

https://www.youtube.com/watch?...

He accesses memory of a running system kernel using a variation of the pcileech and then uses Volatility to examine the dump. I guess the key is that "the FileVault password is stored in clear text in memory and that it's not automatically scrubbed from memory once the disk is unlocked." No need to do anything prior to OS load, except set a boot flag, and he's leveraging an earlier device called Slotscreamer. Still impressive, especially pulling /etc/shadow and pushing it back onto an encrypted drive via DMA at the end of his talk.

From the article

[berj]

December 13th: Apple released macOS 10.12.2 which contains the security update. At least for some hardware - like my MacBook Air.

Conclusion
The solution Apple decided upon and rolled out is a complete one. At least to the extent that I have been able to confirm. It is no longer possible to access memory prior to macOS boot. The mac is now one of the most secure platforms with regards to this specific attack vector.

So, it seems that this door has been closed as of 10.12.2

Remains to be seen if those machines that don't support 10.12 Sierra will get patches for their latest supported macOS version, of course.

Re:From the article

[DaphneDiane]

Are there any thunderbolt equipped Macs that don't support 10.12.2?

Re:From the article

[ColdWetDog]

Yep, my 2011 17 inch MBP - old enough so Sierra isn't an option. Has a Thunderbolt port.

Of course, Apple acts like it only sold ten of the things so it has no interest in updating that particular model. But I'm not bitter. Not in the slightest.

Re:From the article

[Skuld-Chan]

Apple doesn't release security fixes for major bugs on previous OS's for the most part. As an exception and a lesson on how Apple deals with security issues - check out the history of the rootpipe exploit.

And yes - they did eventually fix that on previous versions of the OS after security experts shamed them publicly - almost a year later. Rootpipe was one of the worst security vulnerabilities - privilege escalation - and you can see how seriously they took it.

Re:From the article

[DaphneDiane]

Haven't booted my 17" in a while, but knew it ran at least El Captain. Thought it was 2010 and newer for Sierra. Just noticed when searching that I better bring my system in for the recall.

Re:From the article

[ameline]

I updated my 17 inch late 2011 macbook pro with 10.12.2, and it updated the firmware as part of that upgrade.

So it looks likely that they plugged the hole.

Re:From the article

[Just+Some+Guy]

My early 2011 15" MBP runs Sierra like a champ.

Re:From the article

No. It supports sierra.

Re:From the article

A 5 second google search shows mid 2010 machines and later can support Sierra.

Care to try again, this time actually knowing what you're talking about?

Re:From the article

They run it well (providing you have an ssd drive).

Re:From the article

[DarkVader]

As others have noted, you have no issue. The 2011 runs it just fine. I've got a 2011 17 running Sierra, it's actually the machine I used for the beta versions of it. I'm typing this on a 2011 15 running Sierra.

typo

[behrooz0az]

s/kamker/kamkar/

Did the police use this?

I wonder how often the police, fbi and so on used this.

Re:Did the police use this?

[AHuxley]

AC its interesting.
The amount of crypto that the gov can just 'read' or OS that get gov/mil malware loggers installed by the "owner" totally bypassing any 3rd party security.
Its telling that security services globally are happy to see a computer boot up a few times rather than request a user log in.
The user walks away feeling that their existing long password is still ok.
Would the average user change their password?
Are people confident that all wireless systems became active well after log in on all consumer OS on all hardware?
No way wireless or infrared would offer the same result going back many years?
Is it a total impossibility that this could work with wireless given power on sequences within all generations of laptops?

How was that fixed?

[manu0601]

How was that fixed?

I guess they cannot close thunderbolt DMA access without redering it unusable to boot. Hence I suspect they just randomized the location where the password is fetched in memory. And of course they probably made sure it is erased after use. Anyone has a clue?

Re:How was that fixed?

[guruevi]

The 'hack' is prevented by enabling VT-d (basically virtualization of the PCIe devices) which prevents PCIe devices to have direct access to the hypervisor's memory.

Re:How was that fixed?

[manu0601]

I do not get it. Wasn't that supposed to happen before system boot? There is an hypervisor at work in UEFI environment?

Re:How was that fixed?

Why is it still not enabled by default?

Re:How was that fixed?

[guruevi]

All a hypervisor is is a program telling the processor it's a hypervisor and then it can do whatever (given off course the OS has given it such privileges to the CPU). The EFI can simply say to the CPU "hey, I'm a hypervisor, block all access to the/this memory from any attached devices" until a 'fuller' OS comes along and then it just hands whatever credentials over.

VT-d is an extension to the x86 CPU instruction set specifically for these kinds of purposes since these days everything is virtualized and things like GPU's can pretty much run any random program, a virtualized guest using a hardware GPU could program the GPU to copy any memory the GPU has access to (which for historical reasons and DMA, is pretty much anything). VT-d simply locks the CPU to only give a device access to whatever memory a hypervisor allows it access to.

AMD has a similar/compatible instruction set.

looks like completely different attacks

[beckett]

The device is similar to what Samy Kamker created with Poison Tap.

how is this device similar to Poison Tap? Poison Tap used USB to mimic a network device and conduct a MITM attack harvesting cookies etc. from the outgoing network traffic on a powered computer with a web browser. Frisk's exploit uses a thunderbolt connection to dump a booting mac's memory before OSX is started.

Re:looks like completely different attacks

[edtice1559]

They both involve plugging something into the computer. This is the new /. Your administrative assistant probably knows more about the exploit than the current overlords.

Wont' actually work will it?

[goombah99]

So when my computer boots I type in my passowrd then someone sneaks up and inserts this device while I'm standing there?

Re:Wont' actually work will it?

[gravewax]

or when you put it to sleep instead of shutdown and left it unattended for 30 seconds getting a coffee or taking a bathroom break. all they need is about 30 seconds of you being away from your machine and it not being completely shutdown.

lucky windows user here

luckily I use Windows and am not vulnerable to this attack

$330

You'll also need the $30 dongle from Apple to plug the device into the computer. This will also make the theft more conspicuous.

Re:$330

Oh God.... I'm so glad I'm not a Mac user. I would have been broke by now.

I've heard that with a skilled operator

[Chrisq]

I've heard that with a skilled operator a $3 device" can be almost 100% effective.

Disable unused ports...?

[geekmux]

Since the hardware side of this hack requires a Thunderbolt port, don't suppose there's a chance of just disabling that port altogether, is there?

Just curious if the obvious answer is obvious, since many of us have found a use for Apple hardware, but have found little use for expensive proprietary bullshit.

Re:Disable unused ports...?

[amalcolm]

Fill them with epoxy

Re:Disable unused ports...?

[geekmux]

Fill them with epoxy

Apple is already working on that by designing hardware completely devoid of any external connections in order to sell iVulcan, the data melding tech that will only cost you $599 more (dongles not included)

Not suprised

Apple and security is a joke. Their first priority is to make stuff work together in a Apple world.

Frisk created a hacking device?!

[Gornkleschnitzer]

That must have taken a lot of determination.

Disclosure process

[TehHustler]

Bit confused about the disclosure timeline on this one - issue found, then presented at a conference to the public with videos recorded etc, THEN apple notified and they say "don't tell anyone yet!!!!" - but everyone had already been told at DEF CON. How does that work?

sensationalist headline

Headline: "A $300 Device Can Steal Mac FileVault2 Passwords"
Text: "Apple fixed the attack in macOS 10.12.2."

Corrected Headline: "A $300 Device Can *NO LONGER* Steal Mac FileVault2 Passwords"

Okay,

[garote]

Better hurry this along you guys, I'm almost out of popcorn...

Re:Okay,

[BronsCon]

I don't think there's anything left to hurry along; I've already run out of popcorn.