A $300 Device Can Steal Mac FileVault2 Passwords (bleepingcomputer.com)
An anonymous reader writes: Swedish hardware hacker Ulf Frisk has created a device that can extract Mac FileVault2 (Apple's disk encryption utility) passwords from a device's memory before macOS boots and anti-DMA protections kick in. The extracted passwords are in cleartext, and they also double as the macOS logon passwords. The attack requires physical access, but it takes less than 30 seconds to carry out. A special device is needed, which runs custom software (available on GitHub), and uses hardware parts that cost around $300. Apple fixed the attack in macOS 10.12.2. The device is similar to what Samy Kamker created with Poison Tap.
So I can go and buy a device for which the way in has already been fixed? Sounds pretty awesome to me. I know not everyone will be updated immediately, but it seems like Mac folks usually do keep up with them.
Agile Spaceport - You will never find a more wretched hive of scrum and villainy. We must be cautious.
No, this type of attack is very serious. Someone that leaves their laptop unattended for a short period of time can find their password stolen, without them realising anything other than that their laptop was mysteriously rebooted while they were on the loo.
I find that when I extract passwords, I prefer to have them in cleartext than not in cleartext.
The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.
Substitute 'thief' with 'police' and you can see why it might be a problem for some people.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.
Not necessarily a bigger issue. Sometimes having your data exposed can be far more serious than having your hardware stolen.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
So, it seems that this door has been closed as of 10.12.2
Remains to be seen if those machines that don't support 10.12 Sierra will get patches for their latest supported macOS version, of course.
s/kamker/kamkar/
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
Think of having an Apple device taken by the security services at an airport. The laptop is turned on behind a secure counter with an extra hidden device plugged in.
The top of the laptop can be seen, the rest is partially hidden. The user hears a boot sequence twice but is not asked to log in.
A power on test with boot screen is all that is asked for.
Your device's password, MAC and other details are now known to the security services on entry to a nation.
The hotel is listed. Could the password be the same at work or home, back in the user's own nation?
The cost of getting into an Apple device is now very low and can be done while powering up a laptop and keeping a user distracted for a short time by a second person.
On return the user is sure they never had the laptop out of their sight and it was never accessed by office staff, hotel staff or any strangers. They keep on using the same laptop, OS and password.
Domestic spying is now "Benign Information Gathering"
How was that fixed?
I guess they cannot close Thunderbolt DMA access without rendering it unusable to boot. Hence I suspect they just randomized the location where the password is fetched in memory. And of course they probably made sure it is erased after use. Anyone have a clue?
How is this device similar to Poison Tap? Poison Tap used USB to mimic a network device and conduct a MITM attack harvesting cookies etc. from the outgoing network traffic on a powered computer with a web browser. Frisk's exploit uses a Thunderbolt connection to dump a booting Mac's memory before OS X is started.
Substitute 'thief' with 'police' and you can see why it might be a problem for some people.
"Suppose you were an idiot, and suppose you were a member of Congress; but I repeat myself." - Mark Twain
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Hardware gone - even the most unsophisticated Luser will suspect something's wrong here.
Silent hack - keep on trucking, I'm cool, my laptop is encrypted.
1 + 1 = 2
Faster! Faster! Faster would be better!
So armies of perps will be rolling around waiting for unattended laptops, so they can install this device and reboot? The likelihood of anyone outside of an active law enforcement investigation is pretty slim. In fact, I always liken these attacks that require actual physical access to the computer as mostly clickbait.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
AC, it's interesting.
The amount of crypto that the gov can just 'read' or OS that get gov/mil malware loggers installed by the "owner" totally bypassing any 3rd party security.
It's telling that security services globally are happy to see a computer boot up a few times rather than request a user log in.
The user walks away feeling that their existing long password is still ok.
Would the average user change their password?
Are people confident that all wireless systems became active well after log in on all consumer OS on all hardware?
No way wireless or infrared would offer the same result going back many years?
Is it a total impossibility that this could work with wireless given power on sequences within all generations of laptops?
Isn't that like saying 2 is greater than 2+1 ?
For extremely large values of 2 it is.
So when my computer boots I type in my password, then someone sneaks up and inserts this device while I'm standing there?
Some drink at the fountain of knowledge. Others just gargle.
Think of having an Apple device taken by the security services at an airport. The laptop is turned on behind a secure counter with an extra hidden device plugged in.
Think of doing the system update.
The likelihood of anyone outside of an active law enforcement investigation is pretty slim
Perhaps, perhaps not. What about those card-skimmer devices that people attach to ATMs? They require physical access, and are exploiting a security flaw in a sense, and - for a while at least - were quite widespread. It's also a big deal if a laptop is used to store actually sensitive data, and you thought you were safe because of disk encryption, or whatever, but it turned out that all the bad guys need to do is wait for you to leave your laptop unattended for five minutes.
The 'hack' requires the device to be plugged in while the user types in the password. It's an advanced type of key logger but requires a huge chunk of hardware to be attached.
NO it doesn't, and it isn't a key logger. The attack requires you to have simply left your machine either turned on or asleep; someone walks up to it, plugs this into the Thunderbolt port and then reboots. They now have the credentials and can remove the device and walk away, leaving you none the wiser except that your machine rebooted (not exactly an uncommon occurrence).
You'll also need the $30 dongle from Apple to plug the device into the computer. This will also make the theft more conspicuous.
I've heard that with a skilled operator a "$3 device" can be almost 100% effective.
The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.
This is not true... as the article clearly states:
Therefore simply leaving your laptop unattended is not going to automagically disable the built-in anti-DMA protections that kick in during the boot up process and enable a passerby with PCILeech to steal your password and access your encrypted disk.
To gain access to your MacBook, the attacker needs to have the PCILeech plugged into a Thunderbolt 2 port when the computer is first switched on to perform a cold boot, you need to be running an unpatched pre-16C63a build of macOS, and you need to log in with your password at that very moment while it is plugged in. The prototype PCILeech is much bulkier than a spy camera and has to be plugged into the computer (and its own power source) while you are logging in in order to extract the password from memory... so it is highly unlikely that you are not going to notice this big external-hard-disk-looking device plugged into your computer when you return from a bathroom break.
However, immunity from the PCILeech hack is free and easy... just upgrade to macOS 10.12.2
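An added example (my own code, not from the thread, Apple or PCILeech) that turns the "just upgrade to 10.12.2" advice into a check a fleet admin can run: it compares the installed macOS product version numerically against 10.12.2 (so "10.12.10" is not mistaken for older than "10.12.2") and flags pre-Sierra machines, which cannot take that update at all. It assumes `sw_vers -productVersion` is available, which it is on macOS.

```python
import subprocess

# Release the story says contains the fix for the pre-boot DMA password read.
FIX_VERSION = "10.12.2"


def parse_version(text):
    """Turn '10.12' or '10.12.2' into a comparable tuple like (10, 12, 0)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:          # pad so '10.12' compares as '10.12.0'
        nums.append(0)
    return tuple(nums)


def is_patched(product_version, fix=FIX_VERSION):
    """True when the installed version is at or past the fixed release."""
    return parse_version(product_version) >= parse_version(fix)


def classify(product_version):
    """Verdict string for one host's product version."""
    if is_patched(product_version):
        return "patched"
    major, minor, _ = parse_version(product_version)
    if (major, minor) < (10, 12):
        # Hardware stuck on El Capitan or earlier never sees 10.12.2.
        return "pre-Sierra: 10.12.2 does not apply; check for a vendor fix on this branch"
    return "unpatched"


def local_verdict():
    """Run sw_vers on this Mac and classify the result (macOS only)."""
    out = subprocess.run(["sw_vers", "-productVersion"],
                         capture_output=True, text=True, check=True).stdout
    return classify(out)


if __name__ == "__main__":
    print(local_verdict())
```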
From the Article:
Since the hardware side of this hack requires a Thunderbolt port, don't suppose there's a chance of just disabling that port altogether, is there?
Just curious if the obvious answer is obvious, since many of us have found a use for Apple hardware, but have found little use for expensive proprietary bullshit.
Exposing my own naïveté, I have to say I'm always flabbergasted when the real hacks are easier and quicker than the stuff they claim to do in TV shows.
To gain access to your MacBook, ... you need to login with your password at that very moment while it is plugged in.
First, the term "while" implies a continuous passage of time. You can't have something done "at that very moment" "while" something is taking place. That doesn't make any sense.
Second, that statement is totally false anyway (just watch the #@$!@ video) and since it's basically the basis of your entire post, I'd suggest deleting it and pretending it didn't get posted at all if that were actually an option. But it's not. So here we are attempting yet again to undo the damage of bad info getting posted on the internet by someone that didn't bother to actually understand what they were posting first.
The attack reads the user's clear text password from memory *before* the user types it in. In the video he clearly has the password provided to him well before he begins typing it into the login screen. And he even tries to prevent people like you from skimming and posting bad info by stating verbally that he's typing in the *extracted* password to demonstrate that it extracted the correct value.
Ugh. So much fail, so little time to clean up all these messes people leave behind.
That must have taken a lot of determination.
Why is this post marked informative? It's wrong; and it's wrong in a critical way as far as I can tell. The video shows the password extract being done immediately on reboot, NOT after the user types in his password. The password was entered later just to demonstrate that the correct password was extracted.
So pretty much, yeah, the OP was actually correct in his concern. Walk away from the laptop, someone swoops in, reboots, grabs your password and the deed is done.
Isn't that like saying 2 is greater than 2+1 ?
For extremely large values of 2 it is.
That's not mathematically possible. This only works for values of 1 that are less than zero.
Velociraptor = Distiraptor / Timeraptor
Bit confused about the disclosure timeline on this one - issue found, then presented at a conference to the public with videos recorded etc, THEN apple notified and they say "don't tell anyone yet!!!!" - but everyone had already been told at DEF CON. How does that work?
TheHustler
http://www.elmarko.org/ - Useless bilge
http://www.asylum-games.co.uk/ - Co-Founder
The term "while" has several meanings. One of them (noun) indicates the passage of time, e.g. "it's been a while" or "this is going to take a while"; another (conjunction) is synonymous with "whereas", while yet another (conjunction) is "at the same time as". There are three more definitions for that word, one noun, one adverb, and one verb; I'll leave it to you to locate a dictionary and learn them.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
The real concern here is that the password is stored in plaintext, or in such a way that it can be reversed to plaintext, in the first place. Sure, they've patched this particular means of accessing that plaintext, but you can still super-cool the RAM (on machines where the RAM is still removable) and transfer it to another machine for analysis, read the plaintext (or reversibly encrypted value) from wherever it is ultimately stored, and, I'm sure, a number of other exploits, some of which may be as covert as this exploit.
There have been successful exploits wherein RAM was read based on fluctuations in mains power measured from another room. Yes, the RAM had to be read several times by the host machine in order for the attacking machine to successfully discern the values, but that just means several reboots, rather than one.
A plaintext password still exists in case the reader fails (and there are many reasons that it would).
You need to work on your reading comprehension, because "at that very moment, ,b>at the same time as it is plugged in", while redundant, makes perfect sense.
HTML fail... "at that very moment, at the same time as it is plugged in"
In some respects yes, in others, not so much. Think about a corporate setting where, within the context of an office, people might leave their machines accessible on a regular basis. They go off to lunch and leave their laptop at their desk. Anybody can now go and grab their laptop, do a hard reboot and extract the passwords. Conveniently, a lot of people probably have FileVault passwords that are the same as their network passwords. Now you have another user's network password and can do a whole bunch of things on their behalf.
How on earth is it okay, in 2016, to store plaintext passwords for a file encryption tool?
The other potential exploit for this is to bake it into commercially available Thunderbolt 2 devices. Bribe a janitor to stick 100 crafted VGA dongles in meeting rooms of the company you want to infiltrate and have the device send passwords either over the network or via some wireless protocol.
The only way to reboot a locked macOS is to physically turn it off; this pretty much un-powers the memory and removes any trace of a password in there.
From what I understand, it can read the credentials in between the EFI unlocking the disk and the OS loading the VT-d protection, so either you have turned your machine to sleep in between those moments or you have a method of reloading the OS (soft reboot) without the memory in RAM decaying.
Custom electronics and digital signage for your business: www.evcircuits.com
Just how long does it take you to type in your password?
These aren't my definitions, nor are they loose; these are established dictionary definitions, my friend.
I see why you post anonymously.
Regardless, the MAIN issue is that the entire rest of the OPs post was wrong too because it was based on that false statement
I never claimed otherwise, I'm merely attempting to correct your understanding of the English language.
Isn't that like saying 2 is greater than 2+1 ?
For extremely large values of 2 it is.
That's not mathematically possible. This only works for values of 1 that are less than zero.
I started to read and thought "No one could take what I said seriously!" Then I continued, and thought "Well played sir, well played".
How on earth is it okay, in 2016, to store plaintext passwords for a file encryption tool?
Now that's a different question, and you are correct - it isn't okay. And it isn't actually okay to have it accessible before the thing finishes booting. My entire argument isn't that it is not a bad thing, just that it isn't a likely thing. And in any event, the issue has been repaired with an update, so only un-updated machines will be at risk. I kinda doubt many of those were encrypted anyhow. Fortunately, I've never had a reason to not update a Mac.
A plaintext password still exists in case the reader fails (and there are many reasons that it would).
Yup, I use fingerprint ID, and it pops up the password screen upon reboot.
Now waiting for someone to start on about how someone can cut off my fingers and access my phone with it.
Haha, well, I don't think you'll be disappointed... sadly.
So which moment is he referring to?
You started by attacking his (correct) usage of the word "while". Now, you're attacking his usage of the word "moment". Which is it? Yes, he used one of them incorrectly; I stepped in because you attacked the correct usage, rather than the incorrect one. I also pointed out (separate from the context of the sentence in which "moment" was used incorrectly) that, while redundant, a sentence using both "moment" and "while" can make sense. Note that I did not claim that it made sense in this specific instance, just that the fragment I quoted does, in fact, make sense.
Also, before you say your issue isn't with his use of the word "moment", you literally just wrote:
There's no reference to an ambiguous "moment in time" when something had to happen.
While, on the other hand, you started your argument with the following:
First, the term "while" implies a continuous passage of time.
You'll have to excuse me for thinking you took issue with the usage of the word "while", here.
And, for the record, yes, the way you stated it is clearer; but, then, I never said the original statement was clear. But, of course, it mustn't have been too exceedingly unclear either, as we both appear to be in agreement as to its intended meaning. Yup, clear enough for the average reader to understand.
You missed the part in the video and article where he uses a key combo, cmd-ctrl-power to make the machine reboot without having to be authenticated.
Oh really? Perhaps you should actually watch the video or read the article.
Better hurry this along you guys, I'm almost out of popcorn...