Slashdot Mirror


A $300 Device Can Steal Mac FileVault2 Passwords (bleepingcomputer.com)

An anonymous reader writes: Swedish hardware hacker Ulf Frisk has created a device that can extract Mac FileVault2 (Apple's disk encryption utility) passwords from a device's memory before macOS boots and anti-DMA protections kick in. The extracted passwords are in cleartext, and they also double as the macOS logon passwords. The attack requires physical access, but it takes less than 30 seconds to carry out. A special device is needed, which runs custom software (available on GitHub), and uses hardware parts that cost around $300. Apple fixed the attack in macOS 10.12.2. The device is similar to what Samy Kamkar created with Poison Tap.

20 of 88 comments

  1. $300...Really??? by tomservo84 · · Score: 2

    So I can go and buy a device for which the way in has already been fixed? Sounds pretty awesome to me. I know not everyone will be updated immediately, but it seems like Mac folks usually do keep up with them.

    --
    Agile Spaceport - You will never find a more wretched hive of scrum and villainy. We must be cautious.
    1. Re:$300...Really??? by guruevi · · Score: 3, Informative

      The $300 device can also do the following:

      Retrieve memory from the target system at >150MB/s.
      Write data to the target system memory.
      4GB memory can be accessed in native DMA mode.
      ALL memory can be accessed if kernel module (KMD) is loaded.
      Execute kernel code on the target system.
      Spawn system shell [Windows].
      Spawn any executable [Windows].
      Load unsigned drivers [Windows].
      Pull files [Linux, FreeBSD, Windows, macOS].
      Push files [Linux, Windows, macOS].
      Patch / Unlock (remove password requirement) [Windows, macOS].

      None of the above works in the latest macOS and Linux; it works in pretty much any older Linux or Windows version, and the protection feature set for Windows is only available in Windows Enterprise.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  2. Re:Even worse by brantondaveperson · · Score: 4, Interesting

    No, this type of attack is very serious. Someone that leaves their laptop unattended for a short period of time can find their password stolen, without them realising anything other than that their laptop was mysteriously rebooted while they were on the loo.

  3. Re:Even worse by TechyImmigrant · · Score: 4, Insightful

    The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.

    Substitute 'thief' with 'police' and you can see why it might be a problem for some people.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  4. From the article by berj · · Score: 4, Informative

    December 13th: Apple released macOS 10.12.2 which contains the security update. At least for some hardware - like my MacBook Air.

    Conclusion
    The solution Apple decided upon and rolled out is a complete one. At least to the extent that I have been able to confirm. It is no longer possible to access memory prior to macOS boot. The mac is now one of the most secure platforms with regards to this specific attack vector.

    So, it seems that this door has been closed as of 10.12.2

    Remains to be seen if those machines that don't support 10.12 Sierra will get patches for their latest supported macOS version, of course.

    1. Re:From the article by Skuld-Chan · · Score: 3, Interesting

      Apple doesn't release security fixes for major bugs on previous OS's for the most part. As an exception and a lesson on how Apple deals with security issues - check out the history of the rootpipe exploit.

      And yes - they did eventually fix that on previous versions of the OS after security experts shamed them publicly - almost a year later. Rootpipe was one of the worst security vulnerabilities - privilege escalation - and you can see how seriously they took it.

    2. Re:From the article by ameline · · Score: 2

      I updated my 17 inch late 2011 macbook pro with 10.12.2, and it updated the firmware as part of that upgrade.

      So it looks likely that they plugged the hole.

      --
      Ian Ameline
  5. Re:Even worse by AHuxley · · Score: 3, Interesting

    Think of having an Apple device taken by the security services at an airport. The laptop is turned on behind a secure counter with an extra hidden device plugged in.
    The top of the laptop can be seen, the rest is partially hidden. The user hears a boot sequence twice but is not asked to log in.
    A power-on test with boot screen is all that is asked for.
    Your device's password, MAC and other details are now known to the security services on entry to a nation.
    The hotel is listed. Could the password be the same at work or home, back in the user's own nation?
    The cost of getting into an Apple device is now very low and can be done while powering up a laptop and keeping a user distracted for a short time by a second person.
    On return the user is sure they never had the laptop out of their sight and it was never accessed by office staff, hotel staff or any strangers. They keep on using the same laptop, OS and password.

    --
    Domestic spying is now "Benign Information Gathering"
  6. looks like completely different attacks by beckett · · Score: 2

    The device is similar to what Samy Kamkar created with Poison Tap.

    how is this device similar to Poison Tap? Poison Tap used USB to mimic a network device and conduct a MITM attack harvesting cookies etc. from the outgoing network traffic on a powered computer with a web browser. Frisk's exploit uses a thunderbolt connection to dump a booting mac's memory before OSX is started.

    1. Re:looks like completely different attacks by edtice1559 · · Score: 2

      They both involve plugging something into the computer. This is the new /. Your administrative assistant probably knows more about the exploit than the current overlords.

  7. Re:Even worse by Ol+Olsoc · · Score: 2

    Isn't that like saying 2 is greater than 2+1 ?

    For extremely large values of 2 it is.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  8. Re:Even worse by Ol+Olsoc · · Score: 5, Insightful

    Think of having an Apple device taken by the security services at an airport. The laptop is turned on behind a secure counter with an extra hidden device plugged in.

    Think of doing the system update.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  9. Re:How was that fixed? by guruevi · · Score: 3, Informative

    The 'hack' is prevented by enabling VT-d (basically virtualization of the PCIe devices), which prevents PCIe devices from having direct access to the hypervisor's memory.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
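Two defender-side checks for the mitigations this thread mentions (VT-d on Linux, and the macOS 10.12.2 fix), as an added example that is not from the thread or from the pcileech project. It assumes the Linux kernel logs the `DMAR: IOMMU enabled` / `DMAR: Intel(R) Virtualization Technology for Directed I/O` lines when VT-d is active, and that `sw_vers -productVersion` reports the macOS version; the dmesg lines below are constructed samples.

```shell
#!/bin/sh
# Added example (not the thread's or pcileech's own code): checks that the
# DMA-protection mitigations discussed above are actually in place.

# Return 0 when the supplied dmesg text shows the Intel IOMMU (VT-d) enabled.
# Assumption: these are the lines the Linux intel-iommu driver logs on init.
vtd_enabled_in_dmesg() {
    printf '%s\n' "$1" |
        grep -Eq 'DMAR: (IOMMU enabled|Intel\(R\) Virtualization Technology for Directed I/O)'
}

# Return 0 when a macOS version string is 10.12.2 or later, the release the
# summary says closed the pre-boot DMA window. Missing components count as 0.
macos_fixed() {
    IFS=. read -r maj min patch <<EOF
$1
EOF
    # encode major.minor.patch as one integer so it can be compared numerically
    v=$(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${patch:-0} ))
    [ "$v" -ge 10012002 ]
}

# Constructed sample dmesg output: one host with VT-d active, one without.
SAMPLE_DMESG_ON='[    0.012345] DMAR: IOMMU enabled
[    1.234567] DMAR: Intel(R) Virtualization Technology for Directed I/O'
SAMPLE_DMESG_OFF='[    0.012345] DMAR: Host address width 39
[    0.012345] DMAR: DRHD base: 0x000000fed90000 flags: 0x0'

# Live report for the machine the script runs on (Linux or macOS).
report() {
    if command -v dmesg >/dev/null 2>&1 && [ "$(uname -s)" = Linux ]; then
        if vtd_enabled_in_dmesg "$(dmesg 2>/dev/null)"; then
            echo "VT-d/IOMMU: enabled"
        else
            echo "VT-d/IOMMU: NOT enabled (PCIe devices may DMA freely)"
        fi
    fi
    if command -v sw_vers >/dev/null 2>&1; then
        ver=$(sw_vers -productVersion)
        if macos_fixed "$ver"; then
            echo "macOS $ver: at or above 10.12.2"
        else
            echo "macOS $ver: below 10.12.2, pre-boot DMA window still open"
        fi
    fi
}

report
```

On a Linux host you can cross-check the dmesg result against `/sys/kernel/iommu_groups`, which is populated only when an IOMMU is active.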
  10. Re:Cleartext by radicimo · · Score: 2

    The Def Con talk is quite informative regarding tools and methods ... OS X starts around 30:00 mark.

    https://www.youtube.com/watch?...

    He accesses memory of a running system kernel using a variation of the pcileech and then uses Volatility to examine the dump. I guess the key is that "the FileVault password is stored in clear text in memory and that it's not automatically scrubbed from memory once the disk is unlocked." No need to do anything prior to OS load, except set a boot flag, and he's leveraging an earlier device called Slotscreamer. Still impressive, especially pulling /etc/shadow and pushing it back onto an encrypted drive via DMA at the end of his talk.

    --
    100 REM PISS OFF CODE FASCISTS 200 GOTO 100
  11. Re:Even worse by gravewax · · Score: 2

    The 'hack' requires the device to be plugged in while the user types in the password. It's an advanced type of key logger but requires a huge chunk of hardware to be attached.

    NO it doesn't, and it isn't a key logger. The attack requires you to have simply left your machine either turned on or asleep; someone walks up to it, plugs this into the Thunderbolt port and then reboots. They now have the credentials and can remove the device and walk away, leaving you none the wiser except that your machine rebooted (not exactly an uncommon occurrence).

  12. Re:Even worse by Flytrap · · Score: 3, Informative

    The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.

    This is not true... as the article clearly states:

    Swedish hardware hacker Ulf Frisk has created a device that can extract Mac FileVault2 (Apple's disk encryption utility) passwords from a device's memory before macOS boots and anti-DMA protections kick in.

    Therefore simply leaving your laptop unattended is not going to automagically disable the built-in anti-DMA protections that kick in during the boot up process and enable a passerby with PCILeech to steal your password and access your encrypted disk.

    To gain access to your MacBook, the attacker needs to have the PCILeech plugged into a Thunderbolt 2 port when the computer is first switched on to perform a cold boot and you need to be running an unpatched pre-16C63a build of macOS and you need to login with your password at that very moment while it is plugged in. The prototype PCILeech is much bulkier than a spy camera and has to be plugged into the computer (and its own power source) while you are logging in in order to extract the password from memory... so it is highly unlikely that you are not going to notice this big external hard disk-like looking device plugged into your computer when you return from a bathroom break.

    However, immunity from the PCILeech hack is free and easy... just upgrade to macOS 10.12.2

    From the Article:

    "The solution Apple decided upon and rolled out is a complete one. At least to the extent that I have been able to confirm," Frisk said. "It is no longer possible to access memory prior to macOS boot. The Mac is now one of the most secure platforms with regards to this specific attack vector."

  13. Re:Even worse by Bongo · · Score: 2

    Exposing my own naïveté, I have to say I'm always flabbergasted when the real hacks are easier and quicker than the stuff they claim to do in TV shows.

  14. Re:Disable unused ports...? by geekmux · · Score: 2

    Fill them with epoxy

    Apple is already working on that by designing hardware completely devoid of any external connections in order to sell iVulcan, the data melding tech that will only cost you $599 more (dongles not included)

  15. Re:Even worse by twdorris · · Score: 2

    Why is this post marked informative? It's wrong; and it's wrong in a critical way as far as I can tell. The video shows the password extract being done immediately on reboot, NOT after the user types in his password. The password was entered later just to demonstrate that the correct password was extracted.

    So pretty much, yeah, the OP was actually correct in his concern. Walk away from the laptop, someone swoops in, reboots, grabs your password and the deed is done.

  16. Disclosure process by TehHustler · · Score: 2

    Bit confused about the disclosure timeline on this one - issue found, then presented at a conference to the public with videos recorded etc., THEN Apple notified and they say "don't tell anyone yet!!!!" - but everyone had already been told at DEF CON. How does that work?

    --

    TheHustler
    http://www.elmarko.org/ - Useless bilge
    http://www.asylum-games.co.uk/ - Co-Founder