Slashdot Mirror


A $300 Device Can Steal Mac FileVault2 Passwords (bleepingcomputer.com)

An anonymous reader writes: Swedish hardware hacker Ulf Frisk has created a device that can extract Mac FileVault2 (Apple's disk encryption utility) passwords from a device's memory before macOS boots and anti-DMA protections kick in. The extracted passwords are in cleartext, and they also double as the macOS logon passwords. The attack requires physical access, but it takes less than 30 seconds to carry out. A special device is needed, which runs custom software (available on GitHub), and uses hardware parts that cost around $300. Apple fixed the attack in macOS 10.12.2. The device is similar to what Samy Kamkar created with PoisonTap.

9 of 88 comments

  1. Re:Even worse by brantondaveperson · Score: 4, Interesting

    No, this type of attack is very serious. Someone that leaves their laptop unattended for a short period of time can find their password stolen, without them realising anything other than that their laptop was mysteriously rebooted while they were on the loo.

  2. Re:$300...Really??? by guruevi · Score: 3, Informative

    The $300 device can also do the following:

    Retrieve memory from the target system at >150MB/s.
    Write data to the target system memory.
    4GB memory can be accessed in native DMA mode.
    ALL memory can be accessed if kernel module (KMD) is loaded.
    Execute kernel code on the target system.
    Spawn system shell [Windows].
    Spawn any executable [Windows].
    Load unsigned drivers [Windows].
    Pull files [Linux, FreeBSD, Windows, macOS].
    Push files [Linux, Windows, macOS].
    Patch / Unlock (remove password requirement) [Windows, macOS].

    None of the above works in the latest macOS and Linux; it works in pretty much any older Linux or Windows version. The protection feature set for Windows is only available in Windows Enterprise.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  3. Re:Even worse by TechyImmigrant · Score: 4, Insightful

    The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.

    Substitute 'thief' with 'police' and you can see why it might be a problem for some people.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  4. From the article by berj · Score: 4, Informative

    December 13th: Apple released macOS 10.12.2 which contains the security update. At least for some hardware - like my MacBook Air.

    Conclusion
    The solution Apple decided upon and rolled out is a complete one. At least to the extent that I have been able to confirm. It is no longer possible to access memory prior to macOS boot. The mac is now one of the most secure platforms with regards to this specific attack vector.

    So, it seems that this door has been closed as of 10.12.2.

    Remains to be seen if those machines that don't support 10.12 Sierra will get patches for their latest supported macOS version, of course.

    1. Re:From the article by Skuld-Chan · Score: 3, Interesting

      Apple doesn't release security fixes for major bugs on previous OSes for the most part. As an exception, and a lesson on how Apple deals with security issues, check out the history of the rootpipe exploit.

      And yes - they did eventually fix that on previous versions of the OS after security experts shamed them publicly - almost a year later. Rootpipe was one of the worst security vulnerabilities - privilege escalation - and you can see how seriously they took it.

  5. Re:Even worse by AHuxley · Score: 3, Interesting

    Think of having an Apple device taken by the security services at an airport. The laptop is turned on behind a secure counter with an extra hidden device plugged in.
    The top of the laptop can be seen, the rest is partially hidden. The user hears a boot sequence twice but is not asked to log in.
    A power-on test with boot screen is all that is asked for.
    Your device's password, MAC and other details are now known to the security services on entry to a nation.
    The hotel is listed. Could the password be the same at work or home, back in the user's own nation?
    The cost of getting into an Apple device is now very low and can be done while powering up a laptop and keeping a user distracted for a short time by a second person.
    On return the user is sure they never had the laptop out of their sight and it was never accessed by office staff, hotel staff or any strangers. They keep on using the same laptop, OS and password.

    --
    Domestic spying is now "Benign Information Gathering"
  6. Re:Even worse by Ol Olsoc · Score: 5, Insightful

    Think of having an Apple device taken by the security services at an airport. The laptop is turned on behind a secure counter with an extra hidden device plugged in.

    Think of doing the system update.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  7. Re:How was that fixed? by guruevi · Score: 3, Informative

    The 'hack' is prevented by enabling VT-d (basically virtualization of the PCIe devices), which prevents PCIe devices from having direct access to the hypervisor's memory.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
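The comment above describes the mitigation (an IOMMU such as VT-d translating device DMA) without saying how an administrator would confirm it is actually on. The script below is an added example, written for this page and not taken from the thread, from PCILeech, or from Apple: on Linux it classifies kernel log (dmesg) lines to tell whether an Intel VT-d or AMD-Vi IOMMU is remapping DMA, flags the common false positive where only interrupt remapping is on, and flags a passthrough default domain (devices identity-mapped, so the IOMMU is not protecting RAM). It also carries a numeric macOS version check against the 10.12.2 fix the thread refers to. The sample log lines are constructed for the example; their message texts follow the formats the Linux DMAR and AMD-Vi drivers print, but the timestamps and PCI address are made up, and the script file name `check_iommu.py` in the usage note is an assumption.

```python
import re
import sys
from typing import Dict, List, Optional

# Constructed sample kernel log lines (dmesg style). Message texts follow the
# Linux DMAR (Intel VT-d) and AMD-Vi driver formats; timestamps and the PCI
# address are invented for this example.
SAMPLE_VTD_ON = [
    "[    0.012345] DMAR: IOMMU enabled",
    "[    0.456789] DMAR-IR: Enabled IRQ remapping in x2apic mode",
    "[    1.234567] DMAR: Intel(R) Virtualization Technology for Directed I/O",
    "[    1.234600] iommu: Default domain type: Translated",
]
# Interrupt remapping only: looks like VT-d, but DMA is still untranslated.
SAMPLE_VTD_IRQ_ONLY = [
    "[    0.456789] DMAR-IR: Enabled IRQ remapping in x2apic mode",
]
# AMD IOMMU present but default domain is identity-mapped (iommu.passthrough).
SAMPLE_AMD_PASSTHROUGH = [
    "[    0.789012] AMD-Vi: Found IOMMU at 0000:00:00.2 cap 0x40",
    "[    0.789100] iommu: Default domain type: Passthrough",
]

_TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")


def iommu_status(lines: List[str]) -> Dict[str, object]:
    """Summarise IOMMU state from kernel log lines.

    dma_remapping - an IOMMU was found and enabled for DMA translation
    irq_remapping - interrupt remapping is on (does NOT by itself block DMA)
    passthrough   - default domain is identity-mapped, so devices see all RAM
    """
    status: Dict[str, object] = {
        "vendor": None, "dma_remapping": False,
        "irq_remapping": False, "passthrough": False,
    }
    for raw in lines:
        msg = _TIMESTAMP.sub("", raw).strip()
        if msg.startswith("DMAR: IOMMU enabled") or msg.startswith(
                "DMAR: Intel(R) Virtualization Technology for Directed I/O"):
            status["vendor"] = "intel"
            status["dma_remapping"] = True
        elif msg.startswith("DMAR-IR: Enabled IRQ remapping"):
            status["vendor"] = status["vendor"] or "intel"
            status["irq_remapping"] = True
        elif msg.startswith("AMD-Vi: Found IOMMU"):
            status["vendor"] = "amd"
            status["dma_remapping"] = True
        elif msg.startswith("iommu: Default domain type:"):
            status["passthrough"] = msg.endswith("Passthrough")
    return status


def dma_protected(status: Dict[str, object]) -> bool:
    """True only when device DMA is translated and not identity-mapped."""
    return bool(status["dma_remapping"]) and not bool(status["passthrough"])


def macos_patched(product_version: str, fixed_in: str = "10.12.2") -> bool:
    """Numeric (not string) comparison of `sw_vers -productVersion` output,
    so 10.12.10 correctly ranks above 10.12.2."""
    def as_tuple(v: str):
        return tuple(int(p) for p in v.strip().split("."))
    return as_tuple(product_version) >= as_tuple(fixed_in)


if __name__ == "__main__":
    # Pipe real output in with `dmesg | python3 check_iommu.py`; with no
    # input on stdin the constructed VT-d sample is used instead.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_VTD_ON
    st = iommu_status(lines)
    print(st)
    print("Device DMA is IOMMU-translated:", dma_protected(st))
```

The interrupt-remapping case is the one worth remembering when auditing a fleet: a `DMAR-IR` line alone means the firmware exposed a DMAR table and the kernel enabled IRQ remapping, but without `intel_iommu=on` (or a distribution default that enables it) device DMA is still untranslated, which is the condition the attack in the article relies on.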
  8. Re:Even worse by Flytrap · Score: 3, Informative

    The bigger issue is that anyone who leaves their laptop unattended for a short period of time can have their laptop stolen, and the thief can actually gain access to it.

    This is not true... as the article clearly states:

    Swedish hardware hacker Ulf Frisk has created a device that can extract Mac FileVault2 (Apple's disk encryption utility) passwords from a device's memory before macOS boots and anti-DMA protections kick in.

    Therefore simply leaving your laptop unattended is not going to automagically disable the built-in anti-DMA protections that kick in during the boot up process and enable a passerby with PCILeech to steal your password and access your encrypted disk.

    To gain access to your MacBook, the attacker needs to have the PCILeech plugged into a Thunderbolt 2 port when the computer is first switched on to perform a cold boot and you need to be running an unpatched pre-16C63a build of macOS and you need to login with your password at that very moment while it is plugged in. The prototype PCILeech is much bulkier than a spy camera and has to be plugged into the computer (and its own power source) while you are logging in in order to extract the password from memory... so it is highly unlikely that you are not going to notice this big external hard disk-like looking device plugged into your computer when you return from a bathroom break.

    However, immunity from the PCILeech hack is free and easy... just upgrade to macOS 10.12.2.

    From the Article:

    "The solution Apple decided upon and rolled out is a complete one. At least to the extent that I have been able to confirm," Frisk said. "It is no longer possible to access memory prior to macOS boot. The Mac is now one of the most secure platforms with regards to this specific attack vector."