macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives (bleepingcomputer.com)

Posted by msmash on Monday June 18, 2018 @02:40AM from the security-woes dept.

Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to macOS security experts Wojciech Regula and Patrick Wardle. From a report: The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the content stored on encrypted containers. On macOS, these thumbnails are created by Finder and QuickLook. Finder is the default macOS file explorer app, similar to Windows Explorer. Whenever a user navigates to a new folder, Finder automatically loads icons for the files located in those folders. For images, these icons are gradually replaced by thumbnails that show a preview of the image at a small scale.

24 of 140 comments (clear)

Min score:

Reason:

Sort:

Duh! by Anonymous Coward · 2018-06-18 02:48 · Score: 2, Informative

The problem is that these cached thumbnails are stored on non-encrypted hard drives
Unless, of course, your system drive is encrypted. Which is one of the first suggestions macOS will give you when you boot your mac for the first time. If you are worried about this kind of thins chances are your system drive will be encrypted and this chache stuff won't be a problem at all.
1. Re:Duh! by fluffernutter · 2018-06-18 03:07 · Score: 4, Insightful
  
  That's an awfully obscure point to know for an OS that is supposed to both be secure and 'just work'. Put those two together, and security should just work, not require you to understand this distinction. Your comment amounts to, "you're encrypting it wrong".
  
  --
  Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
2. Re:Duh! by fluffernutter · 2018-06-18 03:13 · Score: 4, Insightful
  
  Doesn't matter, it shouldn't be on option to be left open. It might be ok if it explained that "Apple reserves the right to copy any data from another device to your system drive so do not assume all data is encrypted unless your system drive is encrypted". But I doubt it says that, because that alone would be confusing to people, so they should just not automatically copy data off an encrypted drive, period.
  
  --
  Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
3. Re:Duh! by I'm+New+Around+Here · 2018-06-18 03:19 · Score: 5, Insightful
  
  and then when it crashes and you can't slave it into another system to get data from it, you're hosed.
  
  --
  If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
4. Re:Duh! by Anonymous Coward · 2018-06-18 04:02 · Score: 2, Insightful
  
  I live in a universe where the same people come to me each month for their email password. Let those people buy Macs with default encryption? They exist everywhere and you would have a PR nightmare. C'mon, this isn't a dreamworld we get to live in.
Re:Does Windows Explorer do it differently, or Lin by Kenja · 2018-06-18 02:52 · Score: 2

Well... Windows creates them on the drive itself. But I thought that was what MacOS was doing as well so I could be totally off on that.

--

"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Re:Does Windows Explorer do it differently, or Lin by Anonymous Coward · 2018-06-18 02:55 · Score: 2, Insightful

The difference is you can find out exactly what a Linux file manager does, while how MacOS works is a proprietary trade secret.
But RedHad sqandered that advantage with systemd and Gnome 3
Wait. What? by SvnLyrBrto · 2018-06-18 03:00 · Score: 3, Insightful

> these cached thumbnails are stored on non-
> encrypted hard drives, ... content stored on
> encrypted containers.
This does not make sense. If the hard drives are encrypted by FileVault; the storage location for these thumbnails would be encrypted too. Where else is this cache supposed to live? I'm pretty sure that Apple does not add an extra, secret, non-encrypted drive to everyone's Macs so as to cache these silly little images. And as if the summary weren't bad enough, it gets worse when you read the article. QuickLook isn't new, as they claim. It was introduced as part of Leopard, more than a decade ago. And a quick check on my CLI shows that TEMPDIR is very much part of my encrypted root volume. I'm thinking these people are not the "macOS security experts" they claim to be; and msmash failed as an editor in not properly vetting the article he chose to post.

--
Imagine all the people...
Re:so if I understand correctly... by AHuxley · 2018-06-18 03:02 · Score: 2

To make the GUI look nice and have the GUI be more responsive sooner the OS has a nice easy way to show the thumbnails on file the user looks over in their encrypted external drive.
More at the linked "Cache Me Outside" AC.
https://objective-see.com/blog...

--
Domestic spying is now "Benign Information Gathering"
Re:Surreptitious? by AHuxley · 2018-06-18 03:08 · Score: 2

The reason to use encryption is so that other people don't know what's in files. Keeping aspects of whats encrypted in the open on an OS gets around what file encryption should support.

Used by forensics experts for some time, would it not be a place for governments and government created malware to look too?
Encryption becomes a joke.

--
Domestic spying is now "Benign Information Gathering"
Re:Surreptitious? by fluffernutter · 2018-06-18 03:08 · Score: 2

This amounts to copying data from one device to another without the user knowing. This is just plain bad design and you are being an Apple apologist.

--
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Re:Wait. What? by Pieroxy · 2018-06-18 03:10 · Score: 5, Informative

> these cached thumbnails are stored on non-
> encrypted hard drives, ... content stored on
> encrypted containers.
This does not make sense. If the hard drives are encrypted by FileVault; the storage location for these thumbnails would be encrypted too. Where else is this cache supposed to live? I'm pretty sure that Apple does not add an extra, secret, non-encrypted drive to everyone's Macs so as to cache these silly little images. And as if the summary weren't bad enough, it gets worse when you read the article. QuickLook isn't new, as they claim. It was introduced as part of Leopard, more than a decade ago. And a quick check on my CLI shows that TEMPDIR is very much part of my encrypted root volume. I'm thinking these people are not the "macOS security experts" they claim to be; and msmash failed as an editor in not properly vetting the article he chose to post.
I guess the issue is when you have your laptop drive not encrypted and you connect an encrypted USB-stick on it. It then creates thumbnails of what's on your USB stick and store them on your unencrypted system drive.
No need to be an expert. Common sense is enough.

--
Write boring code, not shiny code!
Re:Does Windows Explorer do it differently, or Lin by fluffernutter · 2018-06-18 03:20 · Score: 3, Insightful

I'm pretty sure users have to wait a whole second for the thumbnails to be generated if the Thumbs.db file cannot be written to the media.

--
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Re:Does Windows Explorer do it differently, or Lin by EvilSS · 2018-06-18 03:20 · Score: 3, Informative

I can understand the security concern about thumbnail data especially encrypted data. But for other systems with the feature Including Windows and Some Linux file managers, Do they handle it differently?
On Windows it uses thumbs.db, a hidden system file located in each folder that has thumbnails cached (not all do if they don't contain documents or images that get preview thumbsnails). You can also turn thumbnail caching off in explorer settings or via group policy.

--
I browse on +1 so AC's need not respond, I won't see it.
Re:Does Windows Explorer do it differently, or Lin by Actually,+I+do+RTFA · 2018-06-18 03:27 · Score: 3, Informative

Windows creates the thumbnails in a subdirectory of the original, so it should also be encrypted (or maybe it doesn't anymore.) And I believe the index is per drive. At any rate, there is a checkbox for "turn off thumbnails" and "turn off indexing" on a drive.

--
Your ad here. Ask me how!
Re:Surreptitious? by fluffernutter · 2018-06-18 03:27 · Score: 3

So someone who doesn't know how their computer works and said 'no' to encrypting their system drive doesn't have a right to benefit from security if someone gives them an encrypted drive to use? Honestly, I know about computers and I wouldn't have thought of this. I know I don't have anything on my system drive that I need encrypted, but I do know how to make an encrypted flash drive and do use them occasionally. I never would have thought of this.

--
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Re:Wait. What? by guruevi · 2018-06-18 03:44 · Score: 5, Interesting

But that is true for anything. If you plug in an encrypted drive in an insecure system and decrypt it, the encryption doesn't matter. Your memory could be swapped to disk at any point in time regardless of your OS. Hence the need for FDE.

--
Custom electronics and digital signage for your business: www.evcircuits.com
Re:Here's a pwned 133t h4x0r link to the OS X kern by jeremyp · 2018-06-18 03:46 · Score: 4, Informative

Which has nothing to do with this. The thumbnails are not created by the kernel but by the Finder, which is not open source.

--
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
Re:Does Windows Explorer do it differently, or Lin by Anonymous Coward · 2018-06-18 04:12 · Score: 2, Insightful

~/.cache/thumbnails -> /dev/null
Thought APFS could fix this... by ctilsie242 · 2018-06-18 04:19 · Score: 4, Interesting

One of APFS's features is allowing for multiple keys per volume. What Apple should have done is store the cache data, but keyed to both the encrypted volume being used, as well as the system volume. This way, if there is no system volume encryption, things are protected still. If there is, it would require two keys to get to the caching info.
Hopefully this can be fixed. Apple comes up with some great stuff, but then misses the mark with other places.
Re:Does Windows Explorer do it differently, or Lin by gweihir · 2018-06-18 04:28 · Score: 2

Linux does not cache things on disk. The only risk is swap, which you just encrypt at boot with a new, random key every boot.
Applications may do something else though.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re: Does Windows Explorer do it differently, or Li by reanjr · 2018-06-18 05:01 · Score: 2

All modern filesystems (HPFS+, NTFS, ext4) support metadata. The issue isn't with the filesystems, it's with the tools and apps built on top. Most importantly, each FS has its own way of reading/writing metadata, so no cross platform tools can readily take advantage.
Re:Does Windows Explorer do it differently, or Lin by war4peace · 2018-06-18 06:11 · Score: 2

Chrome stubbornly takes webpage screenshots and uses them as thumbnails for the websites I visit, including but not limited to my private NAS (which can display file names) and my banking website (which can display very sensitive data).

--
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
Re: Does Windows Explorer do it differently, or Li by samwichse · 2018-06-18 07:21 · Score: 2

So do Konqueror, Dolphin, and Thunar.
To ~/.thumbnails