macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives

Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to macOS security experts Wojciech Regula and Patrick Wardle. From a report: The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the content stored on encrypted containers. On macOS, these thumbnails are created by Finder and QuickLook. Finder is the default macOS file explorer app, similar to Windows Explorer. Whenever a user navigates to a new folder, Finder automatically loads icons for the files located in those folders. For images, these icons are gradually replaced by thumbnails that show a preview of the image at a small scale.

Re:Duh!

[fluffernutter]

That's an awfully obscure point to know for an OS that is supposed to both be secure and 'just work'. Put those two together, and security should just work, not require you to understand this distinction. Your comment amounts to, "you're encrypting it wrong".

Re:Wait. What?

[Pieroxy]

> these cached thumbnails are stored on non-
> encrypted hard drives, ... content stored on
> encrypted containers.

This does not make sense. If the hard drives are encrypted by FileVault; the storage location for these thumbnails would be encrypted too. Where else is this cache supposed to live? I'm pretty sure that Apple does not add an extra, secret, non-encrypted drive to everyone's Macs so as to cache these silly little images. And as if the summary weren't bad enough, it gets worse when you read the article. QuickLook isn't new, as they claim. It was introduced as part of Leopard, more than a decade ago. And a quick check on my CLI shows that TEMPDIR is very much part of my encrypted root volume. I'm thinking these people are not the "macOS security experts" they claim to be; and msmash failed as an editor in not properly vetting the article he chose to post.

I guess the issue is when you have your laptop drive not encrypted and you connect an encrypted USB-stick on it. It then creates thumbnails of what's on your USB stick and store them on your unencrypted system drive.

No need to be an expert. Common sense is enough.

Re:Duh!

[fluffernutter]

Doesn't matter, it shouldn't be on option to be left open. It might be ok if it explained that "Apple reserves the right to copy any data from another device to your system drive so do not assume all data is encrypted unless your system drive is encrypted". But I doubt it says that, because that alone would be confusing to people, so they should just not automatically copy data off an encrypted drive, period.

Re:Duh!

[I'm+New+Around+Here]

and then when it crashes and you can't slave it into another system to get data from it, you're hosed.

Re:Wait. What?

[guruevi]

But that is true for anything. If you plug in an encrypted drive in an insecure system and decrypt it, the encryption doesn't matter. Your memory could be swapped to disk at any point in time regardless of your OS. Hence the need for FDE.

Re:Here's a pwned 133t h4x0r link to the OS X kern

[jeremyp]

Which has nothing to do with this. The thumbnails are not created by the kernel but by the Finder, which is not open source.

Thought APFS could fix this...

[ctilsie242]

One of APFS's features is allowing for multiple keys per volume. What Apple should have done is store the cache data, but keyed to both the encrypted volume being used, as well as the system volume. This way, if there is no system volume encryption, things are protected still. If there is, it would require two keys to get to the caching info.

Hopefully this can be fixed. Apple comes up with some great stuff, but then misses the mark with other places.