Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

MacBooks Leak Disk Encryption Password

Apple recently addressed a vulnerability in its macOS operating system that can be exploited by an attacker to obtain a MacBook’s FileVault password using a $300 device.

Apple recently addressed a vulnerability in its macOS operating system that can be exploited by an attacker to obtain a MacBook’s FileVault password using a $300 device.

The issue was discovered by Sweden-based researcher Ulf Frisk at the end of July. Apple was notified about the flaw in mid-August and patched it earlier this month with the release of macOS 10.12.2.

FileVault 2 is a full-disk encryption program that uses XTS-AES-128 encryption with a 256-bit key to prevent unauthorized access to the information on the startup disk. Frisk has demonstrated that an attacker with physical access to a locked or sleeping MacBook can retrieve the FileVault 2 password in clear text by connecting a special device to the targeted system’s Thunderbolt port.

According to the expert, these attacks are possible due to two vulnerabilities. One of them is related to the fact that while direct memory access (DMA) attack protections are enabled by default once macOS has started, these protections are not active before the operating system has booted. This allows an attacker to read and write memory from a MacBook by connecting a Thunderbolt device.

Since the FileVault 2 password is stored in clear text in memory at predictable locations, software running on the Thunderbolt device can retrieve the password from memory before it is overwritten. The attacker must gain access to a locked or sleeping MacBook, connect the Thunderbolt device and reboot the computer. The attack does not work if the targeted MacBook has been shut down as the password is no longer available in memory.

 

The device that can be used to carry out such an attack has been dubbed PCILeech, and its source code and hardware requirements have been made available by Frisk. The expert said he tested the attack on multiple MacBook and MacBook Air computers with Thunderbolt 2 ports. The attack has not been verified on devices with USB-C.

Advertisement. Scroll to continue reading.

“The solution Apple decided upon and rolled out is a complete one. At least to the extent that I have been able to confirm. It is no longer possible to access memory prior to macOS boot. The mac is now one of the most secure platforms with regards to this specific attack vector,” Frisk said in a blog post.

The expert has been analyzing the impact of DMA attacks on Linux, Windows and OS X kernels. He detailed his findings earlier this year at the DEF CON conference, including the PCILeech device, but the FileVault issues were not mentioned in his presentation.

Related: “PoisonTap” Device Can Hack Password-Protected Computers

Related: Apple Confirms Weakened Security in Local iOS 10 Backups

Related: Attackers Can Hack Apple Devices Using Image Files

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.