Menu
Apple's macOS file encryption easily bypassed without the latest fixes

Apple's macOS file encryption easily bypassed without the latest fixes

Custom-made Thunderbolt devices can be used to extract the encryption password from locked Macs

Without the macOS update released this week, Apple's disk encryption can be easily defeated by connecting a specially crafted device to a locked Macbook.

The attack is possible because devices connected over Thunderbolt can access the computer's RAM directly before the OS is started through the direct memory access (DMA) feature. The DMA mechanism is typically used by disk drive controllers, graphics cards, network cards, and sound cards because accessing the memory through the CPU would otherwise keep the processor busy and unavailable for other tasks.

Apple's macOS has DMA protections, but they only kick in when the OS is running. However, the EFI (Extensible Firmware Interface) -- the modern BIOS -- initializes Thunderbolt devices at an early stage in the boot process and this enables them to use DMA before the OS is started, security researcher Ulf Frisk said in a blog post.

The second problem is that the password for Apple's FileVault 2 disk encryption is stored in memory in plain text if the disk has been unlocked once. This means that when a Mac has its screen locked or returns from a sleep state, the password will still be in memory.

Furthermore, the password doesn't get scrubbed from memory on reboot and is only shifted around to a different location within a fixed memory range, according to Frisk. The only time the password is removed from memory is when the Mac is shut down because that's when RAM contents are completely cleared.

The researcher created a hardware device running his custom software that he dubbed PCILeech. The device is capable of extracting FileVault passwords via DMA.

"This makes it easy to just plug in the DMA attack hardware and reboot the Mac," Frisk said. "Once the Mac is rebooted the DMA protections that macOS previously enabled are dropped. The memory contents, including the password, is still there, though. There is a time window of a few seconds before the memory containing the password is overwritten with new content."

Frisk presented DMA-based attacks against the Linux, Windows, and OS X kernel at the DEF CON security conference in August, but he discovered the implications for Apple's disk encryption after his presentation. He kept his findings secret until now at Apple's request.

The researcher confirmed that the macOS Sierra 10.12.2 update released this week fixes the security issue, at least on his MacBook Air.

"The solution Apple decided upon and rolled out is a complete one," Frisk said. "At least to the extent that I have been able to confirm. It is no longer possible to access memory prior to macOS boot. The mac is now one of the most secure platforms with regards to this specific attack vector."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments