Apple Fixes MacBook Data Leak

Wednesday, December 21, 2016 @ 11:12 AM gHale

Apple fixed an issue where a simple, inexpensive device could leverage a vulnerability in macOS to obtain a MacBook FileVault password, a researcher said.

FileVault 2 is a full-disk encryption program that uses XTS-AES-128 encryption with a 256-bit key to prevent unauthorized access to the information on the startup disk.


An attacker with physical access to a locked or sleeping MacBook can retrieve the FileVault 2 password in clear text by connecting a special device to the targeted system’s Thunderbolt port, said Sweden-based researcher Ulf Frisk.

These attacks are possible because of two vulnerabilities.

The first is that direct memory access (DMA) attack protections are enabled by default once macOS has started, but they are not active before the operating system has booted. This allows an attacker to read and write a MacBook's memory by connecting a Thunderbolt device during the boot process.

The second is that the FileVault 2 password is stored in clear text in memory at predictable locations, so software running on the Thunderbolt device can retrieve the password from memory before it is overwritten. The attacker must gain access to a locked or sleeping MacBook, connect the Thunderbolt device and reboot the computer. The attack does not work if the targeted MacBook has been shut down, as the password is then no longer present in memory.

“Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds,” Frisk said.

The device that can carry out the attack is the PCILeech, and its source code and hardware requirements have been made available by Frisk.

Frisk tested the attack on multiple MacBook and MacBook Air computers with Thunderbolt 2 ports. The attack has not been verified on devices with USB-C.

“The solution Apple decided upon and rolled out is a complete one. At least to the extent that I have been able to confirm. It is no longer possible to access memory prior to macOS boot. The mac is now one of the most secure platforms with regards to this specific attack vector,” Frisk said in a blog post, which also has a video showing the attack method.
