December 19, 2016 by

Hacker Exploits MacOS FileVault2 Password in 30 Seconds

Ulf Frisk, a Swedish hacker and penetration tester, has revealed a new exploit that lets any attacker recover a macOS FileVault2 password, even if the Mac is asleep or locked at the time.

The technique exploits two design flaws Frisk discovered last July in Apple’s file encryption software. First, the Mac does not protect itself against Direct Memory Access (DMA) attacks before macOS has started. That’s because the Mac EFI, or Extensible Firmware Interface (Mac’s version of a PC BIOS or UEFI), allows Thunderbolt devices to read and write the computer’s memory before the OS is loaded. This feature in and of itself has now been revealed as a vulnerability.

The second flaw is the way the FileVault2 password is stored. FileVault keeps the password in memory in clear text, even if the computer is locked or in sleep mode. Upon reboot, the password is present in multiple memory locations within a fixed memory range, which allows an external device to read it. The DMA protections enabled by macOS are dropped upon a reboot, while the contents of memory, including the password, remain where they are. There is a time window lasting a few seconds before the memory containing the password is overwritten with new content, and that window leaves the Mac open to the exploit.

In this case, a $300 device called PCILeech does the job, carrying out a DMA attack to extract FileVault2 passwords from a device’s memory in clear text.

In no uncertain terms, Frisk writes:

Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable.

Frisk notified Apple of the exploit on August 15th and the hardware maker confirmed the issue the following day, while asking the hacker to refrain from disclosing the exploit. On December 13, Apple released macOS 10.2.2 with a security update to patch the exploit.
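The second flaw described above, modeled as an added example (not code from Frisk, PCILeech or Apple): a constructed 4 KB array stands in for the fixed memory range, and the function names and offsets are hypothetical. It shows that every cleartext copy of a secret stays readable until it is explicitly zeroized, which is why secrets should be wiped as soon as they are no longer needed.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the fixed memory range that survives a reboot. */
#define RANGE_SIZE 4096
static unsigned char ram[RANGE_SIZE];

/* Hypothetical offsets: the password lands in multiple locations. */
static const size_t COPY_OFFSETS[] = { 0x040, 0x300, 0xA80 };
#define N_COPIES (sizeof COPY_OFFSETS / sizeof COPY_OFFSETS[0])

/* Pre-boot input path (assumed): leaves several cleartext copies behind. */
void store_password(const char *pw) {
    size_t len = strlen(pw);
    for (size_t i = 0; i < N_COPIES; i++)
        memcpy(ram + COPY_OFFSETS[i], pw, len);
}

/* Wipe through a volatile pointer so the compiler cannot discard the
 * stores as dead writes, which it may do with a plain memset. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Hardened path: zeroize every copy once the password has been used. */
void wipe_password_copies(size_t pw_len) {
    for (size_t i = 0; i < N_COPIES; i++)
        secure_wipe(ram + COPY_OFFSETS[i], pw_len);
}

/* Audit helper: count cleartext occurrences of a known test password
 * that are still present in the range. */
size_t count_cleartext(const char *pw) {
    size_t len = strlen(pw), hits = 0;
    if (len == 0 || len > RANGE_SIZE) return 0;
    for (size_t i = 0; i + len <= RANGE_SIZE; i++)
        if (memcmp(ram + i, pw, len) == 0) hits++;
    return hits;
}

int main(void) {
    const char *pw = "constructed-test-pw";  /* constructed sample value */
    store_password(pw);
    size_t before = count_cleartext(pw);     /* copies left in memory */
    wipe_password_copies(strlen(pw));
    size_t after = count_cleartext(pw);      /* copies after zeroization */
    return (before == 3 && after == 0) ? 0 : 1;
}
```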


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
