December 19, 2016

Hacker Exploits MacOS FileVault2 Password in 30 Seconds

Ulf Frisk, a Swedish hacker and penetration tester, has revealed a new exploit that any attacker can use against macOS FileVault2, even if the Mac is asleep or locked at the time.

The technique exploits two design flaws Frisk discovered last July in Apple’s file encryption software. First, the Mac does not protect itself against Direct Memory Access (DMA) attacks before macOS has started. That’s because the Mac EFI, or Extensible Firmware Interface (Mac’s version of a PC BIOS or UEFI), allows Thunderbolt devices to read and write the computer’s memory before the OS is loaded. This feature in and of itself has now been revealed as a vulnerability.

The second flaw is the way the FileVault2 password is stored. FileVault keeps the password in memory in clear text, even if the computer is locked or in sleep mode. Upon reboot, the password sits in multiple memory locations within a fixed memory range, where an external device can read it. The DMA protections enabled by macOS are dropped upon a reboot, while the contents of memory, including the password, remain where they are. There is then a window of a few seconds before the memory containing the password is overwritten with new content, and during that window the Mac is open to exploitation.

In this case, a $300 device called PCILeech does the job, carrying out a DMA attack to extract FileVault2 passwords from a device’s memory in clear text.

In no uncertain terms, Frisk writes:

Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable.

Frisk notified Apple of the exploit on August 15th and the hardware maker confirmed the issue the following day, while asking the hacker to refrain from disclosing the exploit. On December 13, Apple released macOS 10.2.2 with a security update to patch the exploit.


About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
