Hacker Exploits MacOS FileVault2 Password in 30 Seconds

macOS macbook

Ulf Frisk, a Swedish hacker and penetration tester has revealed a new exploit that any attacker can exploit a macOS FileVault2, even if the Mac computer is in sleep or locked at the time of the exploit.

The technique sees the exploits of two design flaws Frisk discovered last July in Apple’s file encryption software. First, the Mac system inherently does not protect itself against Direct Memory Access (DMA) attacks as a safeguard before macOS is initiated. That’s because the Mac EFI or Extensible Firmware Interface (Mac’s version of a PC BIOS or UEFI allows for Thunderbolt devices to read and write into the computer’s memory before the OS is loaded. This feature in and of itself has now been revealed as a vulnerability.

The second flaw is the way in which the password to the FileVault2 software is stored. While in memory, even if the computer is locked or in sleep mode, FileVault stores the password in clear text. The password is embedded in multiple locations of the memory upon reboot, within a fixed memory range. This process allows for the password to be read by an external device looking for an exploit. DMA protections enabled by macOS are dropped upon a reboot and the contents of the memory, including the password remain where they are. Here, there is a time window lasting a few seconds after which time the memory containing the password is overwritten, with new content. This time frame leaves the macOS ripe for exploit.

In this case, the $300 device called PCILeech does the job, by carrying out a DMA attack to extract FileVault2 passwords from a device’s memory, in clear text.

In no uncertain terms, Frisk writes:

Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable.

Frisk notified Apple of the exploit on August 15th and the hardware maker confirmed the issue the following day, while asking the hacker to refrain from disclosing the exploit. On December 13, Apple released macOS 10.2.2 with a security update to patch the exploit.

Image credit: Pexels.