This $300 Device Lets You Steal A Mac Encryption Password in 30 Seconds
If you’re worried about someone messing with your Mac when it’s unattended, patch!
A picture of Ulf Frisk's PCILeech device connected to a MacBook Air. (Image: Ulf Frisk)
If you're paranoid, and you know what hackers can do when they can get their hands on your computer even for just a few moments, you probably already know that you shouldn't leave your laptop unattended.
Now, if you're an Apple user, you have another great reason not to do that.
Using a contraption that costs around $300 and some open source software, a hacker could steal your MacBook password from your own laptop while it's sleeping or locked in just 30 seconds. This would allow them to unlock the computer and even decrypt the files on your hard drive. In other words, game over.
Ulf Frisk, a Swedish hacker and penetration tester, devised this technique to highlight a flaw in the way MacOS protects the password that's used to decrypt the hard drive with FileVault, Apple's full-disk encryption software.
"It's more or less plug and play."
As it turns out, Macs stores the password in memory in cleartext. And they don't scrub it from memory when the computer is in sleep mode or locked. And even when the computer gets rebooted "there is a time window of a few seconds before the memory containing the password is overwritten with new content," according to Frisk, who explained how his technique works in a blog post on Thursday.
The other problem, Frisk explained, is that the Mac EFI, the computer's core firmware (similar to a PC's BIOS), allowed devices plugged in over Thunderbolt to access memory, without enabling Direct Memory Access (DMA) protections.
As Frisk shows in the video embedded above, all a malicious hacker would need to do is plug in a card connected to an adapter and flashed with Frisk's open source PCILeech software tool into the Mac's Thunderbolt port. Then, run the PCILeech on a laptop connected to the contraption, reboot the Mac, and read the Mac password on the other laptop.
"It's more or less plug and play. It's really as easy as shown on the video," Frisk told Motherboard in a Twitter chat. "I imagine unpatched Macs will be super interesting for law enforcement and various spy agencies."
The good news is that on Tuesday Apple released a patch for MacOS that makes this attack impossible, according to Frisk.
Apple did not immediately respond to a request for comment but Xeno Kovah, a security researcher who works at Apple, tweeted that MacOS 10.12.2 fixed this issue. Kovah also suggested setting a firmware password to make your laptop or computer even more secure against physical attacks.
"To patch it is the only way to mitigate this really, but other attacks, (evil maid scenario) are also possible unless you set the firmware password," Frisk said. "If you both patch and set the firmware password you should be really secure."
Get six of our favorite Motherboard stories every day by signing up for our newsletter.