Swedish hacker and penetration tester Ulf Frisk has developed a new device that can steal the password from virtually any Mac laptop while it is sleeping or even locked in just 30 seconds, allowing hackers to unlock any Mac computer and even decrypt the files on its hard drive.
Here’s How an Attacker Can Steal Your Mac FileVault2 Password
The researcher devised this technique by exploiting two design flaws he discovered last July in Apple’s FileVault2 full-disk encryption software.
The first issue is that the Mac system does not protect itself against Direct Memory Access (DMA) attacks before macOS is started.
This is because the Mac EFI, or Extensible Firmware Interface (similar to a PC’s BIOS), lets devices plugged in over Thunderbolt access memory without enabling DMA protections, which allows Thunderbolt devices to read and write memory.
Secondly, the password to the FileVault encrypted disk is stored in clear text in memory, even when the computer is in sleep mode or locked. When the computer reboots, the password is put in multiple memory locations within a fixed memory range, making it readable by hacking devices.
Dubbed PCILeech and costing approximately $300, the hacking device exploits these two vulnerabilities to carry out DMA attacks and extract Mac FileVault2 passwords from a device’s memory in clear text before macOS boots and anti-DMA protections come into effect.
Video Demonstration of the Attack
Frisk also provided a video demonstration, which shows how he plugged a card flashed with his open source PCILeech software tool into the Mac’s Thunderbolt port, ran the hacking tool on the target Mac or MacBook, rebooted the system, and read the Mac password on the other laptop.
Yes, the attack only works if an attacker has physical access to a target Mac or MacBook, but it takes just 30 seconds to carry out successfully.
“Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the Mac is completely shut down,” Frisk explained in a blog post on Thursday.
“If the Mac is sleeping it is still vulnerable. Just stroll up to a locked Mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!”
Frisk reported his findings to Apple in August and the company fixed the issues in macOS 10.12.2 released on 13 December.
So Apple desktop users need to update their devices to the latest version of the operating system to be safe.
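A check an administrator could run against the fix described above, as an added example that is not from Frisk or Apple: it flags hosts running a macOS release older than 10.12.2. The inventory format, host names and function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag Macs on a macOS release older than 10.12.2,
# the release the article says contains Apple's fix.
FIXED_VERSION="10.12.2"

# Constructed sample inventory ("hostname version"); not real hosts.
SAMPLE_INVENTORY='# constructed sample data
mbp-design-01 10.12.1
mbp-dev-02 10.12.2
imac-lab-03 10.9.5
mbp-ops-04 10.13
mini-ci-05 unknown'

# version_ge A B: exit 0 if A >= B, 1 if A < B, 2 if a field is not numeric.
# Fields are compared as integers; a plain string compare would rank
# 10.9.5 above 10.12.2 and miss that host.
version_ge() {
    a=$1 b=$2
    [ -n "$a" ] || return 2
    for n in 1 2 3; do
        x=${a%%.*} y=${b%%.*}
        case "${x:-0}${y:-0}" in *[!0-9]*) return 2 ;; esac
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        # Drop the field just compared; no dot left means no fields left.
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# audit_inventory: read "hostname version" lines on stdin and print every
# host that is below the fixed release or whose version cannot be parsed.
audit_inventory() {
    while read -r host ver extra || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac
        version_ge "$ver" "$FIXED_VERSION" || echo "$host $ver"
    done
}

# On a Mac, also check the local machine with the stock sw_vers tool.
if command -v sw_vers >/dev/null 2>&1; then
    local_ver=$(sw_vers -productVersion)
    if version_ge "$local_ver" "$FIXED_VERSION"; then
        echo "macOS $local_ver includes the fix"
    else
        echo "macOS $local_ver: update to $FIXED_VERSION or later"
    fi
fi
```

Feed it a real inventory with `audit_inventory < hosts.txt`; hosts with an unparseable version are listed rather than silently passed.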