Mac FileVault 2's full disk encryption can be bypassed in less than 40 minutes

Filed Under: Apple, Privacy

FileVault 2California-based forensics software vendor Passware has released the latest version of its toolkit, which the company claims can bypass Apple's FileVault 2 disk encryption "in minutes," as well as volumes encrypted with TrueCrypt.

The software is reportedly able to capture the contents of a computer's memory via FireWire (also known as IEEE 1394 or i.LINK), analyze the memory dump, and extract the encryption keys. Passware claims that the software can recover passwords from decrypted Mac OS X keychain files as well.

Previous and current versions of Passware's software are also able to bypass Microsoft's BitLocker encryption which is built into some editions of Windows.

Although Passware seems to mainly market its software to government and law enforcement agencies and military organizations, anyone with US $795 can purchase an edition of Passware Kit that includes these features. Interestingly, Passware also lists Apple, Microsoft, Intel, and several other major tech companies among its customers.

For those who might find all this concerning, it is important to note a few important caveats.

First, Passware's software requires physical access to a computer with a working FireWire port; a remote internet attacker cannot use it to break into your Mac or PC.

AppleInsider reports that turning off your computer rather than putting it to sleep - and of course ensuring that automatic login is disabled - will prevent passwords from being stored in RAM and thus prevent them from being recoverable.

Passware's site and press release do not mention Sophos SafeGuard full-disk encryption, but it would be wrong to infer that Sophos's solution and many others out there are immune to FireWire DMA attacks

The concept and practice of exploiting machines locally via a FireWire port has been around for several years.

In 2008, Sophos reported about Winlockpwn, a utility that can unlock a live Windows system via FireWire. Security experts have postulated that similar exploits might be possible via Thunderbolt ports, which have become a standard feature on recent Macs and will become available on PCs later this year.

Updated: This article was updated to clarify that many full disk encryption products could be vulnerable to Firewire DMA attacks.

, , , , ,

You might like

19 Responses to Mac FileVault 2's full disk encryption can be bypassed in less than 40 minutes

  1. Machin Shin · 932 days ago

    This at first glance seems to be very bad news until you start adding up how many conditions have to be just right. To use this software they have to grab your computer from you while it is turned on and logged in. Then they have to have access to a firewire port.

    For most people with a PC that is not a concern because so few PCs have firewire. Then you realize all you need to thwart this is to keep your computer turned off when not in use. The idea of getting the keys out of memory has actually been around for some time now.

    I remember watching a podcast about a year ago that was talking about doing a memory dump to USB drives. They had found you can reboot a computer and start it from the flash drive with a special program to dump the memory to the drive. The idea was you would get the encryption keys.

    They also found that you can shut a computer down and by chilling the memory you have a few seconds and can actually move it to a specially built rig to dump the memory.

    All these things are things guys were doing in their spare time with junk parts they had in their room. No $800 worth of sorry software needed.

    • Nico · 932 days ago

      pretty easy to get and buy a USB2/3 -> firewire port. So just having access to a sleeping or online computer/mac should be enough...
      Usually firewire gets installed automatically by the OS, so there's no need to manually install drivers or anything like that..
      Concerning the $ 800 software... there's loads of software that sells for $ 5 or less that i would never want to install on my PC either...
      But yeah... if you got a colluege that left the company, but did leave its computer on (but encrypted it) i can definitely imagine companies gladly paying the $800 to be able to access the system. On consumer level: of course no one would buy this.
      I do think that this is a bad thing (and again i'm glad i dont have/use a mac) that a file encryption (which is made to be secure and shouldn't give others' access to it) can be taken down in less than an hour. In that case it's always worth a shot... wouldnt cost too much precious time.

      • Machin Shin · 931 days ago

        My point was more that this exact thing has been around a long time. There is free software out there that does this. The company acts like this is new high tech stuff. It is something hackers have been doing for over a year now.

        The only advance I have seen with this is that you leave the computer running. The previous tools required you to pull the power suddenly and act fast. One version you booted from USB and it would dump memory to the USB drive. That meant you lost a little of the memory.

        The way you could get all of the memory involved using canned air to freeze the memory when you yank the power. You then move the memory to a specially built computer that dumps the memory to a drive. By cooling the ram quickly it will hold the memory for a short time without power.

      • Shane · 929 days ago

        "pretty easy to get and buy a USB2/3 -> firewire port"

        This could not achieve the same result, because the requirement is for the firewire controller to be directly connected to the systems main memory bus and be DMA bus master capable.

        In your proposed scenario with a a USB controller between the firewire controller and system memory, the firewire controller would not be able to read system memory independently of the OS, simply because it is not directly attached to the system memory bus.

  2. Michael · 932 days ago

    The encryption itself wasn't exactly broken. It's the usual problem of managing the cryptographic keys and trying to implement the system properly. I can't believe Apple overlooked something as obvious as pulling the keys from system memory through FireWire.

    • Shane · 929 days ago

      "I can't believe Apple overlooked something as obvious as pulling the keys from system memory through FireWire."

      If Firewire hardware is enabled, then it is not possible to prevent reading from or writing to system memory, even at Ring 0.

      Firewire devices can read and write system memory without OS intervention and cannot be stopped.

      The only real solution, is to disable Firewire from being enabled in the first place.
      http://en.wikipedia.org/wiki/Computer_security_co...

  3. I am less sanguine about this than Machin Shin.

    The majority of people suspend their machines a good part of the time when not in use. When suspended the disk is effectively unencrypted (or rather the machine has the decryption set in memory to allow access). Even if you have logged out (suspended or not) the disk is still available to the OS, and so the decryption keys or equivalent (expanded key schedule maybe) will likely be in memory.

    Basically, if the machine can be bought to an operating (not necessarily logged in) state, with the firewire port accessible then memory can be grabbed and the key (or equivalent) extracted.

    Yes, you can defend by turning the laptop right off - for me thats the difference between 5 seconds to get a session back, or several minutes (Lion does not appear to boot particularly fast in full disk encryption mode - you may get a basic window quite quickly, but its not realistically usable for a while after).

    A defence against this would be to wipe the encryption keys & similar ephemera on suspend, and kick back to the boot partition type login on unsuspend which would then allow you to put in a password, get back access to the disk, and then unsuspend the other processes.

  4. Keith Rose · 932 days ago

    If the attacker has physical access to a logged in Mac, wouldn't it typically be easier to crack the screen lock (assuming one is enabled)? At that point, the decrypted volume is mounted and available anyway.

  5. Brian · 931 days ago

    I don't use firewire so the solution is simple:

    sudo rm -rf /System/Library/Extensions/IOFireWireFamily.kext/

  6. WT · 931 days ago

    If the attacker has that complete of access to the whole machine, wouldn't it be easier and cheaper to install a $5 key capture program and get the actual password? Then you don't even need the firewire port.

  7. Interested · 931 days ago

    This sort of attack appears to be thwartable via some OS X settings changes

    http://www.frameloss.org/2011/09/18/firewire-atta...

    Read the research paper
    http://img.frameloss.org/wp-content/uploads/2011/...

  8. Morgan Berge · 930 days ago

    In MacOS 10.7.2 and beyond, the attack only works if the system is actually logged in...not if it's sleeping. Firewire DMA access is blocked whenever the system is not logged in. From the MacOS 10.7.2 Security release notes ( http://support.apple.com/kb/HT5002 )

    Kernel

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: A person with physical access may be able to access the user's password

    Description: A logic error in the kernel's DMA protection permitted firewire DMA at loginwindow, boot, and shutdown, although not at screen lock. This update addresses the issue by preventing firewire DMA at all states where the user is not logged in.

  9. Guest · 928 days ago

    Changing sleep options should help:
    sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25

  10. Guest · 926 days ago

    Just FYI - there is an open source tool called Inception that does almost the same thing (dumping memory over FireWire / Thunderbolt):
    http://www.breaknenter.org/projects/inception

    Using the resulting memory dump together with Princeton's cold boot keyfind tool and the vilefault tool will yield the same result.

  11. Rick R · 920 days ago

    Does this apply even if "use secure virtual memory" is turned on in the security pref pane???

  12. Yes, it still applies. Turning secure VM on means that you're now encrypting your pagefile. This attack actually pulls the encryption key out of live memory, where it must be unencrypted so that the filesystem can function.

  13. Lisa Barton · 781 days ago

    I am not really computer savvy and you are not helping. I have no memory of turning file vault on but it was on and it has locked me out of my computer. All of my files are safely hidden from me....my pictures (I knew I hated this modern, new digital photo crap!), my resumes, ok, there is nothing vital and life altering but I really would like to get my stuff back. Is there any way to cheaply and easily disable or get around this file vault????

    • maddy · 702 days ago

      Lisa, are you talking about a mac system you're logged out of?

  14. Has Apple changed anything to respond to this vulnerability by now or does it still exist?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Joshua Long has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Computer and Information Security. Josh's research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, and MacTech Magazine. Look for more of Josh's articles featuring his research and musings on malware and security on his blog security.thejoshmeister.com, and follow him on Twitter and Google+.