Apple update to OS X Lion exposes encryption passwords

Filed Under: Apple, Data loss, Featured, OS X, Privacy, Vulnerability

Broken padlock courtesy of ShutterstockApple's had a rough time lately on the security front. Last month it was caught out having delayed the release of a security update for Java, resulting in more than 600,000 Macs being recruited into a botnet. Now a quality assurance mistake can cause OS X users' FileVault encryption passwords to be exposed.

On Friday, David Emery posted to an encryption mailing list disclosing this flaw in the latest OS X Lion security update, 10.7.3, which was released in February.

It appears that a debug option was accidentally left enabled in FileVault, resulting in the user's password being saved in plain text in a log file accessible outside of the encrypted area.

FileVault password in plain textAnyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.

To my knowledge, this only applies to users of Snow Leopard who used the FileVault encryption option for their home directories. It does not impact users of FileVault2 who have turned on Apple's full disk encryption, nor does it impact users who did not upgrade from Snow Leopard.

The best course of action is to implement a full disk encryption solution like Sophos SafeGuard for Mac or Apple's included FileVault 2.

FileVault 2 upgrade option

Additionally, vulnerable users who do not encrypt their Time Machine backups risk replicating this log file to their backups, which could mean long-term storage of their unencrypted password.

This proves a very important point when it comes to encryption. While choosing a secure algorithm is important, it's rarely the most important factor. How products store, manage and secure keys and passwords is the most common failure point in assuring data protection.

This incident demonstrates the importance of implementation over technical arguments like key strength and password complexity. That Apple promises AES encryption doesn't mean anything if it chooses to store your password in an accessible log file.

Let's hope Apple is able to fix this problem quickly. However, the possibility that the plain text password has been backed up and the difficulty of ensuring both copies and the original plain text password are securely erased means retrieval could still be possible even after the fix is applied.

Once Apple users receive and apply the fix, they would be well advised to consider this password compromised, change it and ensure it is not used on any other systems.

, , , , , ,

You might like

5 Responses to Apple update to OS X Lion exposes encryption passwords

  1. Peg · 816 days ago

    Which version of OSX has the problem? It first reads that it's Lion and then says it's Snow Leopard.

  2. Starchy · 816 days ago

    The logs in question live at /private/var/log/secure.log.

  3. Ben P. · 816 days ago

    The brain is the ultimate encryption algorithm

  4. michaelwolfnyc · 813 days ago

    What I don't get is why apple can't release the trivial patch (debug mode off).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.