Mac FileVault 2’s full disk encryption can be bypassed in less than 40 minutes

Mac FileVault 2's full disk encryption can be broken in less than 40 minutes

FileVault 2California-based forensics software vendor Passware has released the latest version of its toolkit, which the company claims can bypass Apple’s FileVault 2 disk encryption “in minutes,” as well as volumes encrypted with TrueCrypt.

The software is reportedly able to capture the contents of a computer’s memory via FireWire (also known as IEEE 1394 or i.LINK), analyze the memory dump, and extract the encryption keys. Passware claims that the software can recover passwords from decrypted Mac OS X keychain files as well.

Previous and current versions of Passware’s software are also able to bypass Microsoft’s BitLocker encryption which is built into some editions of Windows.

Although Passware seems to mainly market its software to government and law enforcement agencies and military organizations, anyone with US $795 can purchase an edition of Passware Kit that includes these features. Interestingly, Passware also lists Apple, Microsoft, Intel, and several other major tech companies among its customers.

For those who might find all this concerning, it is important to note a few important caveats.

First, Passware’s software requires physical access to a computer with a working FireWire port; a remote internet attacker cannot use it to break into your Mac or PC.

AppleInsider reports that turning off your computer rather than putting it to sleep – and of course ensuring that automatic login is disabled – will prevent passwords from being stored in RAM and thus prevent them from being recoverable.

Passware’s site and press release do not mention Sophos SafeGuard full-disk encryption, but it would be wrong to infer that Sophos’s solution and many others out there are immune to FireWire DMA attacks

The concept and practice of exploiting machines locally via a FireWire port has been around for several years.

In 2008, Sophos reported about Winlockpwn, a utility that can unlock a live Windows system via FireWire. Security experts have postulated that similar exploits might be possible via Thunderbolt ports, which have become a standard feature on recent Macs and will become available on PCs later this year.

Updated: This article was updated to clarify that many full disk encryption products could be vulnerable to Firewire DMA attacks.