Apple’s had a rough time lately on the security front. Last month it was caught out having delayed the release of a security update for Java, resulting in more than 600,000 Macs being recruited into a botnet. Now a quality assurance mistake can cause OS X users’ FileVault encryption passwords to be exposed.
On Friday, David Emery posted to an encryption mailing list disclosing this flaw in the latest OS X Lion security update, 10.7.3, which was released in February.
It appears that a debug option was accidentally left enabled in FileVault, resulting in the user’s password being saved in plain text in a log file accessible outside of the encrypted area.
Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.
To my knowledge, this only applies to users of Snow Leopard who used the FileVault encryption option for their home directories. It does not impact users of FileVault2 who have turned on Apple’s full disk encryption, nor does it impact users who did not upgrade from Snow Leopard.
The best course of action is to implement a full disk encryption solution like Sophos SafeGuard for Mac or Apple’s included FileVault 2.
Additionally, vulnerable users who do not encrypt their Time Machine backups risk replicating this log file to their backups, which could mean long-term storage of their unencrypted password.
This proves a very important point when it comes to encryption. While choosing a secure algorithm is important, it’s rarely the most important factor. How products store, manage and secure keys and passwords is the most common failure point in assuring data protection.
This incident demonstrates the importance of implementation over technical arguments like key strength and password complexity. That Apple promises AES encryption doesn’t mean anything if it chooses to store your password in an accessible log file.
Let’s hope Apple is able to fix this problem quickly. However, the possibility that the plain text password has been backed up and the difficulty of ensuring both copies and the original plain text password are securely erased means retrieval could still be possible even after the fix is applied.
Once Apple users receive and apply the fix, they would be well advised to consider this password compromised, change it and ensure it is not used on any other systems.