Apple recently addressed a vulnerability in its MacOS operating system that can be exploited by an attacker to obtain a MacBook’s FileVault password using a $300 device.
The issue was discovered by Sweden-based researcher Ulf Frisk at the end of July. Apple was notified about the flaw in mid-August and patched it earlier this month with the release of MacOS 10.12.2.
FileVault 2 is a full-disk encryption program that uses XTS-AES-128 encryption with a 256-bit key to preventing unauthorised access to the information on the startup disk. Frisk has demonstrated that an attacker with physical access to a locked or sleeping MacBook can retrieve the FileVault 2 password in clear text by connecting a special device to the targeted system’s Thunderbolt port.
According to the expert, these attacks are possible due to two vulnerabilities. One of them is related to the fact that while direct memory access (DMA) attack protections are enabled by default once MacOS has started, these protections are not active before the operating system has booted. This allows an attacker to read and write memory from a MacBook by connecting a Thunderbolt device.
Since the FileVault 2 password is stored in cleartext in memory at predictable locations, software running on the Thunderbolt device can retrieve the password from memory before it is overwritten. The attacker must gain access to a locked or sleeping MacBook, connect the Thunderbolt device and reboot the computer. The attack does not work if the targeted MacBook has been shut down as the password is no longer available in memory.
The device that can be used to carry out such an attack has been dubbed PCILeech, and its source code and hardware requirements have been made available by Frisk. The expert said he tested the attack on multiple MacBook and MacBook Air computers with Thunderbolt 2 ports. The attack has not been verified on devices with USB-C.