DMA Attack Lets Hackers Retrieve Mac Encryption Passwords In 30 Seconds

An attacker with physical access to a Mac can recover the FileVault 2 full disk encryption password in cleartext, according to Ulf Frisk, the Swedish security researcher who uncovered the flaw.

Frisk said the attack needs only a roughly $300 DMA device plugged into the Thunderbolt port of a locked or sleeping Mac. The attacker then forces a reboot, and the device reads the password out of memory in under 30 seconds. The Mac has to have been booted and unlocked since it was last powered off, because what is recovered is the password the user typed at that boot.

How The Attack Works

The attack relies on a weakness in the Mac's EFI boot firmware, which does not protect against Direct Memory Access (DMA) attacks before macOS starts: a device plugged into Thunderbolt can read and write physical memory directly. Older FireWire-equipped Macs were vulnerable to the same class of attack.

The encrypted volume has to be unlocked before macOS can start, so the FileVault password is typed and processed in the pre-boot EFI environment. macOS turns on DMA protection (an IOMMU) as soon as it is running, but nothing protects memory during the boot process before the OS is up, and that window is what makes the attack possible.

A second problem is that the password stays in memory in cleartext instead of being scrubbed once the volume is unlocked. RAM is not cleared on a warm reboot, so the password typed at the previous boot is still present when the machine restarts into EFI. It sits in several memory locations that shift between reboots but stay within certain ranges, so a DMA device plugged in before the reboot can scan those ranges and pull the password out.
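To make the two points above concrete (a secret left in cleartext in RAM is trivially found by a memory scan, and a scrub that the compiler cannot optimise away removes it), here is an added example that is not code from the article, from Frisk's PCILeech tool, or from Apple. It models physical RAM as a byte array, the pre-boot unlock as a copy of the passphrase into that array, and the DMA read as a scan for printable, NUL-terminated runs of passphrase-like length. The RAM size, the offsets, the decoy strings, the sample passphrase and the 8-character heuristic are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the physical RAM an attacker reads over DMA.
   The size and the offsets used below are hypothetical, not Apple's layout. */
#define RAM_SIZE 4096
static uint8_t g_ram[RAM_SIZE];

/* Zeroing that the compiler cannot drop as a dead store: writes go through
   a volatile pointer. A plain memset() just before the buffer goes out of
   scope is routinely optimised away; memset_s() or explicit_bzero() are the
   library equivalents where available. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n-- > 0) *v++ = 0;
}

/* Model of the pre-boot unlock: the typed passphrase lands in RAM, the volume
   key would be derived from it, and the buffer is then either left in place
   (the behaviour Frisk reported) or scrubbed (the fix). Returns the number of
   bytes written, or 0 if the hypothetical offset does not fit. */
static size_t simulate_unlock(const char *passphrase, size_t at, int scrub) {
    size_t n = strlen(passphrase) + 1;              /* include terminator */
    if (at + n > RAM_SIZE) return 0;
    memset(g_ram, 0, RAM_SIZE);                       /* fresh image */
    memcpy(g_ram + 0x100, "EFI", 4);                  /* short decoy string */
    g_ram[0x200] = 0xAA; g_ram[0x201] = 0x55;         /* non-text filler */
    memcpy(g_ram + at, passphrase, n);                /* pre-boot copy */
    /* ... key derivation would consume the passphrase here ... */
    if (scrub) secure_zero(g_ram + at, n);
    return n;
}

/* Attacker side. A warm reboot is modelled as simply not touching g_ram:
   DRAM keeps its contents, and the firmware then services DMA reads. The scan
   looks for NUL-terminated runs of printable bytes of passphrase-like length,
   which is what a plaintext secret left in memory looks like to a DMA tool.
   Returns the number of candidates; the first one is copied into out. */
static size_t dma_scan_for_passphrase(const uint8_t *mem, size_t len,
                                      char *out, size_t outlen) {
    size_t hits = 0, start = 0, i;
    int in_run = 0;
    out[0] = '\0';
    for (i = 0; i < len; i++) {
        int printable = mem[i] >= 0x20 && mem[i] < 0x7f;
        if (printable && !in_run) {
            in_run = 1;
            start = i;
        } else if (!printable && in_run) {
            size_t runlen = i - start;
            in_run = 0;
            /* Hypothetical heuristic: at least 8 chars and NUL-terminated. */
            if (mem[i] == 0 && runlen >= 8 && runlen < outlen) {
                if (hits == 0) {
                    memcpy(out, mem + start, runlen);
                    out[runlen] = '\0';
                }
                hits++;
            }
        }
    }
    return hits;
}

int main(void) {
    char found[64];
    const char *pw = "correct horse battery";  /* constructed sample passphrase */

    simulate_unlock(pw, 0x400, 0);
    printf("no scrub: %zu candidate(s), first = \"%s\"\n",
           dma_scan_for_passphrase(g_ram, RAM_SIZE, found, sizeof found), found);

    simulate_unlock(pw, 0x400, 1);
    printf("scrubbed: %zu candidate(s)\n",
           dma_scan_for_passphrase(g_ram, RAM_SIZE, found, sizeof found));
    return 0;
}
```

The scan is deliberately naive; a real tool would also know roughly which physical ranges to look at, as the article says the password stays within certain ranges. The defensive point does not change either way: once the key has been derived, the only copy of the passphrase an attacker can find is the one that was never wiped, and the wipe has to be done through a volatile write, memset_s() or explicit_bzero() so the optimiser keeps it.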

Disclosure

Frisk found the DMA bug at the end of July 2016 and demonstrated a proof-of-concept attack at DEF CON on August 5. He contacted Apple on August 15, and the next day the company asked him to hold off on public disclosure until a fix was ready. Four months later, on December 13, Apple released macOS 10.12.2 with a security update that addresses the issue; Macs still running earlier versions remain exposed, so the update is the check to make.

According to Frisk, Apple took the four months to ship a complete defense against DMA attacks rather than a narrow patch, and he believes Macs are now among the most secure platforms against this type of attack. Apple is also expected to replace FileVault 2 with native filesystem-level encryption, part of its new APFS filesystem, starting in 2017.

13 comments
  • targetdrone
    I wonder if this was similar to the method the FBI used to hack that Islamic Terrorist's phone that the FBI originally demanded Apple write a custom OS for because "it was too hard for lazy FBI agents"
  • jeremy2020
    This article is untrue. It is impossible for Macs to get hacked or get a virus
  • spdragoo
    I can't tell if he's being serious or sarcastic...