DMA Attack Lets Hackers Retrieve Mac Encryption Passwords In 30 Seconds

Apple’s full disk encryption software, FileVault 2, allows attackers with physical access to Mac computers to retrieve the passwords in cleartext, according to Ulf Frisk, a Swedish security researcher that uncovered the flaw.

Frisk said retrieving a Mac’s password would require a $300 Thunderbolt device plugged into a locked or sleeping Mac. Attackers could then reboot the Mac and the password would be displayed in less than 30 seconds.

How The Attack Works

The attack seems to be enabled by a flaw in macOS' EFI boot software, which doesn’t protect against Direct Memory Access (DMA) attacks. The issue used to affect Firewire-based Macs in the past as well.

The macOS operating system needs to decrypt the disk before it’s started, and DMA protections are enabled as as soon as the disk is decrypted. But there’s no protection against DMA attacks in the boot process, before the OS is started, which makes this type of attack possible.

Another issue with the way Apple does things is that the password is stored in cleartext in memory instead of being scrubbed from memory once the disk is unlocked. The password is put into multiple memory locations and then moved around during reboots. Therefore, when the Thunderbolt device is plugged in and the Mac is rebooted, an attacker can obtain the password.


The researcher found the DMA bug at the end of July this year and presented a proof of concept attack at DEFCON on August 5. Apple was contacted on August 15 and the next day the company asked Frisk to hold off public disclosure until the flaw is fixed. Four months later, on December 13, Apple released macOS 10.12.2 with a security update to fix the issue.

According to the researcher, Apple waited four months so it could enable a complete solution to protect against DMA attacks. Frisk believes that Macs should now be one of the the most secure platforms against this type of attack. Apple is also expected to replace its FileVault 2 full disk encryption software with native filesystem encryption starting next year.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • targetdrone
    I wonder if this was similar to the method the FBI used to hacked that Islamic Terrorist's phone that the FBI originally demanded Apple to write a custom OS for because "it was too hard for lazy FBI agents"
  • jeremy2020
    This article is untrue. It is impossible for Macs to get hacked or get a virus
  • spdragoo
    I can't tell if he's being serious or sarcastic...
  • negusp
    Jeremy, you forgot your /s
  • cmi86
    Hmm so much for mac's are safer because they can't get hacked or get virus's... I tried telling some apple people years ago that with popularity comes attention. Mac OS wasn't inherently any safer than a MS OS it's just that no one cared to hack them because there wasn't any market share. Go figure they didn't listen. I'd have a better chance of winning the lottery 2 times and getting struck by lighting all in one day then I would getting an apple zealot to accept common sense...
  • Kimonajane
    Well at least they have to have physical access to your computer. Hopefully Apple updates this fast.
  • Sam Hain

    Nothing is hack or virus proof. In fact, bad end-user (browsing) habits, poor AV defensive software (or lack of) OR being complacent in the trust of such myths of the likes of the Apple Fortress of Impregnability WILL increase the likelihood of such attacks and the challenge to hackers to conquer it.

    Why do you think AV, Mal-Ware, etc. programmers are always having to update their data bases for us end-users/subscribers???

    Answer... The black-hats are always trying something new and better, to get in. Encryption hacking/decoding is yet, just another and sometimes more rewarding challenge to them.
  • Kewlx25
    Bootstrapping is always the hardest part.
  • none12345
    "Well at least they have to have physical access to your computer. Hopefully Apple updates this fast."

    Considering the article said that apple has known about this since at least july....and they still havent fixed say that apple has not(and likely wont) fix this fast.
  • Kewlx25
    This attack only works because "untrusted" devices can gain access to DMA on boot. The only way to fight this is to have some notion of "trusted" devices, which leaves you with something like Secure Boot.