Apple’s full disk encryption software, FileVault 2, allows attackers with physical access to Mac computers to retrieve the password in cleartext, according to Ulf Frisk, a Swedish security researcher who uncovered the flaw.
Frisk said retrieving a Mac’s password would require a $300 Thunderbolt device plugged into a locked or sleeping Mac. Attackers could then reboot the Mac and the password would be displayed in less than 30 seconds.
How The Attack Works
The attack seems to be enabled by a flaw in macOS’ EFI boot software, which doesn’t protect against Direct Memory Access (DMA) attacks. The same issue affected FireWire-based Macs in the past.
The macOS operating system needs to decrypt the disk before it’s started, and DMA protections are enabled as soon as the disk is decrypted. But there’s no protection against DMA attacks during the boot process, before the OS is started, which is what makes this type of attack possible.
Another issue with the way Apple does things is that the password is stored in cleartext in memory instead of being scrubbed once the disk is unlocked. The password is put into multiple memory locations and then moved around during reboots. Therefore, when the Thunderbolt device is plugged in and the Mac is rebooted, an attacker can read the password out of memory.
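The second problem above is a secret-handling one: a passphrase that is still sitting in RAM after unlock is exactly what a DMA read can pick up. The C snippet below is an added illustration of the mitigation (scrubbing the working copy of a secret before the function returns), not code from Apple or from the researcher; the unlock routine and its stand-in key derivation are hypothetical. It also shows why the scrub must go through a volatile pointer: a plain memset() on a buffer that is never read again is a dead store that the compiler may delete.

```c
#include <stddef.h>
#include <string.h>

/* Scrub a secret buffer in a way the compiler cannot optimise away.
   Writing through a volatile pointer forces every store to be emitted. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte of the buffer is zero, 0 otherwise
   (constant-time over the buffer; no early exit). */
int buffer_is_zeroed(const unsigned char *buf, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Hypothetical unlock routine: the passphrase is copied into a working
   buffer, a key is derived from it (stand-in derivation here, not a real
   KDF), and the working buffer is scrubbed before returning so the
   cleartext passphrase does not linger in memory. Note this only covers
   the copies this function controls; any other copy the firmware keeps
   (the page says there were several) would need the same treatment. */
int unlock_and_scrub(const char *passphrase, unsigned char key_out[32]) {
    unsigned char work[256];
    size_t len = strlen(passphrase);
    if (len >= sizeof work) {
        len = sizeof work - 1;           /* truncate, never overflow */
    }
    memcpy(work, passphrase, len);
    work[len] = '\0';

    memset(key_out, 0, 32);              /* stand-in "derivation": XOR-fold */
    for (size_t i = 0; i < len; i++) {
        key_out[i % 32] ^= work[i];
    }

    secure_zero(work, sizeof work);      /* scrub before the frame is released */
    return buffer_is_zeroed(work, sizeof work);
}
```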
The researcher found the DMA bug at the end of July this year and presented a proof of concept attack at DEFCON on August 5. Apple was contacted on August 15 and the next day the company asked Frisk to hold off public disclosure until the flaw is fixed. Four months later, on December 13, Apple released macOS 10.12.2 with a security update to fix the issue.
According to the researcher, Apple waited four months so it could ship a complete solution to protect against DMA attacks. Frisk believes that Macs should now be one of the most secure platforms against this type of attack. Apple is also expected to replace its FileVault 2 full disk encryption software with native filesystem encryption starting next year.