Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

Macbook seized or stolen? But you've set a FileVault password, right? Ha, it's useless

Luckily, there's a security fix

Until earlier this week, Apple's FileVault 2 disk encryption could be defeated in the time it takes to reboot a Mac, given a few hundred dollars in hardware and physical access to the computer.

Apple on its website claims that FileVault 2 uses "XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk."

However, Ulf Frisk, a security researcher based in Sweden, found that he could plug an assembled device running software called PCILeech into a Mac and obtain the FileVault 2 encryption password using a direct memory access (DMA) attack during the reboot process.

Apple's flawed encryption scheme, fixed in the Tuesday release of the macOS 10.12.2 update, lacked protection from DMA attacks launched prior to the the loading of macOS.

When running its Extensible Firmware Interface (EFI) during the early stages of the boot process, Mac hardware allowed devices connected by Thunderbolt 2 (USB-C has not been tested) to read and write memory in the Mac.

The ability to write to memory alone allows an attacker to subvert a system. But creating an exploit by overwriting memory wasn't necessary because FileVault passwords were stored in cleartext and were not evicted from memory once the disk was unlocked.

Obtaining the disk password was simply a matter of connecting the PCILeech device to a Mac and rebooting it, Frisk explains.

"Once the Mac is rebooted, the DMA protections that macOS previously enabled are dropped," said Frisk in a blog post on Thursday. "The memory contents, including the password, [are] still there though. There is a time window of a few seconds before the memory containing the password is overwritten with new content."

Frisk discovered the vulnerability in July and presented details in August at Def Con 24. The presentation also described attacks on Linux and Window systems.

Youtube Video

Apple was subsequently notified and requested that Frisk delay public disclosure until it could deal with the issue, which it has done through its software update.

Frisk says it is no longer possible to access memory prior to the boot process on an updated Mac, making it one of the most secure platforms against this specific type of attack, at least with regard to publicly disclosed vulnerabilities. ®

Similar topics

TIP US OFF

Send us news


Other stories you might like