back to article Macbook seized or stolen? But you've set a FileVault password, right? Ha, it's useless

Until earlier this week, Apple's FileVault 2 disk encryption could be defeated in the time it takes to reboot a Mac, given a few hundred dollars in hardware and physical access to the computer. Apple on its website claims that FileVault 2 uses "XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to …

  1. cashxx

    Clickbait

    So this click bait was all about Apple, but I seen a very small mention of Linux and Windows? Are they fixed yet?

    1. Crazy Operations Guy

      Re: Clickbait

      They aren't fixed and never will be, what with this being a flaw that exists only in OS X and all...

    2. Paul Crawford Silver badge

      Re: Clickbait

      Well you could follow the link to the article (PDF hosted on GIThub) and read it there?

      However, this attack is not OS-specific in that *any* machine with externally controllable DMA enabled at any time is vulnerable to having the OS and program memory read out for analysis.

      In fact the UK gov security advice[1] is to try and buy machines without that feature. I guess Apple are a special case in that they control the UEFI boot loader and so are able to turn off external DMA access until the machine is booted and access is under OS control.

      [1] For example https://www.ncsc.gov.uk/guidance/end-user-devices-security-guidance-ubuntu-1404-lts#risk-owners-summary

      1. Crazy Operations Guy

        Re: Clickbait

        YEs, DMA attacks aren't new, they've been around since DMA was invented, but that's not what this article is about. The flaw mentioned in the article is that OS X does not sufficient protect encryption keys when the operating system is shutting down, making it vulnerable to DMA attacks.

        The operating system does not overwrite the key with random data before releasing the locks on those sections of the memory so when the system reboots, its still there in memory until the kernel initializes the IO-MMU and instructs it to not allow DMA peripherals to read from that region of memory.

  2. aaaa
    Boffin

    Firmware Password

    My MacBook Pro nicely integrates the firmware/boot password with the FileVault 2 encryption - meaning if they are the same password, I'm only prompted for this once. The reason for this is obvious: Apple expect you to use the two together. The FileVault 2 encryption without boot password protection is subject to all sorts of attack vectors. But when the EFI is Boot password protected - then you can't boot off an external thunderbolt device to use this DMA hack, or many other attacks.

    That the article leaves this out is unfortunate - it means that people using Mac OS 10.10 etc. won't realise there is an option besides upgrading to 10.12.2; and worse, will lead many people to be misinformed...

    Not protecting the FileVault 2 password from DBA attack is poor work on Apple's part - and it's good to know it is now fixed. But in the 'real world' this attack is going to fail on all but the most poorly configured devices.

    1. seven of five Silver badge

      Re: Firmware Password

      As I read the article, having the Thunderbolt device connected at boot time suffices to enable DMA access, to boot from it does not seem neccessary. I wonder whether delaying startup continuation (and therefore, memory overwrite) by using a EFI password would actually worsen the situation.

      But from the article or its links a really can not tell.

  3. Dan 55 Silver badge

    Would You Like To Know More?

    Shame Apple's security page doesn't mention it.

    So I don't know if 10.12.2 has a bundled EFI update meaning you have to install the OS update to get the EFI update, you can't decide to skip it and install a later combo update as you won't get the EFI update with that.

  4. Phil O'Sophical Silver badge

    We've seen this before

    Isn't this much the same problem Apple had with their FireWire ports 5 years ago? Looks like the Thunderbolt driver developers didn't talk to the Firewire ones:

    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3215

  5. Chris Evans

    Why give full details so soon?

    I never understand why full details of such vulnerabilities are given so soon after a fix. I wonder how many susceptible computers have yet to be updated. In this case as physical access is required the problem is not massive but why make it easy for hackers?

    1. Anonymous Coward
      Anonymous Coward

      Re: Why give full details so soon?

      The disclosure versus secrecy debate has been played out forever. If Apple said "can you please keep this secret for a year after we fix it, to make sure everyone has updated" researches might be less willing to work with them.

      I think most companies would ask for an extended disclosure if it was a really nasty attack - i.e. something that was exploitable by a script kiddie from across the internet and there was no defense other than unplugging your computer from all networks. But this is pretty esoteric - really of interest only to spooks and those committing high end corporate espionage. A jealous spouse isn't likely to put together this attack to see if there's been cheating going on...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021