
PCILeech attack can bypass Mac encryption passcode in seconds, vulnerability fixed in macOS 10.12.2

By Jos
Dec 19, 2016
Last week's macOS Sierra 10.12.2 update addressed a number of bugs, including one vulnerability disclosed just today that allowed an attacker to obtain your FileVault disk encryption password by plugging a $300 Thunderbolt device into a locked or sleeping Mac. The flaw was discovered by security researcher Ulf Frisk back in August, but he was asked to withhold details pending a fix.

According to Frisk, the exploit works because macOS does not protect itself against Direct Memory Access (DMA) attacks before the operating system has started. This is compounded by the fact that the FileVault password is stored in multiple memory locations in clear text once entered and is not automatically scrubbed from memory after the disk has been unlocked. Since EFI runs on reboot before macOS is started, Thunderbolt is already active at that stage, allowing a malicious device to read and write system memory.

The attack doesn't work from a fresh boot, only after a reboot, and it works even if the computer was locked or sleeping. Once the Mac is rebooted, the DMA protections that macOS previously enabled are dropped, but the memory contents, including the password, are still there. That leaves a time window of a few seconds before the memory holding the password is overwritten with new content.
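The two conditions described above, clear-text copies of the passphrase left in RAM and a device that can read that RAM over DMA, can be shown in a few lines of C. This is an added example written for this page; it is not Frisk's code, nor anything from PCILeech or macOS. The `ram` arena, the `copy_offsets`, `unlock_disk` and `dma_scan_for` are all constructed stand-ins: `unlock_disk` mimics an unlock path that copies the passphrase to several locations and either scrubs them or leaves them behind, and `dma_scan_for` does what a DMA reader does once it has a memory image, which is search it for the secret.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for physical RAM. A DMA-capable Thunderbolt device
 * reads real physical memory; here the scan runs over this static arena. */
#define RAM_SIZE 4096
static unsigned char ram[RAM_SIZE];

/* Offsets where the hypothetical unlock code leaves copies of the passphrase
 * (the article notes the password sat in several memory locations at once). */
static const size_t copy_offsets[] = { 0x100, 0x800, 0xC00 };
#define NUM_COPIES (sizeof copy_offsets / sizeof copy_offsets[0])

/* A scrub the compiler cannot drop as a dead store: memset called through a
 * volatile function pointer. memset_s or explicit_bzero do the same job
 * where they are available. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

static void scrub(void *p, size_t n) { secure_memset(p, 0, n); }

/* Simulated unlock path: copies the passphrase into several places, "uses"
 * it, and returns. With scrub_after_use == 0 the copies are left behind,
 * which is the behaviour the article describes. */
static int unlock_disk(const char *passphrase, int scrub_after_use)
{
    size_t len = strlen(passphrase);
    for (size_t i = 0; i < NUM_COPIES; i++)
        memcpy(ram + copy_offsets[i], passphrase, len);

    /* ... key derivation and volume unlock would happen here ... */
    int unlocked = len > 0;

    if (scrub_after_use)
        for (size_t i = 0; i < NUM_COPIES; i++)
            scrub(ram + copy_offsets[i], len);
    return unlocked;
}

/* What an attacker does with a DMA memory image: look for the secret.
 * Returns the number of intact, non-overlapping copies found. */
static size_t dma_scan_for(const unsigned char *mem, size_t mem_len,
                           const char *needle)
{
    size_t n = strlen(needle), hits = 0;
    if (n == 0 || n > mem_len)
        return 0;
    for (size_t i = 0; i + n <= mem_len; i++) {
        if (memcmp(mem + i, needle, n) == 0) {
            hits++;
            i += n - 1;
        }
    }
    return hits;
}

/* Run one unlock and report how many passphrase copies a DMA scan of the
 * arena would still recover afterwards. */
size_t copies_left_after_unlock(const char *passphrase, int scrub_after_use)
{
    memset(ram, 0, RAM_SIZE);
    unlock_disk(passphrase, scrub_after_use);
    return dma_scan_for(ram, RAM_SIZE, passphrase);
}

int main(void)
{
    const char *pw = "correct horse battery staple"; /* constructed sample */
    printf("copies recoverable without scrubbing: %zu\n",
           copies_left_after_unlock(pw, 0));
    printf("copies recoverable with scrubbing:    %zu\n",
           copies_left_after_unlock(pw, 1));
    return 0;
}
```

The point of the volatile function pointer is that a plain `memset(buf, 0, len)` before a buffer goes out of scope is a dead store the optimizer is entitled to delete, so a scrub that looks correct in source can still leave the secret in RAM. Scrubbing every copy is also only half the fix; the other half, which the 10.12.2 update supplied, is keeping DMA blocked while EFI is running so a device plugged in after the reboot never gets to read memory in the first place.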

In his video demonstration, Frisk retrieves the password from a locked Mac in under 30 seconds. The hardware and software required for the attack have been detailed by the researcher on GitHub and have been tested on multiple MacBook and MacBook Air computers with Thunderbolt 2 ports. The attack has not been verified on devices with USB-C.

Requiring physical access to the target device limits the exposure from this particular attack, but it goes without saying that you should still update to macOS 10.12.2 as soon as possible.


Kibaruk, TechSpot Paladin:

    This attack is quite smart, kudos to the researcher and hope he got his well deserved fee for discovering it!
jobeard, TS Ambassador:

Running code from mounted devices (such as USB) has long been a known intrusion vector.
Linux & Unix mounts have also had simple means to block all programs on mounted devices.
