Last week’s macOS Sierra 10.12.2 update addressed a number of bugs, including one vulnerability disclosed just today that allowed an attacker to obtain your FileVault disk encryption password by plugging a $300 Thunderbolt device into a locked or sleeping Mac. The flaw was discovered by security researcher Ulf Frisk back in August; he was asked to withhold details pending a fix.
According to Frisk, the exploit works because macOS does not protect itself against Direct Memory Access (DMA) attacks before macOS is started. This is combined with the fact that the FileVault password is stored in multiple memory locations in clear text when entered and is not automatically scrubbed from memory once the disk is unlocked. Since EFI is running after a reboot and before macOS is started, Thunderbolt is already active at this stage, allowing malicious devices to read and write memory.
The attack does not work from a fresh boot, only after a reboot, and it works even if the computer is locked or sleeping. Once the Mac is rebooted, the DMA protections that macOS had previously enabled are dropped, but the memory contents, including the password, are still there. There is a window of a few seconds before the memory holding the password is overwritten with new content.
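The root cause described above, a clear-text password copied into more than one memory location and never scrubbed, modelled as an added C example (not Frisk's tooling or Apple's code). The memory pool, the passphrase and the two buffer offsets are constructed for illustration; the point is that clearing only the obvious input buffer still leaves a copy behind.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample values: a stand-in passphrase and a 4 KiB memory pool
   that plays the role of RAM as a DMA-capable peripheral would see it. */
#define PASSPHRASE "correct-horse-battery"
#define PLEN (sizeof(PASSPHRASE) - 1)
#define POOL_SIZE 4096
static unsigned char pool[POOL_SIZE];

/* Scrub the compiler cannot optimise away: writes go through a volatile pointer. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Count how many clear-text copies of the passphrase are findable in the pool,
   i.e. what a memory dump would reveal. */
int passphrase_copies(void) {
    int found = 0;
    for (size_t i = 0; i + PLEN <= POOL_SIZE; i++)
        if (memcmp(pool + i, PASSPHRASE, PLEN) == 0) found++;
    return found;
}

/* Model an unlock routine that keeps both the typed input and a working copy
   (two hypothetical offsets) while deriving the volume key. */
static void stage_passphrase(char **input, char **work) {
    memset(pool, 0, POOL_SIZE);
    *input = (char *)pool + 256;
    *work  = (char *)pool + 2048;
    memcpy(*input, PASSPHRASE, PLEN + 1);
    memcpy(*work,  PASSPHRASE, PLEN + 1);
}

/* Flawed flow: unlock, move on, scrub nothing. Both copies stay resident. */
int unlock_without_scrub(void) {
    char *input, *work;
    stage_passphrase(&input, &work);
    return passphrase_copies();                 /* 2 */
}

/* Half fix: clear only the visible input buffer; the working copy survives. */
int unlock_partial_scrub(void) {
    char *input, *work;
    stage_passphrase(&input, &work);
    secure_zero(input, PLEN + 1);
    return passphrase_copies();                 /* 1 */
}

/* Full fix: every location that held the secret is zeroed once the key exists. */
int unlock_full_scrub(void) {
    char *input, *work;
    stage_passphrase(&input, &work);
    secure_zero(input, PLEN + 1);
    secure_zero(work,  PLEN + 1);
    return passphrase_copies();                 /* 0 */
}

int main(void) {
    printf("no scrub: %d copies\npartial: %d copies\nfull: %d copies\n",
           unlock_without_scrub(), unlock_partial_scrub(), unlock_full_scrub());
    return 0;
}
```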
In the video demonstration above, Frisk retrieves the password from a locked Mac in under 30 seconds. The hardware and software required for the attack have been detailed by the researcher on GitHub and have been tested to work on multiple MacBook and MacBook Air computers with Thunderbolt 2 ports. The attack has not been verified on devices with USB-C.
Requiring physical access to the target device limits the risk of exposure for this particular attack, but it goes without saying that you should still update to macOS 10.12.2 as soon as possible.