Power Nap=Security Issue?

ugotpwned5 said:

Wouldn't this potentially allow lets say someone able to tap into the flash storage when the system is running such updates? Even with your computer password protected it is allowing changes on the flash storage? Security hole? or am i thinking to much into it?

Discuss!

Click to expand...

No less secure than when the laptop is on. Many of these also require the laptop be plugged into power while sleeping.

You can browse files on the laptop that is in PowerNap mode - if you have that service turned on (it isn't by default). Using SFTP, I can browse the stuff on my laptop from my phone when it is charging on my desk. I also pull files from one laptop to the other while one is charging in the same manner.

Windows has had this features forever, and never heard of a security prob.

So yes you are thinking too much. Next!

Your question is pretty poorly formed.

Explain how you think someone would gain access to the flash storage during powernap on an encrypted system?

ugotpwned5 said:

How is it poorly formed? Please do explain.

I don't see how you guys don't understand what I am trying to point out. Let me make an example.

A government worker carries a macbook pro retina 2012-mid with power nap enabled on it and filevault 2 on the storage. He loses the laptop with sensitive data with the lid closed, sleep is enable. The computer is not off.

A hacker takes the computer, exploits the system by doing something during the active (power nap). I am not a hacker by any means so these may not be the right terms, could he interject something in the data by a usb/firewire cable. Like overload a particular kernel or something and inject his own program to steal data.

If the computer was in power nap and carrying out functions, the computer had to have unlocked the filevault to write data to the storage device. Hence the vulnerability of the device.

Click to expand...

Ok... the hacker physically has the computer. It is in sleep mode meaning he could just open the lid and have more access than if it was sleeping (network and at the keyboard). This is a non-issue as no one is going to keep it in sleep mode after stealing it and give themselves less ability to break into it.

----------

ugotpwned5 said:

I understand the laptop would be less secure while the laptop is on, but most people close their laptop instead of shutting down when they walk away. And if they change power nap to enable on battery or ac adapter, if filevault was enabled, wouldn't it allow access to the system's flash storage without having the filevault key when the system decides to use power nap to carry out its functions? This would allow access to encrypted systems? Can anybody correct me if I am wrong?

Click to expand...

No access is there for the file storage without login credentials. Keep your password secure.

The bigger issue in that example is that the "hacker" has the computer at all! They can do whatever they want with it at that point. Take the drive out, for example. At that point, power-nap being turned on is the least of your worries.

I think you'd have much bigger problems to worry about besides whether or not you left power-nap turned on in that situation.

Any potential legitimate security risk with power-nap will most likely involve people gaining unauthorized remote access to your system while it (power-nap) is turned on and active.

1.) You're thinking too much into it. And

2.) Most thieves are interested in the machine itself then the data that's stored on it.

madsci954 said:

1.) You're thinking too much into it. And

2.) Most thieves are interested in the machine itself then the data that's stored on it.

Click to expand...

True , no one wants your 70's porn collection

duervo said:

The bigger issue in that example is that the "hacker" has the computer at all! They can do whatever they want with it at that point. Take the drive out, for example. At that point, power-nap being turned on is the least of your worries.

I think you'd have much bigger problems to worry about besides whether or not you left power-nap turned on in that situation.

Any potential legitimate security risk with power-nap will most likely involve people gaining unauthorized remote access to your system while it (power-nap) is turned on and active.

Click to expand...

If he has disk encryption enabled, taking the drive out won't do him any good. Contrary to what spy movies today suggests. Nobody breaks a 256bit AES encrypted file unless they can somehow obtain the password.
Which is actually easier if the system is on. Because all you need is some flaw in the login which gets you access. The password must reside somewhere for powernap to be able to unlock the drive when it wants to do something unless it works entirely in memory. Theoretically it might just work entirely in memory and never wake the drive. This would also conserve power and add security. The stuff in RAM is never encrypted by filevault anyway. Ergo the system is only as secure as the login process.
Which means there is absolutely no difference between it sleeping or being on.

Trying to crack the encryption and attack the AES key directly is absolutely useless. You need to attack the password or somehow get enough access to read out a key from some cache.

I've read articles about a similar thing on the Windows side. When Windows disk encryption is used, the drive remains unlocked while in sleep mode. You only need to enter the encryption key when booting or resuming from hibernate. What some companies do is to disable sleep on the laptops and force the user to hibernate or do a full shut down. What most do is to not care as you still need to authenticate to the computer to get in.

But yes, if your computer is connected to a network and running, anything is possible I suppose.

dusk007 said:

If he has disk encryption enabled, taking the drive out won't do him any good. Contrary to what spy movies today suggests. Nobody breaks a 256bit AES encrypted file unless they can somehow obtain the password.
Which is actually easier if the system is on. Because all you need is some flaw in the login which gets you access. The password must reside somewhere for powernap to be able to unlock the drive when it wants to do something unless it works entirely in memory. Theoretically it might just work entirely in memory and never wake the drive. This would also conserve power and add security. The stuff in RAM is never encrypted by filevault anyway. Ergo the system is only as secure as the login process.
Which means there is absolutely no difference between it sleeping or being on.

Trying to crack the encryption and attack the AES key directly is absolutely useless. You need to attack the password or somehow get enough access to read out a key from some cache.

Click to expand...

Well, my point was that somebody being able to physically obtain the system (i.e.: Pick it up and walk away with it) is going to trump any sort of power-nap mode that was enabled and active on the system. Once you have the system in your hands, you can do whatever you want with it. Power-nap isn't going to stop somebody from removing the drive and replacing it with an empty one and carrying on with a fresh install of OS X.

So, their example of a "hacker" stealing a system with power-nap turned on was probably not the best example to give.

With regards to the data on the actual drive, you are correct. Encryption will stop access to the data. Wasn't my point, though.

ugotpwned5 said:

I understand the laptop would be less secure while the laptop is on, but most people close their laptop instead of shutting down when they walk away. And if they change power nap to enable on battery or ac adapter, if filevault was enabled, wouldn't it allow access to the system's flash storage without having the filevault key when the system decides to use power nap to carry out its functions? This would allow access to encrypted systems? Can anybody correct me if I am wrong?

Click to expand...

The disk is already decrypted anyway....

duervo said:

Well, my point was that somebody being able to physically obtain the system (i.e.: Pick it up and walk away with it) is going to trump any sort of power-nap mode that was enabled and active on the system. Once you have the system in your hands, you can do whatever you want with it. Power-nap isn't going to stop somebody from removing the drive and replacing it with an empty one and carrying on with a fresh install of OS X.

So, their example of a "hacker" stealing a system with power-nap turned on was probably not the best example to give.

With regards to the data on the actual drive, you are correct. Encryption will stop access to the data. Wasn't my point, though.

Click to expand...

The ops concern is justifiable.

For disk encryption to work you need a password to unlock it. Once it is unlocked most processes have file access pretty much all over the place. Now if you lock your notebook a new unlock is require by you typing in the password. If the powernap can wake and actually alter files in the persistent hdd storage, it would need the password saved in some cached form in the RAM. If the login process isn't secure enough to stop you getting access to this saved password, one might find it and use it to read everything.

Having the notebook in hand does not provide more access as the vulnerability might be that powernap can automatically unlock the drive when needed or worse it stays unlocked. Having a locked notebook (you need to type in the password which isn't cached anywhere) in malicious hands is thus theoretically more secure than a potentially semi-unlocked power napping notebook.

I think the ops worry is definitely justified. I don't really know enough about filevault 2 and power nap to say anything definite. In theory at least there is more potential for security breaches. Especially how Apple works with a TPM or how they secure the keys in use.
An encrypted drive isn't secure if you can access the drives key which must be accessible for the system when it is on and reside somewhere in RAM or a TPM. As far as I know Apple doesn't use a TPM chip. Maybe something equivalent or maybe nothing.
Generally I think if there isn't clear documentation of the system they use it is most likely not all that secure. iphones are fairly secure today but the Macs do lag behind Bitlocker and such.
Authentication is everything. The encryption algorithm are rarely an issue. They only matter for performance really. Password security matters too but I assume that much everyone knows.

dusk007 said:

If he has disk encryption enabled, taking the drive out won't do him any good. Contrary to what spy movies today suggests. Nobody breaks a 256bit AES encrypted file unless they can somehow obtain the password.
Which is actually easier if the system is on. Because all you need is some flaw in the login which gets you access. The password must reside somewhere for powernap to be able to unlock the drive when it wants to do something unless it works entirely in memory. Theoretically it might just work entirely in memory and never wake the drive. This would also conserve power and add security. The stuff in RAM is never encrypted by filevault anyway. Ergo the system is only as secure as the login process.
Which means there is absolutely no difference between it sleeping or being on.

Trying to crack the encryption and attack the AES key directly is absolutely useless. You need to attack the password or somehow get enough access to read out a key from some cache.

Click to expand...

The password is in RAM already when in sleep mode - with or without power nap. The only way to steal this would be the DMA attack which Apple blocked in 10.7.2 for FireWire/TB attacks.

dusk007 said:

If he has disk encryption enabled, taking the drive out won't do him any good. Contrary to what spy movies today suggests. Nobody breaks a 256bit AES encrypted file unless they can somehow obtain the password.
Which is actually easier if the system is on. Because all you need is some flaw in the login which gets you access. The password must reside somewhere for powernap to be able to unlock the drive when it wants to do something unless it works entirely in memory. Theoretically it might just work entirely in memory and never wake the drive. This would also conserve power and add security. The stuff in RAM is never encrypted by filevault anyway. Ergo the system is only as secure as the login process.
Which means there is absolutely no difference between it sleeping or being on.

Trying to crack the encryption and attack the AES key directly is absolutely useless. You need to attack the password or somehow get enough access to read out a key from some cache.

Click to expand...

Being that we are into the 350 billion guesses a second range now (for NTLM), I'd say thats not the case so much anymore. The linked article is in essence a super computer at home, folks who are into this stuff will leverage 4 to 6 GPU's. NSA broke it in 2009. Throw 6x680's and their combined 9,216 cores at a laptop in my possession it'll be broken before you know it..You'd really have to have something on the computer for someone to want to leverage thousands in SW & HW to break your system. the end state is never give someone access to your computer.

http://arstechnica.com/security/201...s-every-standard-windows-password-in-6-hours/

bogatyr said:

The password is in RAM already when in sleep mode - with or without power nap. The only way to steal this would be the DMA attack which Apple blocked in 10.7.2 for FireWire/TB attacks.

Click to expand...

Depends on the implementation but not necessarily. The key could be deleted. The HDD locked down until the login procedure recovers the key from a TPM.
If it is yeah, that might be a problem. I would argue a DMA access is always blocked if they can but there might always be flaws. Side channel attacks or forced memory dumps. If you have the machine a lot is theoretically possible.
Not saying there is a whole but there might be and the ops asked whether there could be an issue.

Being that we are into the 350 billion guesses a second range now (for NTLM), I'd say thats not the case so much anymore. The linked article is in essence a super computer at home, folks who are into this stuff will leverage 4 to 6 GPU's. NSA broke it in 2009. Throw 6x680's and their combined 9,216 cores at a laptop in my possession it'll be broken before you know it..You'd really have to have something on the computer for someone to want to leverage thousands in SW & HW to break your system. the end state is never give someone access to your computer.

http://arstechnica.com/security/2012...rd-in-6-hours/

Click to expand...

It is one thing to generate loads of hashes of passwords and quite another to decrypt something with a 256bit key. Rainbow tables of MD5 hashes on password are all over the web. They are already computed for quite a bit of length.
If you use a 6 letter password you might as well not encrypt anything. A 256bit symmetric encryption is quite a different story. If the password is secure, as in long enough and random enough so it won't fall victim to a dictionary attack, you don't even get close to being able to crack 128bit AES with all the computing ressources of the world at your disposal.
Addtionally you usually face the problem that the encryption is actually done with a very random secure hash of the original password. The authentication of the password is done by a not one hash but usually thousands or inside a TPM so as to make this process take quite long. Usually so long that it doesn't annoy the user but long enough so that it isn't so simply for an attacker. A TPM may even limit the tries you can have at it guessing the password. After which you would be left with having to break the actual encryption which uses the hash of the password as key. You simply won't brake that.

You need quite a few cycles to compute the encryption of a block and than you still need to figure out if the key you used gave you the actual original message. That takes quite a bit longer than computing a hash and comparing it. Even if you can somehow reduce the key size with some brake. For AES 128 there is one of complexity with only gets rid of one bit. Quite pathetic.

Just assuming you can actually test accurately 350 billion password per second as the article does with hashes.
With AES 128 to be finished with one year time you need 3*10^20 of these systems. I don't even now what that number is called. Talking about a 256 bit key isn't even necessary.
Say you are done on average when you tried 50% that really only saves you one bit. And then with the 127bit hack 7.7*10^18
You need secure passwords and secure authentification but nobody will brake 256 bit encryption not with all the GPUs in the world hacking at it. Somebody would need to find some huge flaw in AES and this is one of the most thoroughly tested algorithm. They even found some ways but only ones that work on more primitive variations which aren't actually used in the field.

dusk007 said:

Depends on the implementation but not necessarily. The key could be deleted. The HDD locked down until the login procedure recovers the key from a TPM.
If it is yeah, that might be a problem. I would argue a DMA access is always blocked if they can but there might always be flaws. Side channel attacks or forced memory dumps. If you have the machine a lot is theoretically possible.
Not saying there is a whole but there might be and the ops asked whether there could be an issue.

Click to expand...

We are speaking about FV2 - since this is a MacBook with PowerNap enabled. It is in the RAM when the laptop is sleeping - not perhaps. This was a problem when DMA was accessible while in sleep mode via FireWire and Thunderbolt, this problem was fixed in 10.7.2.

So again, as DMA is blocked from 10.7.2 on, where is the security hole in allowing PowerNap?