Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Filevaulted Lion NOT secure - passwords can be extracted via Firewire

That's not supriseing since FireWire can give DMA.

Windows BitLocker has the same vulnerability. One of Microsofts solutions is to disable a driver that allows this. - http://support.microsoft.com/kb/2516445

Another type of physical attack is freezing the RAM and transplanting it into another computer where a cracking program dumps it's content and searches for the key.

Nothing is as secure as company's would have you think. :p
 
But unless someone has an additional 1,000 dollars they want to spend to get that kit, I'm not too worried.
 
If I understand this correctly the described attack cannot succeed if users shut down their computers instead of just putting them to sleep or locking the screen.

So it should become best practice to shut down your computers if you care about this security aspect.
 
So suppose I kept records of all my transactions to my Swiss bank accounts (LOL... I wish) on my Mac's drive, encrypted with Filevault2, with a good 30-40 character password, how secure is my information?

Just curious..

crash
 
Tutorer said:
If I understand this correctly the described attack cannot succeed if users shut down their computers instead of just putting them to sleep or locking the screen.

So it should become best practice to shut down your computers if you care about this security aspect.
Click to expand...

I think we have a winner. I noted that when I read the article. Don't panic when you read about exploits.
 
crashmaster1 said:
So suppose I kept records of all my transactions to my Swiss bank accounts (LOL... I wish) on my Mac's drive, encrypted with Filevault2, with a good 30-40 character password, how secure is my information?

Just curious..

crash
Click to expand...

Very secure. Pretty secure. I have no idea. Is your password written on a piece of paper taped to your monitor?
Just follow common security "best practices" and you will be fine and so will your Swiss investments. :D
 
mrapplegate said:
Very secure. Pretty secure. I have no idea. Is your password written on a piece of paper taped to your monitor?
Just follow common security "best practices" and you will be fine and so will your Swiss investments. :D
Click to expand...

LOL... thanks. I keep all my passwords in the safest place - my head. The only reason I'm asking is my neighborhood had a rash of break-ins. I live outside the city and everyone used to keep their doors open, leave tools out in the garage, etc. but no more. Five people were burglarized around me - I was the one lucky person not hit by the thieves, and just want to feel my information on my Mac is somewhat secure.

crash
 
crashmaster1 said:
LOL... thanks. I keep all my passwords in the safest place - my head. The only reason I'm asking is my neighborhood had a rash of break-ins. I live outside the city and everyone used to keep their doors open, leave tools out in the garage, etc. but no more. Five people were burglarized around me - I was the one lucky person not hit by the thieves, and just want to feel my information on my Mac is somewhat secure.

crash
Click to expand...

Your data is safe. Good luck with the other problems. Hope the police can help get your neighborhood back in order.
 
mrapplegate said:
Your data is safe. Good luck with the other problems. Hope the police can help get your neighborhood back in order.
Click to expand...

Thanks! I built this house out here trying to get away from all of that. At least no-one got hurt during the break-ins - the burglars broke in at night while people were sleeping and grabbing whatever they could carry. The best part is three county sheriffs share a house right down the road from me...

crash

PS: Sorry for getting off-topic...
 
crashmaster1 said:
So suppose I kept records of all my transactions to my Swiss bank accounts (LOL... I wish) on my Mac's drive, encrypted with Filevault2, with a good 30-40 character password, how secure is my information?

Just curious..

crash
Click to expand...

only alien technology would be able to crack your password :D
https://www.grc.com/haystack.htm

as long your password have upper and lower cases letter, numbers, and special characters, you're set.
 
God forbid they hack into my computer! They would have to see boring family photos, boring school documents, and outdated music. But if that's your cup of tea.. have at it!
 
Guys this hack only works if the hacker has physical access to your computer, your computer is on/in standby (Suspend to RAM mode) and has a FireWire port (you also need the hacking software).

Your HD's encryption key is stored in the computers RAM while it's powered on. And because the FW spec has Direct Memory Access a clever person can use FW to access the memory contents and extract the key.

If you have a FW port, the way to protect yourself is to turn your computer off if your not in front of it or when you go to bed. When not powered, the data in RAM fades in 10-90 seconds (that's why it's called volatile memory).

This has nothing to do with your password. Although if your password is very simple it can still be hacked with brute force.
 
Last edited:
Quad5Ny said:
Guys this hack only works if the hacker has physical access to your computer, your computer is on/in standby (Suspend to RAM mode) and has a FireWire port
Click to expand...

So, pretty much the scenario most folks will find themselves in when their computer gets stolen from their house while they're at work. I'm really going to close all apps and SHUT DOWN every single day? So, what exactly is the point of Lion's new Filevault 2 (which encrypts the entire hard drive), if physical access to my computer results in the bad guy having all my info? Before you answer: "if they have physical access, it's all over," remember that I'm asking WHAT IS THE POINT of an encrypted hard drive in this case?
 
Schtibbie said:
remember that I'm asking WHAT IS THE POINT of an encrypted hard drive in this case?
Click to expand...
You already answered your own question... If badguys have access to your stuff, then it's over. What you're asking is like, WHAT IS THE POINT of locking your car if thieves get hold of your keychain.

Anyway, this is all rather technical stuff. Only a very select few would know enough about computers to know about this hack and try to use it. Your encrypted drive's going to be safe against at least 99.99% of all burglars even if you leave it in standby mode.

Or you could fill your firewire port with epoxy, that's also an option if you're extremely paranoid (and don't intend to use it). :D
 
Schtibbie said:
So, pretty much the scenario most folks will find themselves in when their computer gets stolen from their house while they're at work. I'm really going to close all apps and SHUT DOWN every single day? So, what exactly is the point of Lion's new Filevault 2 (which encrypts the entire hard drive), if physical access to my computer results in the bad guy having all my info? Before you answer: "if they have physical access, it's all over," remember that I'm asking WHAT IS THE POINT of an encrypted hard drive in this case?
Click to expand...

This is actually about a year old. Any computer with a FireWire port is susceptible. Windows, Linux, Mac.

If you absolutely need to secure yourself to this exploit, use a computer without a FireWire port (i.e., MacBook Air) or take a drill to the FireWire port and physically disable it.

Though if you're that paranoid, even with a damaged FW port, someone could drop your computer in liquid nitrogen, disassemble the machine and tap in to the FW or RAM traces on the motherboard and extract the keys from RAM before the signal faded.

Then again, unless the NSA is after the contents of your laptop, I suspect there's not too much to worry about.
 
xraydoc said:
This is actually about a year old.
Click to expand...
Actually, the issue is far older than that; it's been well known for a long time that the DMA mechanism built into many internal buses and external interfaces are susceptible to exploits like this. Recent CPUs contain a hardware virtualization feature that can if not stop the problem entirely so at least limit the scope of it.

However one workaround - other than wrecking the port itself - is to disable the interface in your operating system. Windows can do this in the device manager (I don't know OSX well enough to tell how/if it can be done there); if the firewire port is disabled I'm pretty sure that would prevent the exploit from working although I haven't tested my hypothesis of course...

Assuming you've set the computer to demand a password upon waking up from sleep, an attacker wouldn't be able to enable the port either. Only way to be mostly safe though is to stick the computer in a bigass ol' safe though, preferably a bank safe deposit box... :p Overkill, yes. But it works - most of the time!
 
Schtibbie, In order to have a live operating system you need Read/Write access to the HD at all times. Because of this the encryption key needs to be stored in RAM while powered on/locked/in standby.

Watch this video, I'm sure you'll find it interesting - http://www.youtube.com/watch?v=JDaicPIgn9U

AFAIK most thief's want to sell the computer ASAP, they very rarely hold onto it. Besides during this time the laptop battery will most likely die and if it's a desktop they will have to unplug it.
 
Bigmacduck said:
Passwords can be extracted from a file vaulted Mac Lion through the Firewire port. Forensic kit available.
http://www.theregister.co.uk/2011/07/26/mac_password_stealer/
Click to expand...

Apple fixed this security problem in OS X Lion v10.7.2:
http://support.apple.com/kb/HT5002

Kernel

Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

Impact: A person with physical access may be able to access the user's password

Description: A logic error in the kernel's DMA protection permitted firewire DMA at loginwindow, boot, and shutdown, although not at screen lock. This update addresses the issue by preventing firewire DMA at all states where the user is not logged in.

CVE-ID

CVE-2011-3215 : Passware, Inc.
Click to expand...

More about DMA --> http://en.wikipedia.org/wiki/Direct_memory_access
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back