Question regarding FileVault 2 security/DMA and other attacks

Discussion in 'OS X Yosemite (10.10)' started by neurophysicist, Dec 8, 2015.

  1. neurophysicist, Dec 8, 2015
    Last edited: Dec 8, 2015

    neurophysicist macrumors member

    Jul 20, 2011

    I have used FileVault for some time and believe it is an important piece of securing one's data. Please bear with me, but I have some questions:

    Recently my 2011 MBP was in closed-lid/sleep mode, and I was away from it for a short time (~2 hours) after forgetting my backpack (luckily it doesn't appear anything was taken from my bag). Long story short, someone may have had physical access. I checked the terminal and saw nobody had booted it up since I left it (using the "last" command), and there was no "LidOpen" message in the console indicating the lid had been opened and awakened from sleep other than when I had done so previously that evening. (Nobody else knew my password, and when I unlocked the sleep with my password, everything appeared exactly how it was).

    1. I saw on other threads that DMA attacks on FileVault-equipped Macs via FireWire were previously patched in Lion 10.7.2; is this the case for Thunderbolt as well (Apologies if this is beating a dead horse. One example is Inception, which is blocked via FireWire after Lion but not for Thunderbolt on older Macs.)?

    2. Out of curiosity, in the case a DMA attack is possible, would there be any immediate use to an attacker obtaining the decryption key if they do not reboot the computer (my understanding was that they would have to start the computer in recovery mode to unlock the drive using the decryption key in the terminal or via Disk Utility, though obviously that would mean the computer would have rebooted and my terminal history would have shown it)?

    3. For a non-DMA attack like Thunderstrike 2 (which I understand, to the author's knowledge, is not in the wild), is it required that the computer is rebooted to load malicious code from the option ROM of a Thunderbolt device?

    In short, is there any way an attacker could have obtained data from my FileVault-equipped 2011 MBP, without waking the computer from lid-sleep or rebooting (also not counting opening the MBP and removing the RAM or SSD, or knowing my password), via an external device (SD card, Thunderbolt, USB, etc.)? And if so, would the MBP have recorded activity in the console while in sleep?

    Thanks MacRumors.
  2. vexorg macrumors 6502a

    Aug 4, 2009
    If you believe WikiLeaks then yes, they can hack anything.

    Or if you like Swedish fiction, then one deranged teen can clone your Mac live as you type without you even knowing.

    I don't think the Mac responds to events on the ports when asleep, for USB anyway; you need to open the lid and close it to get any life out of it.

    Does the Mac support hibernate like Windows? That's a more secure way, as it's effectively off. Windows can do that after a preset time if idle.
  3. neurophysicist thread starter macrumors member

    Jul 20, 2011
    Thanks for the response.

    I know hibernation is supported, though I disabled it after I replaced my HDD with an SSD.

    So as far as Inception or any other DMA attack exploiting Thunderbolt and FireWire, because I have hibernation disabled (and thus the contents of memory stay in RAM and are not copied to disk), would an attacker still be able to successfully retrieve the contents from RAM (even though the laptop is not "awake")? Or would the computer have to at least be out of "sleep" for such an attack to be successful? I guess a more pertinent question is whether arbitrary code can be executed by something like Inception if the laptop is still in sleep mode.
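The hibernation point raised in the two posts above (during ordinary sleep the RAM stays powered, so whatever is in it, including the FileVault decryption key, is still there for anything that can reach memory) can be checked with pmset. The following shell script is an added example, not code from the thread or from Apple: it reads the two relevant `pmset -g` keys, `hibernatemode` and `destroyfvkeyonstandby`, from a constructed sample of pmset output (so it runs offline anywhere), and reports whether the machine is set to write RAM to disk, power it down, and discard the FileVault key when it goes to sleep. On a Mac, feed it the live output with `audit_pmset "$(pmset -g)"` instead.

```shell
#!/bin/sh
# Added example (not from the thread or Apple). Audits the two pmset keys that
# decide whether memory, and the FileVault key in it, survive sleep:
#   hibernatemode 25        -> RAM is written to /var/vm/sleepimage and powered off
#   destroyfvkeyonstandby 1 -> the FileVault key is discarded on standby
# Anything else leaves RAM powered and the key resident while the lid is closed.

# Constructed sample of `pmset -g` output for a laptop with the default settings.
SAMPLE_PMSET='System-wide power settings:
Currently in use:
 standbydelay         10800
 standby              1
 hibernatefile        /var/vm/sleepimage
 hibernatemode        3
 DestroyFVKeyOnStandby 0
 sleep                10
 disksleep            10'

# pmset_value OUTPUT KEY -> prints the value of KEY from pmset -g text.
# pmset prints some keys in mixed case, so the comparison ignores case.
pmset_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# audit_pmset OUTPUT -> prints one finding per key; returns 0 only when both
# settings are hardened, 1 otherwise.
audit_pmset() {
    mode=$(pmset_value "$1" hibernatemode)
    destroy=$(pmset_value "$1" destroyfvkeyonstandby)
    rc=0
    case "$mode" in
        25) echo "hibernatemode=$mode: RAM is written to disk and powered off on sleep" ;;
        *)  echo "hibernatemode=${mode:-unset}: RAM stays powered during sleep, memory contents remain live"
            rc=1 ;;
    esac
    if [ "$destroy" = "1" ]; then
        echo "destroyfvkeyonstandby=1: FileVault key is discarded on standby"
    else
        echo "destroyfvkeyonstandby=${destroy:-unset}: FileVault key is kept in memory during standby"
        rc=1
    fi
    return $rc
}

# Run against the constructed sample; on a Mac replace SAMPLE_PMSET with "$(pmset -g)".
audit_pmset "$SAMPLE_PMSET" ||
    echo "Not hardened. On a Mac: sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25"
```

The trade-off is wake time: with hibernatemode 25 the machine restores from the sleep image and asks for the password before the volume is usable again, which is exactly the "effectively off" state vexorg describes, and the cost is a slower wake than the default mode 3.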