Skip to main content

macOS 10.12.2 fixed vulnerability that allowed Thunderbolt device to obtain password from locked Mac [Video]

Security researcher Ulf Frisk has shared details of a vulnerability in macOS 10.12.1 and lower that allowed anyone with physical access to a locked Mac to quickly and easily obtain the password simply by plugging in a $300 Thunderbolt device.

Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the Mac is completely shut down. If the Mac is sleeping, it is still vulnerable.

Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!

Frisk notified Apple back in August, when the company confirmed the issue and asked him to withhold details pending a fix. He reports that the vulnerability is no longer present in macOS 10.12.2, and has now explained exactly how it worked.

The first issue is that the mac does not protect itself against Direct Memory Access (DMA) attacks before macOS is started. EFI which is running at this early stage enables Thunderbolt allowing malicious devices to read and write memory. At this stage macOS is not yet started. macOS resides on the encrypted disk – which must be unlocked before it can be started. Once macOS is started it will enable DMA protections by default.

The second issue is that the the FileVault password is stored in clear text in memory and that it’s not automatically scrubbed from memory once the disk is unlocked. The password is put in multiple memory locations – which all seems to move around between reboots, but within a fixed memory range.

The reboot switches off the DMA protections, but the password is still present in memory for a few seconds – long enough for the device to search for, and retrieve, it. Watch the video below to see it in action.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications