A new exploit discovered by F-Secure is said to put “almost all” Mac and Windows laptops and desktops at risk for data theft. The vulnerability even leaves Macs with FileVault turned on susceptible.
As reported by TechCrunch, the firmware exploit has to do with how almost all Mac and Windows machines overwrite data when they are turned off. It is based on a cold boot attack, in which attackers try to steal data from a computer that has been powered off.
F-Secure’s Olle Segerdahl and Pasi Saarinen discovered the firmware vulnerability, which makes it possible to turn off data overwriting. Notably, a malicious party would need to have physical possession of a computer to leverage this flaw.
“It takes some extra steps,” said Segerdahl, but the flaw is “easy to exploit.” So much so, he said, that it would “very much surprise” him if this technique isn’t already known by some hacker groups.
Segerdahl also discovered that in almost all instances it was possible to steal data even if the Mac had the FileVault encryption feature turned on.
After the researchers figured out how the memory overwriting process works, they said it took just a few hours to build a proof-of-concept tool that prevented the firmware from clearing secrets from memory. From there, the researchers scanned for disk encryption keys, which, when obtained, could be used to mount the protected volume.
The researchers previously shared their discovery with Apple, Microsoft and Intel. Macs with the new T2 chip, which include the iMac Pro and the 2018 MacBook Pros, are immune to the flaw.
“Apple said it was looking into measures to protect Macs that don’t come with the T2 chip.” Meanwhile, Intel didn’t respond to TechCrunch on the matter.