MacLockPick utility extracts passwords
updated 11:10 am EDT, Fri April 27, 2007
MacLockPick released
SubRosaSoft.com today released MacLockPick, a new live forensics tool for extracting passwords, internet history, and system settings from Mac OS X systems. The utility is designed for law enforcement professionals to perform live forensics and is based on a USB Flash drive that users insert into a suspects Mac OS X system -- running or sleeping -- to extract data from the Apple Keychain as well as system settings, providing examiners with fast access to critical information with as little interaction or trace as possible. MacLockPick is priced at $500 for licensed investigators, or $450 for State and local law enforcement professionals. Licenses for Federal law enforcement officers as well as purchases of five or more copies are available for $400 each.
The software compiles a database of the suspects information on the Flash drive to allow for easy transportation away from the suspect system, which is accessible via included log readers on other Mac OS X, Linux, and Microsoft Windows systems.
The application works to obtain Apple Keychain passwords including those for the logged in user, general passwords such as encrypted disk images or Wi-Fi base stations, and internet-related passwords including login and password details for websites as well as email accounts.
File and folder details collected include folder dates with a list of all the key user folders along with their creation, last modification, first access, and most recent access dates. Paths to the most recent disk images that were mounted on the subject Mac are also collected, with full paths to recent files viewed in the Preview program and file names for recently viewed QuickTime movies.
MacLockPick extracts the subject's instant messaging default login for iChat as well as a complete buddy list, including buddies who were already deleted. Email information is also collected, including account details with login names and server addresses used alongside Address Book contents -- including contacts that were deleted.
The utility also collects Web history and preferences such as search strings or cached bookmarks, and hardware preferences including iPod serial numbers that were connected to the Mac or Bluetooth devices that were paired with the system.
Big Brother is watchng:
04/27, 11:19am reply
This is hardly a cheering development. I wonder if some enterprising person will quickly release an effective countermeasure somewhere on the whispernet.
Privacy advocates...what do you think??
Cubester
Fresh-Faced Recruit
Joined: Jun 2001
Only law enforcement?
04/27, 11:37am reply
How long befrore it's floating around the net?
guzzi
Fresh-Faced Recruit
Joined: Jun 2006
filevault
04/27, 11:42am reply
I thought that filevault would prevent this. The article makes no mention of it. From what I understood, file vault was impenatrable (although I have never used it).
dynsight
Fresh-Faced Recruit
Joined: May 2005
Interesting
04/27, 11:45am reply
Well, privacy issues can be debated forever. I'm curious about this from a technical aspect though. How exactly can it extract data from a sleeping machine? It's a USB device that initiates a program as soon as it's inserted? I'm unaware of any way to do this. Any thoughts on how this could actually work?
simdude
Fresh-Faced Recruit
Joined: Jun 2004
Missing feature...
04/27, 11:46am reply
Ready-to-print warrant templates.
sammaffei
Fresh-Faced Recruit
Joined: Sep 2004
ROOT ACCESS
04/27, 12:03pm reply
I would guess the USB "drive" has a QuickTime auto-launch to run the utility, which uses an OS vulnerability to log in as root.
suhail
Senior User
Joined: Nov 1999
Disable USB?
04/27, 12:06pm reply
I wonder if one can disable USB ports via Terminal or AppleScript? Put a complex password in there for good measure. Of course, any decent hacker can reboot and gain root access.
Cubester
Fresh-Faced Recruit
Joined: Jun 2001
physical access
04/27, 01:12pm reply
In the hands of a professional, having physical access to a machine will pretty much guarantee that it will be compromised. That being said, this little program will allow common thieves to do such. I hope Apple plugs whatever hole they are using. Sorry SubRosa, bad product idea.
si_lance
Dedicated MacNNer
Joined: Nov 2003
Requires logged-in user!
04/27, 01:27pm reply
Reading the product page... This requires a user to be logged in to use this product. The investigator manually launches the application on the flash drive (no autolaunch here).
If your Mac requires your login password at startup, wake-from-sleep, or returning from screensaver your system should (from what they're saying) not be vulnerable to this product if in those states.
The single most interesting "feature" is that this product can apparently determine the login password of the logged-in user. If that password is available anywhere, this is a security problem Apple should fix. Once the login password is known, then everything else is wide open and this product isn't doing anything unique (other than saving the investigator many manual steps).
If you don't use Filevault, it's a trivial thing to image your hard drive then (from the image) gain access to most files. Accessing the keychain contents is not possible (or at least not easy) without the login password, but everything else is wide open. The purpose of Filevault is to protect all user items.
Moral of the story... If you have private data on your computer, the minimum security you should use is to deactivate auto-login, and require password at wake-up/screensaver. Filevault is an excellent bonus but has a slight performance and reliability impact.
mitchcohen
Fresh-Faced Recruit
Joined: Aug 2005
Oh yeah...
04/27, 01:29pm reply
An important addition to my above comment - be sure your computer is in some mode that requires your password upon your return. Not doing so is practically an invitation for others to fiddle with your Mac.
mitchcohen
Fresh-Faced Recruit
Joined: Aug 2005