FileVault vulnerable to RAM hack

updated 10:10 am EST, Fri February 22, 2008

FileVault RAM hack

Apple's FileVault is among the encryption technologies that may expose its secrets in RAM, suggests a paper produced at Princeton University. Through several experiments, computer scientists with Princeton discovered that many computers leave encryption data in RAM during two vulnerable states: powering down, and rebooting. While accessing data after power-down requires super-cooling the RAM and transferring it to another machine for examination, the reboot phase may be more easily exploitable.

During this phase, Princeton researchers were able to use small kernel files to help salvage memory and dump it to permanent storage, in some cases using USB drives, or a netboot infrastructure. From there it was possible to extract temporary decryption information, compensating for errors by relying on some of the common behaviors of encryption software.

Aside from FileVault, other encryption formats that were cracked included TrueCrypt, dm-crypt, and Windows Vista's BitLocker. Researchers managed to crack and mount a BitLocker volume in 25 minutes. FileVault did not fare much better, however: it was not only broken but also revealed multiple copies of the login password.

At present, no easy fix for the vulnerability is available. It is suggested, in fact, that computers will need either new hardware or a radically different encryption scheme, and even these might merely make an attack more difficult.

by MacNN Staff





  1. danviento

    Joined: Dec 1969


    so for the avrg person...

    what does this mean? Oh, if you have an easy password and your machine gets stolen, even if you have your files locked under file vault, some of it may be read. Of course if you were smart enough not to make your password (or the root password) obvious, then this is a non-issue. They don't have access to the files- just a machine in need of a disk wipe and os reinstall.

    To the business that might leave access to its machines open to the public, it may again be an issue if passwords are compromised.

    For the time being, especially without any researchers' applied vulnerabilities statements (from a 3rd party, not a security bloatware vendor), this story is just a FUD monger.

  1. Guest

    Joined: Dec 1969


    problem solved!

    all we need are ram cards with acid pellets. If you attempt to remove a card without a proper shut down then the card will dissolve. Like in Mission Impossible :-)

  1. shawnce

    Joined: Dec 1969



    This has nothing to do with how good or bad your password is (how hard it is to guess). You should read the article.

    These researchers have demonstrated that by chilling the RAM chips in a system they can preserve the contents of data in the RAM chip long enough to boot up the system with a special kernel that can save off the data.

    This is nothing really specific to FileVault, Mac OS X, Windows, etc.; it is simply exploiting an assumption that most vendors make in that information in RAM will be lost across power cycles.

  1. climacs

    Joined: Dec 1969


    avg person

    while I agree that the average person is not vulnerable to this kind of attack - you'd have to be one seriously motivated hacker to bother with this - I would disagree that this is mere FUD. This is the kind of serious security research which leads (hopefully) to more secure computing. Even though it's an obscure hack, it's always good to know a system's vulnerabilities so that they can be eliminated or minimized in the future.

    As an additional note, most security systems - whether computer-related or as mundane as the lock on your front door or the alarm system on your house - can be defeated in some manner. It's usually a question of the degree of difficulty, with the goal being to make breaking in so inconvenient that it will deter most crooks/hackers and motivate the really, really determined and capable ones to go find easier targets.

  1. Guest

    Joined: Dec 1969


    secure virtual memory

    Does anyone know if using secure virtual memory (an option not on by default) defends against this attack?

  1. das

    Joined: Dec 1969


    secure virtual memory: no

    No, this has nothing to do with virtual memory. Virtual memory is on-disk, and is subject to a different kind of attack. This is an attack on RAM, and it is EXTREMELY obscure and requires cooling the RAM by spraying it with a coolant, removing it from the machine, and placing it in another machine with custom software designed to read the contents of the RAM in the hopes that an encryption key can be recovered. ALL encryption on ALL hardware, platforms, and operating systems is vulnerable...not just "FileVault".

    There is one simple and easy fix if you are that concerned about this kind of attack: when your machine is not in use, shut it down instead of putting it in sleep/standby mode. The contents of RAM are (more likely to be) lost, and the encryption key is thus not recoverable.

    So no, this isn't "FUD", but this is a very difficult and obscure attack that would have to really be targeted at an individual, and is the stuff of government and industrial espionage, not someone getting their laptop bag stolen. Fixing this shortcoming would require a lot of changes in terms of assumptions made about RAM states and so on. It's an interesting discovery, and definitely could have important implications for extremely critical and sensitive data that may be actively targeted by an adversary. But for the normal encryption user, this is, in all practical and real respects, meaningless.

  1. testudo

    Joined: Dec 1969


    re: svm: no

    > ALL encryption on ALL hardware, platforms, and operating systems is vulnerable...not just "FileVault".

    Not necessarily. The point of secure VM is that it encrypts the memory data before writing it to disk. It all depends on how the encryption information used in an encryption system is stored in memory. If it is dealt with "correctly", it would be expunged from memory after it is used (or at shutdown), being overwritten and all that stuff. Only those who leave it in memory would be affected (which probably is everybody).

    > There is one simple and easy fix if you are that concerned about this kind of attack: when your machine is not in use, shut it down instead of putting it in sleep/standby mode. The contents of RAM are (more likely to be) lost, and the encryption key is thus not recoverable.

    Based on what I've read, that's not true. (That's like saying wiping a drive with all zeroes makes the data unrecoverable).

  1. ender

    Joined: Dec 1969


    physical security

    Any computer that contains data valuable enough to make it worth going through all that trouble should also be in a physically secure location. This technique requires that I'm logged into my FileVault account while leaving my computer in a location that someone has the time to chill the RAM to -50 deg and quickly transfer it to another machine to try and read the data. And the option to read the RAM in place requires that they've installed kernel files, suggesting that your machine has already been compromised anyway.

  1. ViktorCode

    Joined: Dec 1969


    very unlikely

    There are so many hack methods that require less work and provide better results... Supercooling the memory beyond scientific research is just wasting your resources.

  1. Eldernorm

    Joined: Dec 1969


    Hey, I saw that movie

    Yea, they were looking down from a satellite and saw you type in your password and then they send agents to kidnap your computer by gassing a city block with stolen nerve gas.

    Or like the time they used infrared to take a picture of the keyboard used to enter a password to the vault (why not a key pad, I do not know ??) to see which numbers were entered and then break into the vault.

    Yea, I like those kinds of shows where it only takes 2 million in technology and talent to steal 1 million in cash (which gets cut to $500,000 since it's stolen money and needs to be fenced. :-) )

