updated 12:25 am EST, Thu February 2, 2012
Forensic tool can unlock Mac disk in under an hour
Passware, a forensic software developer whose Windows-only product is aimed at law enforcement agencies and other data-recovery specialists, has noted that its software can decrypt Apple's FileVault encryption technology by extracting the login credentials from the live system memory of a Mac over a FireWire connection. The company says that if the credentials are still in RAM, the process will take no more than 40 minutes regardless of password strength, CNet reports.
Apple's original implementation of FileVault, which encrypted the user's home folder, was widely considered to be problematic: it sometimes became corrupt or refused to accept the password, and a misremembered or lost password was unrecoverable, along with the encrypted data. Apple revamped the concept in Lion with FileVault 2, a whole-disk encryption scheme that stores the password and encryption keys on Lion's recovery partition. Whenever a FileVault-encrypted system is booted up, users must provide the FileVault password, which is generally held in RAM for some time afterwards and retrieved when the computer is shut down again.
The vulnerability that Passware exploits is the same one that was discovered to affect the original FileVault and other disk-encryption schemes like TrueCrypt. The actual encryption scheme used by FileVault 2, XTS-AES 128-bit, is exceptionally secure apart from the newly rediscovered vulnerability of the login credentials.
Passware's software, like that of many of its competitors, costs over $1,000, meaning the technology needed to extract such information would not be available to casual thieves. The software is also able to extract passwords from encrypted Keychain files, making it possible to examine user accounts and other passwords.
The vulnerability, however, raises questions about the security of Macs and their data for classified, corporate and other top-secret uses, particularly in legal settings. Secondary steps beyond FileVault, such as using encrypted disk images with offsite-stored passwords, may be recommended for highly sensitive data. [via CNet]