Printed from http://www.macnn.com

FileVault encryption keys easily uncovered, warns Passware

updated 12:25 am EST, Thu February 2, 2012

Forensic tool can unlock Mac disk in under an hour

Passware, a forensic software developer whose Windows-only product is aimed at law enforcement agencies and other data-recovery specialists, has noted that its software can decrypt Apple's FileVault encryption technology by extracting the login credentials from live system memory on a Mac using a FireWire connection. The company says that if the credentials are still in RAM, the process will take no more than 40 minutes regardless of password strength, CNet reports.

Apple's original implementation of FileVault, which encrypted the user's home folder, was widely considered to be problematic, sometimes becoming corrupt or not accepting the password, which if misremembered or lost was unrecoverable, along with the encrypted data. Apple revamped the concept in Lion with FileVault 2, a whole-disk encryption scheme that stores the password and encryption keys on Lion's recovery partition. Whenever a FileVault-encrypted system is booted up, users must provide the FileVault password, which is generally held in RAM for some time afterwards and retrieved when the computer is shut down again.

The vulnerability that Passware exploits is the same as that which was discovered to affect the original FileVault and other disk-encryption schemes like TrueCrypt. The actual encryption scheme used by FileVault 2, XTS-AES 128-bit, is exceptionally secure apart from the newly-rediscovered vulnerability of the login credentials.

Passware's software, like many of its competitors, costs more than $1,000, meaning the technology needed to extract such information would not be available to casual thieves. The software is also able to extract passwords from encrypted Keychain files, leading to the ability to examine user accounts and other passwords.

The vulnerability, however, raises questions about the security of Macs and their data for classified, corporate and other top-secret security uses, particularly in legal settings. Secondary steps beyond FileVault, such as using encrypted disk images with offsite-stored passwords, may be recommended for highly-sensitive data. [via CNet]








by MacNN Staff

Comments

  1. BigMac2

    Joined: Dec 1969

    +9

    Fear culture!

    To sum up, for this exploit to work, you need physical access to a logged-in computer. You still can't crack a FileVault if you're not logged in to it.

  1. prl99

    Joined: Dec 1969

    +6

    another scare tactic

    This technique works on any encryption module when the computer is running, not just FileVault. I read in another article that simply setting a firmware/EFI password blocks Passware. For really sensitive data, the computer is not accessible to this threat except from an insider because the computer never leaves the confines of a physically protected environment. No computer is safe if you can physically touch it, especially if it is running.

  1. hayesk

    Joined: Dec 1969

    +3

    Uhm...

    If you are logged in, can't you just copy the data off of the drive anyway? This is blown out of proportion.

  1. drbroom

    Joined: Dec 1969

    +4

    Hate to be the one who sees the real issue but

    While both BigMac2 and prl99 are correct, the point of the article is that we need to pay attention to the security of our systems. I am just as much a fan of the Mac as any other reader here (maybe even more so) but we do have issues and they need to be addressed.

    If a forensic software company can derive the main password of my system, even if it costs over a grand to do it, I want to know.

    Will it change the way I work with my system? It might but just a little. I will now consider shutting down my laptop when I leave it in my hotel room. OR/AND I might add a second encrypted virtual partition on my drive for extremely sensitive data.

    All it adds up to is more info for me to make an informed decision. I agree that FUD is a big seller but not ALL FUD is wrong. Sometimes it's just good info.

  1. jay3ld

    Joined: Dec 1969

    +1

    @drbroom

    You are avoiding the main issue with the problem in this article. Any and all software is affected by this. Once a password has been entered it is stored in RAM for quick access to continue to decrypt/recrypt information. Otherwise you would have to enter the password every second for any writing or reading it wanted to do.

  1. facebook_Al

    Via Facebook

    Joined: Feb 2012

    -1

    Bank Vault analogy

    OK... you have a bank vault, you unlock the vault, let me walk in and give me 40 minutes of access to the lock mechanism with $1000 in tools. Afterwards I know the combination and declare your vault unsecure.
    WOW!!!

  1. testudo

    Joined: Dec 1969

    -1

    Re: another scare tactic

    The only one doing a scare tactic is possibly MacNN, for over-stating the headline. The Passware folks are just releasing what they do.

  1. testudo

    Joined: Dec 1969

    -3

    Re: Uhm

    And, gee, I just read how FileVault actually works.

    You could have, say, 10 user accounts on your computer. When setting up FileVault, you specify which accounts can decrypt the disk. Say it's just Fred. So, any time any of the 10 want to use the computer, when it turns on, they need to get Fred to enter his password to allow the computer to boot.

    At that point, Fred's password is in memory and stays there. Fred never actually logs into the computer (in fact, no one has to log into the computer). It could just be sitting there at the login screen, all safe and secure. Except it isn't, because you can hook up this software and get the password.

    So, to point the obvious out now:
    - No, you don't have to be logged in, so you couldn't just copy the contents from Fred's home directory.
    - Yes, you can crack the computer if you're not logged into it (though, yes, you need physical access - amazing how everyone always brings that up, like that's the panacea to all problems, because everyone always has 100% ownership of their Macs at all times).
    - No, it's nothing like your bank vault analogy, because this is more "You unlock the bank, let me in, and in 40 minutes I can get into the vault because you wrote the combination down on your desk blotter and it took me that long to decrypt your mediocre cipher."

  1. BigMac2

    Joined: Dec 1969

    -1

    @testudo

    Small-minded security firms who sell their exploits love those kinds of stunts for free publicity coming from the blogosphere. It's always seen as good news to bash any OS security besides Windows (no one cares anymore about Microsoft security).

    I see this stunt as a non-issue for common users because a real-world situation where this could be done without the user's knowledge is almost nonexistent. This attack can't be done from a trojan on the hacked computer; you need a separate PC with a FireWire hook and you need the user to log in to his account. If the computer is stolen or confiscated by authorities and powered off or rebooted, it won't work. I'll give you a better way to steal a password from users: make a fake password box and ask the user to enter it. This is what every phishing site is doing, and it works well for dumb users.

  1. testudo

    Joined: Dec 1969

    -2

    Re: @testudo

    Small-minded security firms who sell their exploits love those kinds of stunts for free publicity coming from the blogosphere. It's always seen as good news to bash any OS security besides Windows (no one cares anymore about Microsoft security).

    Gee, and it always seems like Apple fanboys always love to bash security companies if any of them even hints that OS X might have a vulnerability. And even if they did find one, they'd mention how Windows has so many more, so it shouldn't count and the security company should have mentioned that.

    I see this stunt as a non-issue for common users because a real-world situation where this could be done without the user's knowledge is almost nonexistent. This attack can't be done from a trojan on the hacked computer; you need a separate PC with a FireWire hook and you need the user to log in to his account,

    First off, YOU DO NOT HAVE TO HAVE THE USER LOGGED INTO HIS ACCOUNT! Geesh. A user needs to have booted the computer, which FileVault requires a user to type in their password to decrypt the drive. Not all users of a computer can do this. In a school, for example, the admin might turn on the computer and decrypt the drive, then leave it on for other users (even admins) to use, without having decrypt permission. But they can use it because the first guy's password is in memory!

    Second, this exploit does NOT need another computer with a FireWire connection and all that c***. The exploit just attacks memory. This particular PRODUCT works that way, because it allows law enforcement to get the password without having to log into the computer. But the exploit could be used by others in other ways.
