A California software maker has released a program that quickly recovers login passwords from Macs, even when running Apple's completely overhauled OS X Lion, that have been locked, put into sleep mode, or have FileVault disk encryption turned on. Passware Kit Forensic v11 works by capturing a Mac's computer memory over …
Time to use that tried and trusted enterprise security method that also works for USB ports.
Honestly, which security-oblivious idiot would build DMA into a port? Oh yes, it was developed by Apple.
I'm sure Jobs only ended up choosing to base Mac OS X on NeXT and base NeXT on BSD because of the licence. Lucky for him.
There are a number of other external bus mastering interfaces out there, notably eSATA, Thunderbolt/Light Peak, and newer PCMCIA and its successors (including Compact Flash). This is not by any means solely an Apple issue, though for the moment Apple is the only manufacturer besides Sony who generally has these sorts of ports on non-laptop devices.
A proper corporate environment will have its ports disabled by software - you can remove superglue with acetone. You've been able to disable USB ports on Windows since USB was supported (in the NT line) just by changing the access permissions on the USB DLL.
Turning off DMA?
http://manuals.info.apple.com/en_US/Leopard_Security_Config_2nd_Ed.pdf (Page 48)
Turns out, as of Leopard or possibly before (So, what, 2007?) setting a firmware password will turn off DMA access for firewire and other external devices. So while this attack is possible by default, it's not as if this issue hasn't already been addressed years ago.
Heck, you can disable the ports via firmware. So save yourself the superglue.
Insecure by default unless you know about the problem and find the setting
So that would place Apple back at about XP SP1 in Microsoft's security terms.
(And indeed most of the options in the security preferences are off by default in a new installation.)
So that means…
So that means that you can steal passwords from people's machines… unless they are security conscious enough to have them password protected.
I *think* it means that should you be important enough, someone could get at your creds by switching out your firewire connection with a custom-made one c/w small chip o' cleverness built in and rifling your mac while you blithely type in the passwords you need to get into your own machine.
Nope; that would be a rather more basic attack which works on any peripheral interface. The issue here is that on devices with a bus-mastering interface such as Firewire, Thunderbolt/Light Peak or eSATA, an attacker can simply read the machine's memory by plugging something in; there's rarely any security here because bus-mastering was originally intended for presumed-safe internal devices (and it's unclear how such security would work, anyway).
Bottom line; if someone getting access to an important machine while on and unattended is an issue for you, disable these interfaces.
I may be missing something ..
but why doesn't Mac OSX use salted hashed passwords?
Re: I may be missing something
Because it keeps them in memory, to decrypt HDD. To be secure from such attack you'd need to use hardware tokens.
It keeps plain text passwords in memory - good grief!
Gentlemen, start your engines!
Yet another free Advert Campaign
Before you get your bangers on... know this... the same kit also applies to Windows. It's an age-old issue. In simple terms.... worded in such a way as to get free advert from the blog-sphere.
It is a basic flaw in the design of FireWire that allows it to become in effect bus master to go anywhere in memory by virtue of DMA. It was covered some years ago on El Reg.
Things like ASLR make it slightly harder, and how much caching of passwords your OS performs alter the ease of attacking, but essentially it will also apply to all OS on any machine with FireWire that an attacker has 'local' access to.
Having said that, a number of years ago when developing a USB device for XP, not only did I blue-screen the OS with just my dongle (using MS' own USB stack, etc) but I also succeeded in wiping the HDD's MBR and rendering the machine unbootable! Had I been interested and skilled in things black-hat, what more could I have achieved?
So malicious access is not restricted to badly thought through (from a security perspective) peripheral hardware :(
In general, if the attacker has got even short term physical access, you have little hope of escaping with most computers.
shoots self in foot...
"Had I been interested and skilled in things black-hat, what more could I have achieved?"
A Darwin award ?
Does not work on Windows
Ummm, no, Windows does not leave passwords in memory, and hasn't for years.
Because this is only one way of recovering passwords from memory, and recovery of data from memory has been demonstrated many times by increasingly sophisticated malware.
Writing your own application, you could choose to leave passwords in memory, but if you wrote anything in the last 10 years you would do it the correct way, and use things like SecureString or SecurePassword, CryptProtectMemory, or SecureZeroMemory.
Even for talking to third-party cross-platform software that requires plain-text passwords, you would use reversible encryption and zero the memory immediately after, but that is not required for native Windows applications.
The advantages of having a system regularly hacked is you find ways to deal with problems when one level of security is breached (eg, they got in, but cant get the passwords from memory).
Now, other operating system authors have a choice. They can incorporate these safety measures into their software, just in case. Or can sit back acting smug and wait to be robbed.
Looks like they went for option number 2 on this one...
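The Windows APIs named in the post above (SecureZeroMemory, CryptProtectMemory) have no direct equivalent on other platforms, but the discipline behind them is portable. The following C example is added here and is not code from the original thread, from Apple or from Passware: it shows a small credential holder with a wipe that the compiler cannot optimise away (a volatile-pointer loop standing in for SecureZeroMemory), a constant-time comparison, and a check that the wipe actually happened. All names (credential, secure_zero, credential_set, credential_check, credential_clear, credential_is_clear) and the sample password are my own assumptions for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 64

/* In-memory credential holder (example type, not from any real library). */
typedef struct {
    unsigned char buf[PW_MAX];
    size_t len;
} credential;

/* Portable stand-in for Windows SecureZeroMemory(): writing through a volatile
 * pointer keeps the compiler from dropping the wipe as a dead store, which it
 * may do for a plain memset() on memory that is never read again. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Copy a password into the holder. Returns 0 on success, -1 if it is too long. */
int credential_set(credential *c, const char *pw) {
    size_t n = strlen(pw);
    if (n > PW_MAX) return -1;
    secure_zero(c, sizeof *c);      /* also zeroes any struct padding */
    memcpy(c->buf, pw, n);
    c->len = n;
    return 0;
}

/* Constant-time comparison: look at every byte of the shorter string and fold
 * the length mismatch in, so timing does not reveal where the first difference is.
 * A cleared (empty) holder never matches anything. */
int credential_check(const credential *c, const char *attempt) {
    if (c->len == 0) return 0;
    size_t alen = strlen(attempt);
    size_t n = alen < c->len ? alen : c->len;
    unsigned char diff = (unsigned char)(alen != c->len);
    for (size_t i = 0; i < n; i++) {
        diff |= (unsigned char)(c->buf[i] ^ (unsigned char)attempt[i]);
    }
    return diff == 0;
}

/* Wipe the credential the moment it is no longer needed. */
void credential_clear(credential *c) {
    secure_zero(c, sizeof *c);
}

/* Returns 1 if every byte of the holder (password, length and padding) is zero. */
int credential_is_clear(const credential *c) {
    const unsigned char *raw = (const unsigned char *)c;
    unsigned char acc = 0;
    for (size_t i = 0; i < sizeof *c; i++) acc |= raw[i];
    return acc == 0;
}

int main(void) {
    credential cred;
    const char *typed = "correct-horse-battery";   /* constructed sample password */
    if (credential_set(&cred, typed) != 0) return 1;
    printf("good attempt matches: %d\n", credential_check(&cred, typed));
    printf("bad attempt matches:  %d\n", credential_check(&cred, "correct-horse-batterz"));
    credential_clear(&cred);
    printf("holder wiped:         %d\n", credential_is_clear(&cred));
    return 0;
}
```

This only shortens the window: while the password is live in the holder a DMA capture of RAM still finds it, which is exactly why the advice in the article is to power the machine off rather than lock or sleep it. Wiping promptly means a capture taken after authentication has nothing to harvest from this buffer, and the constant-time compare avoids leaking the secret through a second, unrelated channel.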
Wow talk about old!
I remember this being demo'ed back in 2004!
For reference, when this hack came about the ipod 3G had just come out!
It works on any OS with DMA enabled via firewire, including Linux/OSX. Used to unlock people's WinXP machines by using the FW port. Their faces were priceless!
Anyway, this was by design. Any bus that allows DMA (including PCI/cardbus/pcmcia) allows this hack, and it's been in use for many many years. Firewire made it easier due to the plug and play nature, but it wasn't new.
Despite this though, we still used fw for ages (still do actually) because of its lower overhead and its DMA capability.
The same thing that allows this hack allows remote DMA (accessing the contents of RAM from one machine on another remote machine). This was pretty much the preserve of infiniband supercomputers with skyhigh prices to match. The fact we could do the same thing for about 50 quid using firewire more than made up for this security hole. Built our uni cluster using this feature.
Such a shame it never caught on as well as USB though. I hear that thunderbolt offers the same DMA features* (also being a bus-based interconnect), which makes me happy. The idea of a 10gbit/s interconnect at consumer prices for the next cluster I build sounds awesome!
Remember one thing about security. If your attacker has physical access that's the end, they can get in.
*Note: Newer processors are developing what is being called an IOMMU, which will control/protect certain areas of memory from being altered or read by external devices, which should actually put a stop to these attacks. The older processors did not offer this, so were vulnerable to this attack.
If done correctly thunderbolt will not have this security hole, while offering similar features and a lot of speed. What's not to like?
IOMMU on SPARC for years
While not sure about other SPARC processors, the US-IIIi had IOMMU when first shipping ca 2003. Pity that Intel took a number of years to catch up.
Or, of course...
If you've a computer unattended in a physically insecure area which you're particularly worried about, then disabling any interfaces with DMA (eSATA, FireWire, some SCSI, Thunderbolt/Light Peak, PCMCIA), or at least disabling DMA on them, is probably a good idea, unless you're actually using them.
I'm actually rather surprised that DMA is (apparently) not available on Macs when no user is logged in; I'd say that's a nightmare for driver authors.
Story appears to contradict itself
In Lion, turning FileVault disk encryption on has the effect of disabling automatic login. So if the latter defeats the vulnerability then, contrary to the article, the former isn't vulnerable.
That aside, Firewire was designed when people were still very naive about security and manages to be faster than USB mainly by keeping the CPU out of the loop, so I'm not sure Apple can fix this in software. Hopefully Apple and Intel have been smarter with Thunderbolt, but we'll see.
Physical access to the machine means all sorts of hacks are possible, regardless of OS.
Lock your computer behind a door if you are really bothered.
In Linux I remember getting root access without password by dropping into LILO or Grub and entering single user mode.
LILO or GRUB?
Which even-remotely-sensible system allows you to enter that sort of runlevel without asking for root auth first? I've never seen a sensitive *NIX system that could be rebooted by anyone but root (apart from pulling the plug, but then you'd need the root password to boot, shirley).
One of the common uses of single user login is to recover from the case where the superuser (root) password has been forgotten. Almost all systems have a bypass method that requires physical access at boot time to get round the case of a lost password. As for rebooting the system - the reset button on most PCs will work fine - if not then use the power switch.
(Even on the VAX and Alpha VMS computers (far more secure than most UNIX type systems) there was a documented method for resetting the SYSTEM password if it had been lost. It required physical access to the console of the computer and as with the LILO/GRUB methods involved modifying the boot sequence to get root access without the password.)
This is quite a gaping hole though
Summary of the article: lock down your machine all you want and in as many ways as you can, someone can still stroll along, plug in a dongle and take an image of your RAM. Furthermore, in OS X in particular they can use that image to find your password and thereby have unfettered access to everything else — though just the RAM bit is a major concern.
Yes, but really how likely is it?
Number of internet-based machines potentially able to reach you = billions.
Cost of software based attack = very small.
Chance of internet-based attacker being caught = negligible (using infected PCs, foreign jurisdiction, etc).
Number of attackers with physical access = small.
Cost of hardware based attack = modest.
Chance of physical attacker being caught = significant (CCTV, fingerprints, etc).
So for most folk who don't have anything of interest to the security services or heavy weight industrial competitors, it is not a big deal. If you do, then times are interesting...
Stop calling me Shirley
I've never played with any truly big iron, but every single UNIX like server I've ever used has never required a password to boot up.
If you are at the console, you can reset the machine by interrupting power or the reset button, and getting a single user root shell is trivial:
* 'boot -s' at boot prompt for most BSD variants
* append 'single' to the kernel line in GRUB
* 'linux single' at the LILO boot prompt
* 'b -s' from the Solaris boot prompt
* 'boot -fl s' from Tru64 boot prompt
None of these will require a password to boot into single user mode. The point is, if you can access the machine or the machine's console, you already have full access to it.
If you start a Linux box in single-user mode, it will normally ask for the root password before letting you run any commands.
However, on most Linux machines, if you give the kernel the parameter init=/bin/sh
(it's normally init=/bin/init)
then the kernel will run a shell as the start process. This will let you have root access without a password. Grub/Lilo can be configured to need a password to edit the boot parameters; most distros don't set it by default.
After starting the machine this way, it hasn't fully initialised yet, doing so is left as an exercise to the interested reader...
If you have physical access to the machine you can just take the drives out of it, and put into another machine, unless the drive itself has the ATA password enabled.
The worrying thing about this attack is that it leaves no trace - rebooting a machine is normally obvious when its owner comes back.
Re: Password recovery
>One of the common uses of single user login is to recover from the case where the superuser (root) password has been forgotten
That's just sloppy. One of the common use of single user login is to perform some maintenance when something went horribly wrong with the system. If you forgot the root password and don't keep a hardcopy locked somewhere, tough luck.
>As for rebooting the system - the reset button on most PCs will work fine - if not then use the power switch.
And even if you manage to reboot'em, most likely by yanking the cord, the machines would ask for the BIOS password (as should be, power loss or case breach should be understood as an intrusion attempt).
And if you got that right, single user or not you would have to enter the encryption passphrase.
And if you got that right, in single user mode they will still ask for the root password before doing anything.
Not impossible to hack, but a bit beyond the reach of the garden-variety |-|4><05 kid I would say.
set up a firmware password and nothing will get by.
Easy to bypass most firmware passwords
Just use the Clear CMOS jumper (or button) on the motherboard - does require opening the system box.
Right up until the point
Where you take the BIOS battery out, reboot, power down and put it back in again.
If you've got automatic login switched on then you're not really going to be worried about a FireWire hack.
Interesting that sleeping lions with FDE can be awoken by this though, that sounds like a hole that needs plugging, <tinfoil hat> or maybe, it's supposed to do that </tinfoil hat>
so what we're sayin is...
1 you must have physical access to the machine so that you can plug something into the FireWire port
2 whoever owns that machine must be daft enough to have automatic login turned on
Yeah. Right. Anyone who knows enough to use FileVault will have killed automatic login, and will have taken steps to ensure physical security. Anyone who is so clueless as to have automatic login running one minute after the first time they start a new Mac won't know about FileVault... and that means that if I, for example, get to their Mac with my external bootable hard drive, or my USB stick, or even one of my bootable DVDs, I _own_ their bloody machine. And I don't need to spend a penny on extra kit, I have it all sitting on my desk already.
Re: so what we're sayin is...
I think that you have 2 wrong!
As far as I can make out once it's logged in it's vulnerable, regardless of the mechanism by which it came to be logged in. The reason for disabling auto-login is to ensure it doesn't login (exposing the password to capture from memory) merely from being started up. The reason it also says to turn the damned thing off rather than locking or sleeping it is to ensure that it doesn't remain logged in.
In other words, it's all about preventing 1 by ensuring that whenever the machine is unattended its memory has no password in it to capture. The idea being that any time it has had the password used, you are quite likely to notice some miscreant stuffing something into its FW port by dint of being sat in front of it at the time.
As it's probably impractical to shut down every time you want a coffee, the Mac security model would appear to be; "Hire a security guard to stand next to it.". That is a novel and innovative approach to login security and Apple should be commended for their ingenuity here.
Yes, that is sarcasm. Yes, it is the lowest form of wit. No, I don't care....
Hey guess what?
"1 you must have physical access to the machine so that you can plug something into the FireWire port
2 whoever owns that machine must be daft enough to have automatic login turned on"
I could name 50 morons that do exactly that. We have students that leave their laptops in the computer room turned on, unattended with auto-login enabled while they go off to wander around aimlessly.
Clip a camera to the ceiling
Plenty of small, self contained, battery powered video cameras on the market. Helmet cams, dash cams, spy cams, etc. Clip one to the ceiling, aim it at the keyboard, press record. Pick it up later.
Mind the battery run-time, though...
Those cameras usually only have batteries that last an hour or two (at most).
But if you get access to an office environment (maybe by working as cleaning staff) and can set it up right before people start their workday. (That new chap doing the cleaning is just so great! He comes in and cleans before we get there. He even prepares the coffee. Really should give him a bonus... )
If there's a 'lockdown regime' (lockable screensaver that activates after a set time, maybe), the lunchbreak is also a good time to place a camera.
(Handy for us who like to sleep late)
HAHAHA ! this is a troll story.
James O' Shea & Giles Jones saw the obvious. Give ME physical access to any commercial "luser" machine and you can bet your ass I can 'hack' into it. DUH!! Mac, PC, any phone, . . . Anyone who has a clue about security knows physical security is KEY. THEN comes things like forced Username/Password logins.
Let me see, did THAT solve the problem ??? (duh)
Need to rethink on security
If anything this fiasco demonstrates that there's a need for a paradigm-change in computer security. We need to ditch the obsession with userization and passwords, and address the ways in which the system itself is fundamentally insecure.
In this instance, a peripheral should be controlled BY the host computer. It should never be able to take control OF the host computer. The fact that it can is a massive design blunder.
The biggest problem
Is those big meaty peripherals that are always taking control of the computer.
I'm not sure that having the computer take control of them would be the best solution, though.
The BSOD would take on a whole new meaning.
just carry a gun around with you
thats the best security
Just what I was thinking!
If you must carry the machine around, occasionally bark and scream at invisible people. Also stare maniacally at anyone who comes near you, they'll soon get the message to leave you and your stuff alone! It works for the local Winos, they shout and bark at everyone they see and no one goes near them!
@Just what I was thinking!
A cunning suggestion, but I'm not sure the paper bag round a bottle of buckfast and unkempt hair would go down well with your usual Apple clientèle though.
"Then, turn off your Mac when it's not being used instead of locking it or putting it to sleep."
I've rarely met an apple owner that doesn't just put their computer to sleep.
I'm one of those!
I can't be arsed to work out the sleep/hibernate stuff so I always shutdown, even on my MacBook!
Yeah, it takes ages longer than it should to come back but gives you time to stare into space and daydream, reflect on whether you really need to do this all important task!
I thought we did this one more than a year ago?
Superglue is for noobs, EPOXY RESIN all the way!
The Story is WRONG
In Lion Firewire DMA is disabled when the computer is in sleep, and even when in the lock screen waiting for a password. I'd like to see this company proving they can do otherwise.
It's getting a bit tiring to see how companies are economical with the truth to get a ride on Apple's name. This software does the same on Windows but yet they choose to stake their claims on the Mac, a computer with less than 8% marketshare. The fact that the media laps up their story without fact checking, just to nail a bite at Apple, is just equally disgusting.
To quote the article you link to..
>>FireWire is secure until you enter your password, I’ve been told.<<
Great. Any references for that piece of info or do we just trust it?
Also, see post from david 12 above. Seems to indicate that Windows doesn't have the same "passwords stored in memory in plain text" problem that Lion does.... (admittedly just as dubious as your article with regards to references, but he sounds like he knows what he's talking about rather than going "some bloke told me....")