Apple's FileVault disk encryption can be circumvented in less than an hour, according to a computer forensics firm. Passware claims the latest version of its toolkit (Passware Kit Forensic v11.3) can also unlock volumes encrypted using TrueCrypt, a disk encryption software that ranks alongside PGP as the choice of privacy- …
Apple FileVault cracked?
The headline seems a bit misleading. Unless I misunderstood the article, this isn't about cracking the encryption, but exploiting other weaknesses (while the machine is running) to obtain passwords. They are very different objectives. Or are they saying they can crack the encryption easily even when the machine has been turned off?
Also slightly confused by why we are concentrating on Apple
Is it significantly easier to crack than TrueCrypt? The article didn't appear to say.
The real story here is FireWire
...and direct memory access. These guys commercialized this one particular exploit, but there are other things you can do with it IIRC.
Also, doesn't Thunderbolt provide DMA too? I thought I heard that it did but could be wrong.
Proving the old adage...
Security. Ease of use. Low cost.
Pick any two.
Pick only one.
It's actually "Cheap, Fast, Good", but close enough.
Well-heeled blackhats prepared to fork out $1,000 ...
Whether they need to pay will depend on how good Passware's own security is. I wonder how long before a crack is available.
Reading RAM contents from the FW port was demo'd what, back in 05? Earlier? So long ago I don't actually remember anymore....
Used to be that you could use a FW iPod running Linux to just plug into a machine and have it alter the machine's RAM contents, allowing you to log on without a password, read encryption keys etc... all the while looking totally innocuous to anyone around you.
This technique is no longer as useful as back then, as modern processors implement an IOMMU, which prevents anything attached to a bus from using DMA to access the entire RAM space, thwarting this attack vector.
You could argue that these guys packaged it nicely in a GUI and made it available for purchase to the general public, but I don't think they are the first at that either (I seem to remember outfits springing up offering this tech about a year after it was demo'd). I'm guessing it has to do with Apple, so it is news?
reading passwords with debug is even earlier
The first password hacking I ever tried was to extract netbios (iirc) login passwords from memory with debug on IBM PS/2s. Must have been in the late 80's. It turned out to be surprisingly easy as the password often remained in memory even after the user had logged out. Security was a bit of a joke back then, though, and there wasn't much practical use for the networking except to play snipes.
"privacy-conscious computer users, human rights activists and others"
The modern equivalent of the top-of-the-wardrobe or under-the-mattress you mean?!
So to use this you need to get the user to actually log into the box and put in the password for the encrypted volumes, then you crack where that's stored in memory?
How useful is that really as an attack vector, or in forensics?
A leaked writeup from HB Gary went over this as an attack vector and panned it. FireWire devices aren't ubiquitous like USB, so you'd almost have to wait for your target to leave the machine running and unattended, then you'd have to go plug into it - which is risky.
I've seen this done at a bank
I was working with some other people on Security Assessment of a bank. At the branch, there were desks with computer sitting on top of them with the back of the computer facing the customer.
So my colleague went to sit down at the loan officer's desk with the officer on the other side of the desk, posing as a customer wanting a loan. At the beginning of the conversation, he set down his briefcase and with a sleight of hand pulled a cable from the briefcase and plugged it into one of the FireWire ports on the back of the machine and copied the contents of the computer's RAM while the loan officer talked about different loan options and filled out paperwork.
The following day we presented banking details on several customers (SSNs, home addresses, bank balances and account numbers, credit rating, and more) and the logon passwords to their database servers, internal websites and special third-party web applications (credit scores, credit-card issuance websites and account management sites for partner banks).
All this from only one person spending 45 minutes at the bank with a laptop and a 1-meter FireWire cable. Analysis took him about 48 hours to complete on his mediocre laptop. Shortly afterwards the bank shut down for a day to remove all FireWire cards and header cables and filled the on-board ports with non-conductive epoxy.
Out of interest,
Even if you cannot name the bank, what hardware were they running which had FireWire ports exposed at the back? And which physical standard?
"The following day we presented banking details on several customers [...] Analysis took him about 48 hours to complete on his mediocre laptop."
Was it less than 24 hours or 48 hours?
All they do is to exploit a weak FireWire implementation of Apple on *running* Macs. If you rip out battery and power cable before the cops break through your door this tool will do exactly nothing.
That's a REGFAIL.
RAM contents have a decay period. When you power up a computer normally, RAM registers are reset to zero automatically, since they may contain latent data. If you take a RAM stick and stuff it in a device that is designed not to do this, you may be able to read the contents if you're quick enough.
Therefore, REGFAIL for not explaining such, and YOUFAIL for not reading up first. :)
Unless of course you have a Mac with an unremovable battery, like the MacBook Pro I'm typing this on, oh and virtually EVERY notebook Apple makes now.
Police can kick the door in much faster than you can undo a stack of tiny Phillips-head screws, even ignoring the fact RAM doesn't wipe instantly...
Sorry - READER fail!!
You don't have to remove the battery silly
So Wibble, I choose security and low cost, what are my options clever clogs? :D
TrueCrypt and power-down the machine before leaving the room (especially to answer the door) or if there are any sounds of someone trying to break in.
You'd be surprised how much memory content can be found on a powered-down machine.
I remember the old Sun U10 SPARC boxes. If you had one with an Elite3D graphics card in it, and powered down the machine when it was still displaying the Xsun / X Window System (say when you had a power fail), then when powering the machine back on the first thing you would see would be the contents of the framebuffer at the time the machine was powered off.
Tried this once before moving a machine to another office
Machine was powered off for a weekend, plugged back in at a different office, and the first thing we saw when powering on the machine was the screen as it was when powered down.
It didn't last long, because the Sun OpenBoot PROM screen dump would start to write and would erase the previous screen.
My point ?
If you really are worried and paranoid, just powering down your machine every time the doorbell rings won't be good enough.
I would suggest doing what they did in Cryptonomicon, and have a big electromagnet built into your doorposts (OK, maybe not practically possible).
Or just ensure your POST is set to do a full RAM test and reboot instead of powering off.
Easy...switch it off, and unplug the LAN. Cheap and bloody secure.
Well, if you're sticking to Mac:
Disk Utility > New Image > 256-bit AES encryption
Leave it on your desktop. Double click to use. Drag to trash to close. Email it, dropbox it, whatever.
Also works on Linux and Windows but not quite so straightforward.
And when I say "works" I mean that the disk image is OS agnostic, not just that you can use the same technique.
Secure and free. Oh, and ease of use.
low cost security
Araldite in the FireWire port?
I don't know of a common encryption system that isn't vulnerable if the password has been entered and the machine is still on, but TrueCrypt is a great option still. For one, they're aware of this RAM issue, and they actively wipe the RAM that contained the valid decryption key when you properly unmount a TrueCrypt volume or shut down. Therefore, if you want security, just unmount your volume or shut down the system properly (don't yank the plug). You're safe. As for decrypting a TrueCrypt volume, they may be referring to the same type of RAM vulnerability to do so. I doubt their rainbow tables or dictionary attacks will work against a TrueCrypt volume with a decently long password (15+ chars) and a keyfile or two. Rainbow tables used to crack WEP were several TB in size.
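The point the post above makes, that the decryption key only lives in RAM while the volume is mounted and is scrubbed on a proper unmount, is easy to model. The C below is an added example written for this thread; it is not TrueCrypt's, Passware's or any commenter's code, and the `toy_volume_*` names, the `KEY_LEN` size and the `demo_key` bytes are all constructed for illustration. It mounts a toy volume, scans the volume's memory for the key bytes (the same kind of check a defender runs against a captured memory image to confirm a key is gone), unmounts it with a scrub the compiler cannot optimise away, and scans again.

```c
/* Added example: key lifecycle of a toy encrypted volume.
 * Not TrueCrypt or Passware code; all names and key bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32   /* AES-256-sized key, chosen for the example */

struct toy_volume {
    int mounted;
    uint8_t key[KEY_LEN];   /* only meaningful while mounted */
};

/* Scrub through a volatile pointer: a plain memset() right before the
 * struct dies may be removed by the optimiser as a "dead store", which is
 * exactly how keys end up lingering in RAM after an "unmount". */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

/* "Mount": the key (here supplied directly) becomes resident in RAM. */
void toy_volume_mount(struct toy_volume *v, const uint8_t key[KEY_LEN])
{
    memcpy(v->key, key, KEY_LEN);
    v->mounted = 1;
}

/* "Unmount": scrub the key before marking the volume closed. A power
 * yank or a FireWire DMA read while mounted never reaches this path. */
void toy_volume_unmount(struct toy_volume *v)
{
    secure_zero(v->key, KEY_LEN);
    v->mounted = 0;
}

/* Defender's check: does this memory region still contain the key bytes?
 * Returns 1 if the full key is found anywhere in the region, else 0. */
int key_present(const uint8_t *region, size_t region_len,
                const uint8_t key[KEY_LEN])
{
    if (region_len < KEY_LEN)
        return 0;
    for (size_t i = 0; i + KEY_LEN <= region_len; i++)
        if (memcmp(region + i, key, KEY_LEN) == 0)
            return 1;
    return 0;
}

/* Constructed demo key (non-zero, so a scrubbed buffer cannot match it). */
static const uint8_t demo_key[KEY_LEN] = {
    0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87,
    0x98, 0xa9, 0xba, 0xcb, 0xdc, 0xed, 0xfe, 0x0f,
    0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, 0x87,
    0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0, 0xff
};

/* Runs one mount/unmount cycle over the volume's own memory.
 * Bit 0: key visible while mounted. Bit 1: key visible after unmount.
 * A correct implementation returns 1 (visible only while mounted). */
int demo_lifecycle(void)
{
    struct toy_volume vol;
    memset(&vol, 0, sizeof vol);

    toy_volume_mount(&vol, demo_key);
    int while_mounted = key_present((const uint8_t *)&vol, sizeof vol, demo_key);

    toy_volume_unmount(&vol);
    int after_unmount = key_present((const uint8_t *)&vol, sizeof vol, demo_key);

    return while_mounted | (after_unmount << 1);
}

int main(void)
{
    int r = demo_lifecycle();
    printf("key in RAM while mounted: %s\n", (r & 1) ? "yes" : "no");
    printf("key in RAM after unmount: %s\n", (r & 2) ? "yes" : "no");
    return (r == 1) ? 0 : 1;
}
```

The scan deliberately walks the whole struct rather than just the `key` field, since a real memory image has no field boundaries; the same `key_present` routine can be pointed at any buffer (a hibernation file read into memory, for instance) to confirm that an unmount-before-hibernate policy actually left nothing behind.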
@Gerhard den Hollander
If I remember correctly, I read an article some 3 years back or so on the Register detailing how easy it was to capture in-memory contents of a recently powered down computer. It went something like:
1. Remove memory.
2. Whip out can of compressed air.
3. Turn can of compressed air upside-down.
4. Blast memory with freezing liquid.
5. You have a surprising amount of time (several minutes, if I remember correctly) to hook up the memory and read its contents.
I think you'll find the memory needs to be hit with something nearer liquid nitrogen (though possibly not too cold as to fuck the component) in situ and was somewhat of a contrived result. By the time you've released the cover to access the memory I'd say the window has closed. Also, see the earlier comments on TrueCrypt and the memory location used to store the key.
Contents of memory....
can indeed persist for a short time after power-off, especially if low temperatures are involved.
However, this is easily mitigated by selecting one of the following options:
* Dismount TrueCrypt volume
* Hit reset button
* Force power cycle
the 21st century equivalent of
looking over someone's shoulder when they type in their password.
not suitably impressed at all.
Way to generate clicks, Register...
So this firm is able to bypass encryption on Apple, Windows and at least a couple of the most popular independent schemes. But according to the headline it is an Apple problem.
Without saying that, since it mentions BitLocker, we'd just get the bleating "You mentioned BitLocker! Windoze r teh carp! Get Appul it r saef from everything!111oneoneone"
By mentioning up front that it is a problem that can also affect Apple systems, it avoids that style of reply, instead hitting the "Y U NO LOVE MACS" style reply.
Heads-up, woody: Mac (not MAC) users, generally, can spell and know, when necessary, how to invoke the spell-check function built into the system.
The headline is that FileVault was the most recent "feature" added to this software, finally catching up to 2005 known vulns. It already supported some methods of decrypting BitLocker and TrueCrypt.
"Mac users, generally, can spell"
I disagree. Those that use equipment from the church of the fruit are just as appalling as everyone else when it comes to spelling and grammar. They just make it look prettier.
A comment on your sentence, though: it is poorly-formed and contains too many commas. Maybe you should leave picking fault with others' English (overlooking the fact that in the OP it was deliberate) to more intelligent individuals?
encryption keys ... cannot be extracted unless machines are turned on.
Setec Astronomy ...
Some REAL News Here
Anon listening in to FBI and SY telephone calls:
(use Google Translate to get an English version)
FBI and SY phone call
REG is losing all credibility
No one with one iota of tech skill works at The Register anymore. How many times has this "made-up spin doctoring" story been republished since 2002 or so? The mind boggles at how this blatant attempt at marketing, re-drumming up interest again and again in a blatant PR campaign, is swallowed up gullibly, hook, line and sinker by El Reg and regurgitated as a story time and time again. Emphasis on "story"!
Sounds a bit angry!
Here, try these suggestions:-
1. Hit or kick something so hard you hurt yourself
2. Think of something else
3. Have sex?
Hope that helps
I was surprised!
It's normally MS software that has security flaws (and big ones too, judging by the number of patches!)
From the Passware website
NOTE: If the target computer is turned off and the TrueCrypt/BitLocker volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns Brute-force attacks to recover the original password for the volume.
re:It's normally MS software that has security flaws
>>It's normally MS software that has security flaws (and big ones too, judging by the number of patches!)
No, MS put a lot more effort into finding and fixing bugs than most other companies. They also have far more people finding (deliberately or accidentally) bugs on their behalf. When was the last time anyone tried to find a way to take control of your PC through OpenOffice?!
What is the story
Old technology, tired product. The Register sucks corporate dick.
Re: What is the story
"The Register sucks corporate dick"?
Please don't arrange a Kempf-like flame today - I still have to eat