Apple FileVault cracked in under an hour by forensics biz

Apple's FileVault disk encryption can be circumvented in less than an hour, according to a computer forensics firm. Passware claims the latest version of its toolkit (Passware Kit Forensic v11.3) can also unlock volumes encrypted using TrueCrypt, a disk encryption software that ranks alongside PGP as the choice of privacy- …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

Apple FileVault cracked?

The headline seems a bit misleading. Unless I misunderstood the article, this isn't about cracking the encryption, but exploiting other weaknesses (while the machine is running) to obtain passwords. They are very different objectives. Or are they saying they can crack the encryption easily even when the machine has been turned off?

13
1

Also slightly confused by why we are concentrating on Apple

Is it significantly easier to crack than TrueCrypt? The article didn't appear to say.

6
0
Anonymous Coward

The real story here is FireWire

...and direct memory access. These guys commercialized this one particular exploit, but there are other things you can do with it IIRC.

Also, doesn't Thunderbolt provide DMA too? I thought I heard that it did but could be wrong.

0
1
Gimp

Proving the old adage...

Security. Ease of use. Low cost.

Pick any two.

4
0
Silver badge

Optimistic

Pick only one.

1
0

It's actually "Cheap, Fast, Good", but close enough.

2
0
zb

Well-heeled blackhats prepared to fork out $1,000 ...

Whether they need to pay will depend on how good Passware's own security is. I wonder how long before a crack is available.

4
1
Ogi
Meh

Not New...

Reading RAM contents from the FW port was demo'd what, back in 05? Earlier? So long ago I don't actually remember anymore....

Used to be that you could use a FW iPod running Linux to just plug into a machine and have it alter the machine's RAM contents, allowing you to log on without a password, read encryption keys etc... all the while looking totally innocuous to anyone around you.

This technique is no longer as useful as back then, as modern processors implement an IOMMU, which prevents anything attached to a bus from using DMA to access the entire RAM space, thwarting this attack vector.

You could argue that these guys packaged it nicely in a GUI and made it available for purchase to the general public, but I don't think they are the first at that either (I seem to remember outfits springing out offering this tech about a year after it was demo'd). I'm guessing it has to do with Apple, so is news?

10
0
Bronze badge

reading passwords with debug is even earlier

The first password hacking I ever tried was to extract NetBIOS (IIRC) login passwords from memory with DEBUG on IBM PS/2s. Must have been in the late '80s. It turned out to be surprisingly easy as the password often remained in memory even after the user had logged out. Security was a bit of a joke back then, though, and there wasn't much practical use for the networking except to play Snipes.

5
0
Bronze badge
Happy

"privacy-conscious computer users, human rights activists and others"

The modern equivalent of the top-of-the-wardrobe or under-the-mattress, you mean?!

0
0
Anonymous Coward

Right

So to use this you need to get the user to actually log into the box and put in the password for the encrypted volumes, then you crack where that's stored in memory?

How useful is that really as an attack vector, or in forensics?

6
0
Anonymous Coward

IIRC

A leaked writeup from HB Gary went over this as an attack vector and panned it. FireWire devices aren't ubiquitous like USB, so you'd almost have to wait for your target to leave the machine running and unattended, then you'd have to go plug into it - which is risky.

0
0
Bronze badge

I've seen this done at a bank

I was working with some other people on Security Assessment of a bank. At the branch, there were desks with computer sitting on top of them with the back of the computer facing the customer.

So my colleague went to sit down at the loan officer's desk with the officer on the other side of the desk, posing as a customer wanting a loan. At the beginning of the conversation, he set down his briefcase and with a sleight of hand pulled a cable from the briefcase and plugged it into one of the FireWire ports on the back of the machine and copied the contents of the computer's RAM while the loan officer talked about different loan options and filled out paperwork.

The following day we presented banking details on several customers (SSNs, home addresses, bank balances and account numbers, credit rating, and more) and the logon passwords to their database servers, internal websites and special third-party web applications (credit scores, credit-card issuance websites and account management sites for partner banks).

All this from only one person spending 45 minutes at the bank with a laptop and a 1-meter FireWire cable. Analysis took him about 48 hours to complete on his mediocre laptop. Shortly afterwards the bank shut down for a day to remove all FireWire cards and header cables and filled the on-board ports with non-conductive epoxy.

3
2
Bronze badge

Out of interest,

Even if you can not name the bank, what hardware were they running which had firewire ports exposed at the back? And which physical standard?

0
0
Silver badge

I'm confused...

"The following day we presented banking details on several customers [...] Analysis took him about 48 hours to complete on his mediocre laptop."

Was it less than 24 hours or 48 hours?

1
0
FAIL

Shoddy Journalism

All they do is exploit Apple's weak FireWire implementation on *running* Macs. If you rip out the battery and power cable before the cops break through your door, this tool will do exactly nothing.

That's a REGFAIL.

3
0
Coat

RAM

RAM contents have a decay period. When you power up a computer normally, RAM registers are reset to zero automatically, since they may contain latent data. If you take a RAM stick and stuff it in a device that is designed not to do this, you may be able to read the contents if you're quick enough.

Therefore, REGFAIL for not explaining such, and YOUFAIL for not reading up first. :)

0
0

Sure

Unless of course you have a Mac with an unremovable battery, like the Macbook Pro I'm typing this on, oh and virtually EVERY notebook Apple makes now.

Police can kick the door in much faster than you can undo a stack of tiny phillips head screws, even ignoring the fact RAM doesn't wipe instantly...

Sorry - READER fail!!

2
0
Boffin

You don't have to remove the battery silly

Just cold-reboot.

1
0

So Wibble, I choose security and low cost, what are my options clever clogs? :D

0
0

TrueCrypt and power-down the machine before leaving the room (especially to answer the door) or if there are any sounds of someone trying to break in.

2
0
Boffin

powered down

you'd be surprised how much memory content can be found on a powered down machine.

I remember the old Sun U10 SPARC boxes. If you had one with an Elite3D graphics card in it, and powered down the machine when it was still displaying the Xsun / X Window System (say when you had a power fail), then when powering the machine back on the first thing you would see would be the contents of the framebuffer at the time the machine was powered off.

Tried this once before moving a machine to another office.

Machine was powered off for a weekend, plugged back in in a different office, and the first thing we saw when powering on the machine was the screen as it was when powered down.

It didn't last long, because the Sun OpenBoot PROM screen dump would start to write and would erase the previous screen.

My point?

If you really are worried and paranoid, just powering down your machine every time the doorbell rings won't be good enough.

I would suggest doing what they did in Cryptonomicon, and have a big electromagnet built into your doorposts (OK, maybe not practically possible: http://community.discovery.com/eve/forums/a/tpc/f/7501919888/m/5601987789/inc/1 )

1
1

Or just ensure your POST is set to do a full RAM test and reboot instead of powering off.

1
0
Happy

@ b166er

Easy...switch it off, and unplug the LAN. Cheap and bloody secure.

0
0
Anonymous Coward

@b166er

Well, if you're sticking to Mac:

Disk Utility > New Image > 256-bit AES encryption

Leave it on your desktop. Double click to use. Drag to trash to close. Email it, dropbox it, whatever.

Also works on Linux and Windows but not quite so straightforward.

And when I say "works" I mean that the disk image is OS agnostic, not just that you can use the same technique.

Secure and free. Oh, and ease of use.

1
0
Silver badge

low cost security

Araldite in the firewire port?

4
0
Boffin

TrueCrypt

I don't know of a common encryption system that isn't vulnerable if the password has been entered and the machine is still on, but TrueCrypt is a great option still. For one, they're aware of this RAM issue, and they actively wipe the RAM that contained the valid decryption key when you properly unmount a TrueCrypt volume or shut down. Therefore, if you want security, just unmount your volume or shut down the system properly (don't yank the plug). You're safe. As for decrypting a TrueCrypt volume, they may be referring to the same type of RAM vulnerability to do so. I doubt their rainbow tables or dictionary attacks will work against a TrueCrypt volume with a decently long password (15+ chars) and a keyfile or two. Rainbow tables used to crack WEP were several TB in size.

3
0

@Gerhard den Hollander

If I remember correctly, I read an article some 3 years back or so on the Register detailing how easy it was to capture in-memory contents of a recently powered down computer. It went something like:

1. Remove memory.

2. Whip out can of compressed air.

3. Turn can of compressed air upside-down.

4. Blast memory with freezing liquid.

5. You have a surprising amount of time (several minutes, if I remember correctly) to hook up the memory and read its contents.

0
1
Silver badge

@Bjorg

I think you'll find the memory needs to be hit with something nearer liquid nitrogen (though possibly not too cold as to fuck the component) in situ and was somewhat of a contrived result. By the time you've released the cover to access the memory I'd say the window has closed. Also, see the earlier comments on Truecrypt and the memory location used to store the key.

0
0
Boffin

Contents of memory....

can indeed persist for a short time after power-off, especially if low temperatures are involved.

However, this is easily mitigated by selecting one of the following options:

* Dismount Truecrypt volume

* Hit reset button

* Force power cycle

2
0
FAIL

the 21st century equivalent of

looking over someone's shoulder when they type in their password.

not suitably impressed at all.

3
0
Anonymous Coward

Way to generate clicks, Register...

So this firm is able to bypass encryption on Apple, Windows and at least a couple of the most popular independent schemes. But according to the headline it is an Apple problem.

4
2
Holmes

Without saying that, since it mentions BitLocker, we'd just get the bleating "You mentioned BitLocker! Windoze r teh carp! Get Appul it r saef from everything!111oneoneone"

By mentioning up front that it is a problem that can also affect Apple systems, it avoids that style of reply, instead hitting the "Y U NO LOVE MACS" style reply.

3
0
Anonymous Coward

@Lockwood

Heads-up, woody: Mac (not MAC) users, generally, can spell and know, when necessary, how to invoke the spell-check function built into the system.

0
7
Coat

Headline

The headline is that FileVault was the most recent "feature" added to this software, finally catching up to 2005 known vulns. It already supported some methods of decrypting BitLocker and TrueCrypt.

1
0
Headmaster

"Mac users, generally, can spell"

I disagree. Those that use equipment from the church of the fruit are just as appalling as everyone else when it comes to spelling and grammar. They just make it look prettier.

A comment on your sentence, though: it is poorly-formed and contains too many commas. Maybe you should leave picking fault with others' English (overlooking the fact that in the OP it was deliberate) to more intelligent individuals?

1
0
JDX
Gold badge
Facepalm

encryption keys ... cannot be extracted unless machines are turned on.

Gosh.

4
0
Silver badge
Big Brother

Setec Astronomy ...

2
0
Anonymous Coward

Some REAL News Here

Anon listening in to FBI and SY telephone calls:

http://www.spiegel.de/netzwelt/web/0,1518,813224,00.html

(use google translate to get an english version)

0
1
Anonymous Coward

FBI and SY phone call

http://www.youtube.com/watch?feature=player_embedded&v=pl3spwzUZfQ

0
0
Anonymous Coward

REG is losing all credibility

No one with one iota of tech skill works at The Register anymore. How many times has this "made-up spin doctoring" story been republished since 2002 or so? The mind boggles at how this blatant attempt at marketing, re-drumming up interest again and again in a blatant PR campaign, is swallowed hook, line and sinker by gullible El Reg and regurgitated as a story time and time again. Emphasis on "story"!

1
1
Coffee/keyboard

Sounds a bit angry!

Here, try these suggestions:-

1. Hit or kick something so hard you hurt yourself

2. Think of something else

3. Have sex?

Hope that helps

1
0
Anonymous Coward

I was surprised!

It's normally MS software that has security flaws (and big ones too, judging by the number of patches!)

0
4

From the Passware website

http://www.lostpassword.com/hdd-decryption.htm

NOTE: If the target computer is turned off and the TrueCrypt/BitLocker volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns Brute-force attacks to recover the original password for the volume.

1
0
JDX
Gold badge

re:It's normally MS software that has security flaws

>>It's normally MS software that has security flaws (and big ones too, judging by the number of patches!)

No, MS put a lot more effort into finding and fixing bugs than most other companies. They also have far more people finding (deliberately or accidentally) bugs on their behalf. When was the last time anyone tried to find a way to take control of your PC through OpenOffice?!

1
0

What is the story

Old technology, tired product. The Register sucks corporate dick.

1
0
(Written by Reg staff) Gold badge

Re: What is the story

ODFO

4
0
Pint

"The Register sucks corporate dick"?

Please don't arrange a Kempf-like flame today - I still have to eat

0
0
