Kit steals Mac login passwords through FireWire port

A California software maker has released a program that quickly recovers login passwords from Macs, even when running Apple's completely overhauled OS X Lion, that have been locked, put into sleep mode, or have FileVault disk encryption turned on. Passware Kit Forensic v11 works by capturing a Mac's computer memory over …

COMMENTS

  1. Dan 55 Silver badge
    Facepalm

    Superglue

    Time to use that tried and trusted enterprise security method that also works for USB ports.

    Honestly, which security oblivious idiot would build in DMA in a port? Oh yes, it was developed by Apple.

    I'm sure Jobs only ended up choosing to base Mac OS X on NeXT and base NeXT on BSD because of the licence. Lucky for him.

    1. Robert Synnott

      RE: Superglue

      There are a number of other external bus mastering interfaces out there, notably eSATA, Thunderbolt/Light Peak, and newer PCMCIA and its successors (including Compact Flash). This is not by any means solely an Apple issue, though for the moment Apple is the only manufacturer besides Sony who generally has these sorts of ports on non-laptop devices.

      1. Blain Hamon
        Boffin

        Turning off DMA?

        http://manuals.info.apple.com/en_US/Leopard_Security_Config_2nd_Ed.pdf (Page 48)

        Turns out, as of Leopard or possibly before (So, what, 2007?) setting a firmware password will turn off DMA access for firewire and other external devices. So while this attack is possible by default, it's not as if this issue hasn't already been addressed years ago.

        Heck, you can disable the ports via firmware. So save yourself the superglue.

        1. Dan 55 Silver badge

          Insecure by default unless you know about the problem and find the setting

          So that would place Apple back at about XP SP1 in Microsoft's security terms.

          (And indeed most of the options in the security preferences are off by default in a new installation.)

    2. Anonymous Coward

      re: Superglue

      A proper corporate environment will have its ports disabled by software - you can remove superglue with acetone. You've been able to disable USB ports on Windows since USB was supported (in the NT line) just by changing the access permissions on the USB DLL.

  2. MartinTurner

    So that means…

    So that means that you can steal passwords from people's machines… unless they are security conscious enough to have them password protected.

    1. Stevie

      Er...

      I *think* it means that should you be important enough, someone could get at your creds by switching out your firewire connection with a custom-made one c/w small chip o' cleverness built in and rifling your mac while you blithely type in the passwords you need to get into your own machine.

      1. Robert Synnott

        RE: Er...

        Nope; that would be a rather more basic attack which works on any peripheral interface. The issue here is that on devices with a bus-mastering interface such as Firewire, Thunderbolt/Light Peak or eSATA, an attacker can simply read the machine's memory by plugging something in; there's rarely any security here because bus-mastering was originally intended for presumed-safe internal devices (and it's unclear how such security would work, anyway).

        Bottom line; if someone getting access to an important machine while on and unattended is an issue for you, disable these interfaces.

        1. Anonymous Coward

          I may be missing something ..

          but why doesn't Mac OSX use salted hashed passwords?

          1. Tomato42
            Boffin

            Re: I may be missing something

            Because it keeps them in memory, to decrypt HDD. To be secure from such attack you'd need to use hardware tokens.

            1. Chemist

              What !

              It keeps plain text passwords in memory - good grief !

  3. Stevie

    Bah!

    Gentlemen, start your engines!

  4. Michael 5
    Megaphone

    Yet another free Advert Campaign

    Before you get your bangers on... know this... the same kit also applies to Windows. It's an age-old issue. In simple terms.... worded in such a way as to get a free advert from the blog-sphere.

    1. Paul Crawford Silver badge

      @Michael 5

      It is a basic flaw in the design of FireWire that allows it to become in effect bus master to go anywhere in memory by virtue of DMA. It was covered some years ago on El Reg.

      Things like ASLR make it slightly harder, and how much caching of passwords your OS performs alter the ease of attacking, but essentially it will also apply to all OS on any machine with FireWire that an attacker has 'local' access to.

      Having said that, a number of years ago when developing a USB device for XP, not only did I blue-screen the OS with just my dongle (using MS' own USB stack, etc) but I also succeeded in wiping the HDD's MBR and rendering the machine unbootable! Had I been interested and skilled in things black-hat, what more could I have achieved?

      So malicious access is not restricted to badly thought through (from a security perspective) peripheral hardware :(

      In general, if the attacker has got even short term physical access, you have little hope of escaping with most computers.

      1. Miek
        Linux

        shoots self in foot...

        "Had I been interested and skilled in things black-hat, what more could I have achieved?"

        A Darwin award ?

    2. david 12 Silver badge

      Does not work on Windows

      Ummm, no, Windows does not leave passwords in memory, and hasn't for years.

      Because this is only one way of recovering passwords from memory, and recovery of data from memory has been demonstrated many times by increasingly sophisticated malware.

      Writing your own application, you could choose to leave passwords in memory, but if you wrote anything in the last 10 years you would do it the correct way, and use things like SecureString or SecurePassword, CryptProtectMemory, or SecureZeroMemory.

      Even for talking to third-party cross-platform software that requires plain-text passwords, you would use reversible encryption and zero the memory immediately after, but that is not required for native Windows applications.

      1. Wize

        @david 12

        The advantage of having a system regularly hacked is you find ways to deal with problems when one level of security is breached (e.g., they got in, but can't get the passwords from memory).

        Now, other operating system authors have a choice. They can incorporate these safety measures into their software, just in case. Or they can sit back acting smug and wait to be robbed.

        Looks like they went for option number 2 on this one...

  5. Ogi

    Wow talk about old!

    I remember this being demo'ed back in 2004!

    For reference, when this hack came about the ipod 3G had just come out!

    It works on any OS with DMA enabled via firewire, including Linux/OSX. Used to unlock people's WinXP machines by using the FW port. Their faces were priceless!

    Anyway, this was by design. Any bus that allows DMA (including PCI/cardbus/pcmcia) allows this hack, and it's been in use for many many years. Firewire made it easier due to the plug and play nature, but it wasn't new.

    Despite this though, we still used fw for ages (still do actually) because of its lower overhead and its DMA capability.

    The same thing that allows this hack allows remote DMA (accessing the contents of RAM from one machine on another remote machine). This was pretty much the preserve of infiniband supercomputers with skyhigh prices to match. The fact we could do the same thing for about 50 quid using firewire more than made up for this security hole. Built our uni cluster using this feature.

    Such a shame it never caught on as well as USB though. Hearing that Thunderbolt offers the same DMA features* (also being a bus based interconnect) makes me happy. The idea of a 10gbit/s interconnect at consumer prices for the next cluster I build sounds awesome!

    Remember one thing about security. If your attacker has physical access that's the end, they can get in.

    *Note: Newer processors are developing what is being called an IOMMU, which will control/protect certain areas of memory from being altered or read by external devices, which should actually put a stop to these attacks. The older processors did not offer this, so were vulnerable to this attack.

    If done correctly thunderbolt will not have this security hole, while offering similar features and a lot of speed. What's not to like?

    1. IvyKing
      Headmaster

      IOMMU on SPARC for years

      While not sure about other SPARC processors, the US-IIIi had IOMMU when first shipping ca 2003. Pity that Intel took a number of years to catch up.

  6. Robert Synnott

    Or, of course...

    Disable Firewire.

    If you've a computer unattended in a physically insecure area which you're particularly worried about, then disabling any interfaces with DMA (eSATA, FireWire, some SCSI, Thunderbolt/Light Peak, PCMCIA), or at least disabling DMA on them, is probably a good idea, unless you're actually using them.

    I'm actually rather surprised that DMA is (apparently) not available on Macs when no user is logged in; I'd say that's a nightmare for driver authors.
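An added example, not code from the thread or from Passware: a POSIX shell audit for a Linux host that checks the two mitigations Ogi and Robert Synnott describe above, whether an IOMMU is active and whether the FireWire host driver is loaded, and emits the modprobe.d fragment that keeps the driver out. The function names and the sysroot argument (so it can be pointed at a constructed tree) are my own.

```shell
#!/bin/sh
# Audit a Linux host for the FireWire DMA exposure discussed in the thread:
# (1) is an IOMMU active, and (2) is the OHCI-1394 host driver loaded?
# Every check reads the kernel interfaces below $ROOT (default /), so the
# same functions can run against a constructed tree for offline testing.

# Returns 0 if the kernel has registered at least one IOMMU group, i.e. an
# IOMMU is active and translating device DMA addresses.
iommu_active() {
    root="${1:-/}"
    groups="$root/sys/kernel/iommu_groups"
    [ -d "$groups" ] || return 1
    # The directory exists on every modern kernel; it is empty when no
    # IOMMU driver registered anything.
    [ -n "$(ls -A "$groups" 2>/dev/null)" ]
}

# Returns 0 if the kernel command line explicitly enables the IOMMU
# (intel_iommu=on or amd_iommu=on). Informational only: many kernels
# enable it without the parameter, and the groups check above is decisive.
iommu_requested_on_cmdline() {
    root="${1:-/}"
    cmdline="$root/proc/cmdline"
    [ -r "$cmdline" ] || return 1
    grep -Eq '(^|[[:space:]])(intel_iommu|amd_iommu)=on([,[:space:]]|$)' "$cmdline"
}

# Returns 0 if a FireWire host-controller driver is loaded. /proc/modules
# lists one module per line, name first; firewire_ohci is the current
# driver, ohci1394 the old stack.
firewire_loaded() {
    root="${1:-/}"
    modules="$root/proc/modules"
    [ -r "$modules" ] || return 1
    grep -Eq '^(firewire_ohci|ohci1394)[[:space:]]' "$modules"
}

# Verdict: returns 0 (no FireWire driver), 2 (driver loaded but IOMMU
# active) or 1 (driver loaded, no IOMMU: memory is readable over the port).
dma_audit() {
    root="${1:-/}"
    if ! firewire_loaded "$root"; then
        echo "OK: no FireWire host driver loaded"
        return 0
    fi
    if iommu_active "$root"; then
        echo "MITIGATED: FireWire driver loaded but an IOMMU is active"
        return 2
    fi
    echo "AT RISK: FireWire driver loaded and no IOMMU active; blacklist firewire_ohci"
    return 1
}

# Emits the /etc/modprobe.d fragment that stops the FireWire drivers from
# loading: the software equivalent of the superglue suggested in the thread.
# The 'install' line makes an explicit modprobe fail as well.
firewire_blacklist_fragment() {
    printf 'blacklist firewire_ohci\nblacklist firewire_core\ninstall firewire_ohci /bin/false\n'
}

# Run a live audit when saved and executed as dma_audit.sh.
case "${0##*/}" in
    dma_audit.sh) dma_audit / ;;
esac
```

Drop the fragment into /etc/modprobe.d/ and unload firewire_ohci (or reboot) for it to take effect; it does nothing for eSATA, Thunderbolt or ExpressCard, which need their own drivers disabled or an active IOMMU.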

  7. ThomH

    Story appears to contradict itself

    In Lion, turning FileVault disk encryption on has the effect of disabling automatic login. So if the latter defeats the vulnerability then, contrary to the article, the former isn't vulnerable.

    That aside, Firewire was designed when people were still very naive about security and manages to be faster than USB mainly by keeping the CPU out of the loop, so I'm not sure Apple can fix this in software. Hopefully Apple and Intel have been smarter with Thunderbolt, but we'll see.

  8. Giles Jones Gold badge

    Durrrr

    Physical access to the machine means all sorts of hacks are possible, regardless of OS.

    Lock your computer behind a door if you are really bothered.

    In Linux I remember getting root access without password by dropping into LILO or Grub and entering single user mode.

    1. ElReg!comments!Pierre
      WTF?

      LILO or GRUB?

      Which even-remotely-sensible system allows you to enter that sort of runlevel without asking for root auth first? I've never seen a sensitive *NIX system that could be rebooted by anyone but root (apart from pulling the plug, but then you'd need the root password to boot, shirley).

      1. Duncan Macdonald

        Password recovery

        One of the common uses of single user login is to recover from the case where the superuser (root) password has been forgotten. Almost all systems have a bypass method that requires physical access at boot time to get round the case of a lost password. As for rebooting the system - the reset button on most PCs will work fine - if not then use the power switch.

        (Even on the VAX and Alpha VMS computers (far more secure than most UNIX type systems) there was a documented method for resetting the SYSTEM password if it had been lost. It required physical access to the console of the computer and as with the LILO/GRUB methods involved modifying the boot sequence to get root access without the password.)

        1. ElReg!comments!Pierre

          Re: Password recovery

          >One of the common uses of single user login is to recover from the case where the superuser (root) password has been forgotten

          That's just sloppy. One of the common uses of single user login is to perform some maintenance when something went horribly wrong with the system. If you forgot the root password and don't keep a hardcopy locked somewhere, tough luck.

          >As for rebooting the system - the reset button on most PCs will work fine - if not then use the power switch.

          Both locked.

          And even if you manage to reboot 'em, most likely by yanking the cord, the machines would ask for the BIOS password (as should be, power loss or case breach should be understood as an intrusion attempt).

          And if you got that right, single user or not you would have to enter the encryption passphrase.

          And if you got that right, in single user mode they will still ask for the root password before doing anything.

          Not impossible to hack, but a bit beyond the reach of the garden-variety |-|4><05 kid I would say.

      2. Tom 38

        Stop calling me Shirley

        I've never played with any truly big iron, but every single UNIX-like server I've ever used has never required a password to boot up.

        If you are at the console, you can reset the machine by interrupting power or the reset button, and getting a single user root shell is trivial:

        * 'boot -s' at boot prompt for most BSD variants

        * append 'single' to the kernel line in GRUB

        * 'linux single' at the LILO boot prompt

        * 'b -s' from the Solaris boot prompt

        * 'boot -fl s' from Tru64 boot prompt

        None of these will require a password to boot into single user mode. The point is, if you can access the machine or the machine's console, you already have full access to it.

      3. Colin Miller
        Linux

        musings

        If you start a Linux box in single-user mode, it will normally ask for the root password before letting you run any commands.

        However, on most Linux machines, if you give the kernel the parameter init=/bin/sh

        (it's normally init=/bin/init)

        then the kernel will run a shell as the start process. This will let you have root access without a password. Grub/Lilo can be configured to need a password to edit the boot parameters; most distros don't set it by default.

        After starting the machine this way, it hasn't fully initialised yet, doing so is left as an exercise to the interested reader...

        If you have physical access to the machine you can just take the drives out of it, and put into another machine, unless the drive itself has the ATA password enabled.

        The worrying thing about this attack is that it leaves no trace - rebooting a machine is normally obvious when its owner comes back.
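An added example, not from the thread: a POSIX shell check for the GRUB 2 password protection Colin Miller mentions above, which is what stops someone at the console from appending init=/bin/sh to the kernel line. It audits a grub.cfg for a superuser and PBKDF2 password, lists entries marked --unrestricted (bootable, but not editable, without a password), and prints the stanza for /etc/grub.d/40_custom; the function names are my own and the hash used in testing is a constructed placeholder.

```shell
#!/bin/sh
# GRUB 2 only refuses edits to boot parameters (the 'e' key) when a superuser
# is named and given a PBKDF2 password hash. Without that, anyone at the
# console can add init=/bin/sh and get a root shell with no password.

# Returns 0 if the grub.cfg at $1 names a superuser and defines a PBKDF2
# password, i.e. editing an entry will prompt for a password.
grub_cfg_requires_password() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" || return 1
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.sha512\.' "$cfg"
}

# Prints the titles of menu entries flagged --unrestricted. These still boot
# without a password (usually what you want for the default entry) but may
# not be edited, so they are not a hole on their own.
grub_cfg_unrestricted_entries() {
    cfg="$1"
    grep -E '^[[:space:]]*menuentry[[:space:]]' "$cfg" \
        | grep -- '--unrestricted' \
        | sed -E "s/^[[:space:]]*menuentry[[:space:]]+['\"]([^'\"]*)['\"].*/\1/"
}

# Emits the stanza for /etc/grub.d/40_custom (then run update-grub or
# grub-mkconfig). $2 is the output of grub-mkpasswd-pbkdf2 for that user.
grub_superuser_stanza() {
    user="$1"
    hash="$2"
    printf 'set superusers="%s"\nexport superusers\npassword_pbkdf2 %s %s\n' \
        "$user" "$user" "$hash"
}

# Verdict: returns 0 when edits need a password, 1 when they do not.
grub_audit() {
    cfg="$1"
    if grub_cfg_requires_password "$cfg"; then
        echo "OK: editing boot entries in $cfg requires a password"
        return 0
    fi
    echo "AT RISK: $cfg sets no superuser password; generate one with grub-mkpasswd-pbkdf2"
    return 1
}

# Audit the live configuration when saved and executed as grub_audit.sh.
case "${0##*/}" in
    grub_audit.sh) grub_audit "${1:-/boot/grub/grub.cfg}" ;;
esac
```

This covers the boot-loader step only; as the thread notes, pulling the drive or clearing CMOS bypasses it, so it belongs alongside disk encryption and a firmware password.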

    2. ThomH

      This is quite a gaping hole though

      Summary of the article: lock down your machine all you want and in as many ways as you can, someone can still stroll along, plug in a dongle and take an image of your RAM. Furthermore, in OS X in particular they can use that image to find your password and thereby have unfettered access to everything else — though just the RAM bit is a major concern.

      1. Paul Crawford Silver badge

        @gaping hole

        Yes, but really how likely is it?

        Number of internet-based machines potentially able to reach you = billions.

        Cost of software based attack = very small.

        Chance of internet-based attacker being caught = negligible (using infected PCs, foreign jurisdiction, etc).

        Number of attackers with physical access = small.

        Cost of hardware based attack = modest.

        Chance of physical attacker being caught = significant (CCTV, fingerprints, etc).

        So for most folk who don't have anything of interest to the security services or heavy weight industrial competitors, it is not a big deal. If you do, then times are interesting...

  9. Conner_36
    FAIL

    simple solution

    set up a firmware password and nothing will get by.

    1. Duncan Macdonald

      Easy to bypass most firmware passwords

      Just use the Clear CMOS jumper (or button) on the motherboard - does require opening the system box.

    2. Loyal Commenter Silver badge

      Right up until the point

      Where you take the BIOS battery out, reboot, power down and put it back in again.

  10. jubtastic1
    Black Helicopters

    Heh

    If you've got automatic login switched on then you're not really going to be worried about a FireWire hack.

    Interesting that sleeping lions with FDE can be awoken by this though, that sounds like a hole that needs plugging, <tinfoil hat> or maybe, it's supposed to do that </tinfoil hat>

  11. James O'Shea
    FAIL

    so what we're sayin is...

    1 you must have physical access to the machine so that you can plug something into the FireWire port

    2 whoever owns that machine must be daft enough to have automatic login turned on

    Yeah. Right. Anyone who knows enough to use FileVault will have killed automatic login, and will have taken steps to ensure physical security. Anyone who is so clueless as to have automatic login running one minute after the first time they start a new Mac won't know about FileVault... and that means that if I, for example, get to their Mac with my external bootable hard drive, or my USB stick, or even one of my bootable DVDs, I _own_ their bloody machine. And I don't need to spend a penny on extra kit, I have it all sitting on my desk already.

    Sheesh.

    1. TeeCee Gold badge
      FAIL

      Re: so what we're sayin is...

      I think that you have 2 wrong!

      As far as I can make out once it's logged in it's vulnerable, regardless of the mechanism by which it came to be logged in. The reason for disabling auto-login is to ensure it doesn't log in (exposing the password to capture from memory) merely from being started up. The reason it also says to turn the damned thing off rather than locking or sleeping it is to ensure that it doesn't remain logged in.

      In other words, it's all about preventing 1 by ensuring that whenever the machine is unattended its memory has no password in it to capture. The idea being that any time it has had the password used, you are quite likely to notice some miscreant stuffing something into its FW port by dint of being sat in front of it at the time.

      As it's probably impractical to shut down every time you want a coffee, the Mac security model would appear to be; "Hire a security guard to stand next to it.". That is a novel and innovative approach to login security and Apple should be commended for their ingenuity here[1].

      [1] Yes, that is sarcasm. Yes, it is the lowest form of wit. No, I don't care....

    2. Miek
      Linux

      Hey guess what?

      "1 you must have physical access to the machine so that you can plug something into the FireWire port

      2 whoever owns that machine must be daft enough to have automatic login turned on"

      I could name 50 morons that do exactly that. We have students that leave their laptops in the computer room turned on, unattended with auto-login enabled while they go off to wander around aimlessly.

  12. Anonymous Coward
    Holmes

    Clip a camera to the ceiling

    Plenty of small, self contained, battery powered video cameras on the market. Helmet cams, dash cams, spy cams, etc. Clip one to the ceiling, aim it at the keyboard, press record. Pick it up later.

    1. Trygve Henriksen
      Thumb Up

      Mind the battery run-time, though...

      Those cameras usually only have batteries that last an hour or two(at most).

      But if you get access to an office environment (maybe by working as cleaning staff) and can set it up right before people start their workday. (That new chap doing the cleaning is just so great! He comes in and cleans before we get there. He even prepares the coffee. Really should give him a bonus... )

      If there's a 'lockdown regime' (lockable screensaver that activates after a set time, maybe), the lunchbreak is also a good time to place a camera.

      (Handy for us who like to sleep late)

  13. Jim Benn
    FAIL

    HAHAHA ! this is a troll story.

    James O' Shea & Giles Jones saw the obvious. Give ME physical access to any commercial "luser" machine and you can bet your ass I can 'hack' into it. DUH!! Mac, PC, any phone, . . . Anyone who has a clue about security knows physical security is KEY. THEN comes things like forced Username/Password logins.

    Let me see, did THAT solve the problem ??? (duh)

  14. Anteaus
    Stop

    Need to rethink on security

    If anything this fiasco demonstrates that there's a need for a paradigm-change in computer security. We need to ditch the obsession with userization and passwords, and address the ways in which the system itself is fundamentally insecure.

    In this instance, a peripheral should be controlled BY the host computer. It should never be able to take control OF the host computer. The fact that it can is a massive design blunder.

    1. chr0m4t1c

      The biggest problem

      Is those big meaty peripherals that are always taking control of the computer.

      I'm not sure that having the computer take control of them would be the best solution, though.

      The BSOD would take on a whole new meaning.

  15. NomNomNom

    just carry a gun around with you

    thats the best security

    1. The Fuzzy Wotnot
      Happy

      Just what I was thinking!

      If you must carry the machine around, occasionally bark and scream at invisible people. Also stare maniacally at anyone who comes near you, they'll soon get the message to leave you and your stuff alone! It works for the local Winos, they shout and bark at everyone they see and no one goes near them!

      1. Paul Crawford Silver badge
        Happy

        @Just what I was thinking!

        A cunning suggestion, but I'm not sure the paper bag round a bottle of buckfast and unkempt hair would go down well with your usual Apple clientèle though.

  16. Miek
    Linux

    but but

    "Then, turn off your Mac when it's not being used instead of locking it or putting it to sleep."

    I've rarely met an apple owner that doesn't just put their computer to sleep.

    1. The Fuzzy Wotnot
      Happy

      I'm one of those!

      I can't be arsed to work out the sleep/hibernate stuff so I always shutdown, even on my MacBook!

      Yeah, it takes ages longer than it should to come back but gives you time to stare into space and daydream, reflect on whether you really need to do this all important task!

  17. Robert E A Harvey
    Unhappy

    Old News

    I thought we did this one more than a year ago?

  18. Anonymous Coward
    FAIL

    Superglue?!

    Superglue is for noobs, EPOXY RESIN all the way!

  19. Anonymous Coward

    The Story is WRONG

    In Lion Firewire DMA is disabled when the computer is in sleep, and even when in the lock screen waiting for a password. I'd like to see this company proving they can do otherwise.

    It's getting a bit tiring to see how companies are economical with the truth to get a ride on Apple's name. This software does the same on Windows but yet they choose to stake their claims on the Mac, a computer with less than 8% marketshare. The fact that the media laps up their story without fact checking, just to nail a bite at Apple, is just equally disgusting.

    http://www.loopinsight.com/2011/07/26/lion-firewire-security-issue-misleading/

    1. sabroni Silver badge

      To quote the article you link to..

      >>FireWire is secure until you enter your password, I’ve been told.<<

      Great. Any references for that piece of info or do we just trust it?

      Also, see post from david 12 above. Seems to indicate that Windows doesn't have the same "passwords stored in memory in plain text" problem that Lion does.... (admittedly just as dubious as your article with regards to references, but he sounds like he knows what he's talking about rather than going "some bloke told me....")

    2. Mike G
      Facepalm

      apple tinted visor

      It's also a bit tiring how apple fanbois cry every time apple get criticised

      1. Anonymous Coward
        Meh

        @Mike G

        Well just imagine how empty your life would be if you didn't have the excitement of mocking the Apple crowd in public forums, eh?

    3. Anonymous Coward

      Sources

      At least that article's sources don't have a vested interest in selling you their $995 product. Not sure which ones are better.

      It's well known that even previous versions of OSX disable Firewire DMA if you set an Open Firmware password, so it's perfectly acceptable to think that Apple went further in Lion and does the same when the system is in sleep or waiting for a password.

      Until the original developers publish proof - not just their press release - of their accomplishments no ink should be poured over this matter. Problem is these days any PR piece mentioning Apple will be on main news 1 hour later, without any proper critical evaluation.

      I think anyone should stand up against potential false advertising and smearing others' efforts, whatever the operating system.

      1. sabroni Silver badge

        how to stand up

        the problem I have with what you're saying is the article you linked to that defends Apple is pure speculation. In your comment you say "it's perfectly acceptable to think that Apple went further with Lion". It is, but that means nothing. It's also perfectly acceptable to think that Apple don't give a toss about security, there is some evidence that this is the case.

        If this company is wrong and firewire in Lion is more secure then that's a good thing, I'm sure we can both agree on that. But if that's the case then it's Apple's job to make it clear. The fact that you're not pointing me to a clear list of Lion features from Apple makes me doubtful. Don't Apple publish a list of changes when they upgrade the OS? Or are they so ashamed of this gaping security hole in their old products that they don't dare mention it?

  20. dssf

    Turn OFF the computer?

    Well, in doing that, there is no evidence that the hard drive was removed.

    Assume you have a GOOD backup battery or batteries, and assume the machine/laptop is plugged into AC. If in suspend/hibernate/sleep you can get 24 to 90 hours of battery life if the main power goes away, then, so long as you return before the battery dies, you will know whether or not the machine was powered off physically and the possibility that the hard drive was deprived of power for its removal for copying/cloning/perusing.

    I leave mine suspended or screen locked so that if it IS compromised, the intruder who leaves it behind HAS to know the password and the state of my session (behind a locked screensaver) to restore it without my knowing something happened.

    Now, if my ports are compromised, and I am not protecting via the kernel, or not disabling them, that is a separate and still-real issue. Is there an easy script in the security and time-out routine to disable all peripheral ports, even the external keyboard and mouse? Maybe, and I think now I will revisit that and act on it.

    And, as for the need to obtain the password, IIRC, that is accomplished feasibly by pointing one or more RF and/or microwave antennas at the keyboard in question and at the display to capture the unique RF emissions each key spews into the air. RF/IR air-scanning the LCD or CRT might be able to help pick up reflections off a nearby keyboard's finger-presses. Or, un-masked passwords can be seen right on screen.

    When riding the transit, sitting in a coffee shop, and in the company of those I will not know nor trust, I whip out my keyboard-covering oversized sheet of paper and cover my hands.

    Another thing I see people on transit doing is working on files with the file path showing up on the titlebar of the app. App developers and marketing departments not considering this need to be SLAPPED for this privacy breach. There are plenty of cases when the user should be given an ability to mask the full file name and the directory the file sits in. Sometimes, I just rename the file and move it to a very base path or in a fake name so that if anyone gleans at what I'm working on and takes to searching on the Internet, they hopefully won't find anything. But, partly that relies on app devs allowing us to mask or hide the name of the app, too, and hide references to the branding so that nosy people cannot go peruse the forums looking for the locale and help/support/suggestion submissions of users in some bid to social engineer a target. But, company marketing will seethe and hiss at providing users a way to mask the branding, and probably say users THAT worried need a $50-$80 privacy screen, a lid hood, or a private working area.
