Apple FileVault cracked in under an hour by forensics biz

Apple's FileVault disk encryption can be circumvented in less than an hour, according to a computer forensics firm. Passware claims the latest version of its toolkit (Passware Kit Forensic v11.3) can also unlock volumes encrypted using TrueCrypt, a disk encryption software that ranks alongside PGP as the choice of privacy- …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Apple FileVault cracked?

    The headline seems a bit misleading. Unless I misunderstood the article, this isn't about cracking the encryption, but exploiting other weaknesses (while the machine is running) to obtain passwords. They are very different objectives. Or are they saying they can crack the encryption easily even when the machine has been turned off?

    1. Chris 3

      Also slightly confused by why we are concentrating on Apple

      Is it significantly easier to crack than TrueCrypt? The article didn't appear to say.

      1. Anonymous Coward
        Anonymous Coward

        The real story here is FireWire

        ...and direct memory access. These guys commercialized this one particular exploit, but there are other things you can do with it IIRC.

        Also, doesn't Thunderbolt provide DMA too? I thought I heard that it did but could be wrong.

  2. Wibble
    Gimp

    Proving the old adage...

    Security. Ease of use. Low cost.

    Pick any two.

    1. ratfox

      Optimistic

      Pick only one.

    2. Doug 1

      It's actually "Cheap Fast Good", but close enough.

  3. zb

    Well-heeled blackhats prepared to fork out $1,000 ...

    Whether they need to pay will depend on how good Passware's own security is. I wonder how long before a crack is available.

  4. Ogi
    Meh

    Not New...

    Reading RAM contents from the FW port was demo'd what, back in 05? Earlier? So long ago I don't actually remember anymore....

    Used to be that you could use a FW iPod running Linux to just plug into a machine and have it alter the machine's RAM contents, allowing you to log on without a password, read encryption keys etc... all the while looking totally innocuous to anyone around you.

    This technique is no longer as useful as back then, as modern processors implement an IOMMU, which prevents anything attached to a bus from using DMA to access the entire RAMspace, thwarting this attack vector.

    You could argue that these guys packaged it nicely in a GUI and made it available for purchase to the general public, but I don't think they are the first at that either (I seem to remember outfits springing out offering this tech about a year after it was demo'd). I'm guessing it has to do with Apple, so is news?

    1. Frumious Bandersnatch

      reading passwords with debug is even earlier

      The first password hacking I ever tried was to extract netbios (iirc) login passwords from memory with debug on IBM PS/2s. Must have been in the late 80's. It turned out to be surprisingly easy as the password often remained in memory even after the user had logged out. Security was a bit of a joke back then, though, and there wasn't much practical use for the networking except to play snipes.

  5. The Fuzzy Wotnot
    Happy

    "privacy-conscious computer users, human rights activists and others"

    The modern equivalent of the top-of-the-wardrobe or under-the-mattress you mean?!

  6. Anonymous Coward
    Anonymous Coward

    Right

    So to use this you need to get the user to actually log into the box and put in the password for the encrypted volumes, then you crack where that's stored in memory?

    How useful is that really as an attack vector, or in forensics?

    1. Anonymous Coward
      Anonymous Coward

      IIRC

      A leaked writeup from HB Gary went over this as an attack vector and panned it. FireWire devices aren't ubiquitous like USB, so you'd almost have to wait for your target to leave the machine running and unattended, then you'd have to go plug into it - which is risky.

      1. Crazy Operations Guy

        I've seen this done at a bank

        I was working with some other people on a Security Assessment of a bank. At the branch, there were desks with a computer sitting on top of them with the back of the computer facing the customer.

        So my colleague went to sit down at the loan officer's desk with the officer on the other side of the desk, posing as a customer wanting a loan. At the beginning of the conversation, he set down his briefcase and with a sleight-of-hand pulled a cable from the briefcase and plugged it into one of the FireWire ports on the back of the machine and copied the contents of the computer's RAM while the loan officer talked about different loan options and filling out paperwork.

        The following day we presented banking details on several customers (SSNs, Home addresses, bank balances and account numbers, credit rating, and more) and the logon passwords to their database servers, internal websites and special third-party web applications (credit scores, Credit-card issuance websites and account management sites for partner banks).

        All this from only one person spending 45 minutes at the bank with a laptop and a 1-meter FireWire cable. Analysis took him about 48 hours to complete on his mediocre laptop. Shortly afterwards the bank shut down for a day to remove all FireWire cards, header cables and filled the on-board ports with non-conductive epoxy.

        1. Richard Taylor 2

          Out of interest,

          Even if you can not name the bank, what hardware were they running which had firewire ports exposed at the back? And which physical standard?

          1. This post has been deleted by its author

        2. Dan 55 Silver badge

          I'm confused...

          "The following day we presented banking details on several customers [...] Analysis took him about 48 hours to complete on his mediocre laptop."

          Was it less than 24 hours or 48 hours?

  7. Anonymous Coward
    FAIL

    Shoddy Journalism

    All they do is to exploit a weak FireWire implementation of Apple on *running* Macs. If you rip out battery and power cable before the cops break through your door this tool will do exactly nothing.

    That's a REGFAIL.

    1. Ammaross Danan
      Coat

      RAM

      RAM contents have a decay period. When you power up a computer normally, RAM registers are reset to zero automatically, since they may contain latent data. If you take a RAM stick and stuff it in a device that is designed not to do this, you may be able to read the contents if you're quick enough.

      Therefore, REGFAIL for not explaining such, and YOUFAIL for not reading up first. :)

    2. Chet Mannly

      Sure

      Unless of course you have a Mac with an unremovable battery, like the Macbook Pro I'm typing this on, oh and virtually EVERY notebook Apple makes now.

      Police can kick the door in much faster than you can undo a stack of tiny phillips head screws, even ignoring the fact RAM doesn't wipe instantly...

      Sorry - READER fail!!

      1. SYNTAX__ERROR
        Boffin

        You don't have to remove the battery silly

        Just cold-reboot.

  8. b166er

    So Wibble, I choose security and low cost, what are my options clever clogs? :D

    1. GettinSadda

      TrueCrypt and power-down the machine before leaving the room (especially to answer the door) or if there are any sounds of someone trying to break in.

      1. Gerhard den Hollander
        Boffin

        powered down

        you'd be surprised how much memory content can be found on a powered down machine.

        I remember the old Sun U10 SPARC boxes. If you had one with an Elite3D graphical card in it, and powered down the machine when it was still displaying the Xsun / X-windows system (say when you had a powerfail), then when powering the machine back on the first thing you would see would be the contents of the framebuffer at the time the machine was powered off.

        Tried this once before moving a machine to another office

        Machine was powered off for a weekend, plugged back into a different office, and the first thing we saw when powering on the machine was the screen as it was when powered down.

        It didn't last long, because the Sun OpenBoot PROM screen dump would start to write and would erase the previous screen.

        My point?

        If you really are worried and paranoid, just powering down your machine every time the doorbell rings won't be good enough.

        I would suggest doing what they did in Cryptonomicon, and have a big electromagnet built into your doorposts (ok, maybe not practically possible: http://community.discovery.com/eve/forums/a/tpc/f/7501919888/m/5601987789/inc/1 )

        1. GettinSadda

          Or just ensure your POST is set to do a full RAM test and reboot instead of powering off.

        2. Bjorg

          @Gerhard den Hollander

          If I remember correctly, I read an article some 3 years back or so on the Register detailing how easy it was to capture in-memory contents of a recently powered down computer. It went something like:

          1. Remove memory.

          2. Whip out can of compressed air.

          3. Turn can of compressed air upside-down.

          4. Blast memory with freezing liquid.

          5. You have a surprising amount of time (several minutes, if I remember correctly) to hook up the memory and read its contents.

          1. Mark 65

            @Bjorg

            I think you'll find the memory needs to be hit with something nearer liquid nitrogen (though possibly not too cold as to fuck the component) in situ and was somewhat of a contrived result. By the time you've released the cover to access the memory I'd say the window has closed. Also, see the earlier comments on Truecrypt and the memory location used to store the key.

            1. This post has been deleted by its author

            2. SYNTAX__ERROR
              Boffin

              Contents of memory....

              can indeed persist for a short time after power-off, especially if low temperatures are involved.

              However, this is easily mitigated by selecting one of the following options:

              * Dismount Truecrypt volume

              * Hit reset button

              * Force power cycle

    2. Silverburn
      Happy

      @ b166er

      Easy...switch it off, and unplug the LAN. Cheap and bloody secure.

    3. Anonymous Coward
      Anonymous Coward

      @b166er

      Well, if you're sticking to Mac:

      Disk Utility > New Image > 256-bit AES encryption

      Leave it on your desktop. Double click to use. Drag to trash to close. Email it, dropbox it, whatever.

      Also works on Linux and Windows but not quite so straightforward.

      And when I say "works" I mean that the disk image is OS agnostic, not just that you can use the same technique.

      Secure and free. Oh, and ease of use.

    4. Phil O'Sophical Silver badge

      low cost security

      Araldite in the firewire port?

    5. Ammaross Danan
      Boffin

      TrueCrypt

      I don't know of a common encryption system that isn't vulnerable if the password has been entered and the machine is still on, but TrueCrypt is a great option still. For one, they're aware of this RAM issue, and they actively wipe the RAM that contained the valid decryption key when you properly unmount a TrueCrypt volume or shut down. Therefore, if you want security, just unmount your volume or shut down the system properly (don't yank the plug). You're safe. As for decrypting a TrueCrypt volume, they may be referring to the same type of RAM vulnerability to do so. I doubt their rainbow tables or dictionary attacks will work against a TrueCrypt volume with a decently long password (15+ chars) and a keyfile or two. Rainbow tables used to crack WEP were several TB in size.
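Added example, not part of the comment above and not TrueCrypt's code: a C sketch of the behaviour the comment describes, where a clean dismount wipes the volume key from RAM while an abrupt stop leaves it there for a memory image to pick up. The names `struct volume`, `volume_mount`, `volume_dismount`, `residual_key_bytes` and `demo_residue` are hypothetical, the key is constructed sample data, and POSIX `mlock` is assumed to be available.

```c
/* Added example: hypothetical names, constructed key; not TrueCrypt code. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_LEN 32
struct volume {                  /* stand-in for a mounted encrypted volume */
    unsigned char key[KEY_LEN];  /* master key stays here while mounted */
    int locked;                  /* 1 if mlock() succeeded */
};

/* Zero via a volatile pointer so the stores are not elided as dead writes. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Copy the key in and try to pin its page so it is never written to swap. */
int volume_mount(struct volume *vol, const unsigned char *key) {
    vol->locked = (mlock(vol->key, KEY_LEN) == 0); /* can fail: RLIMIT_MEMLOCK */
    memcpy(vol->key, key, KEY_LEN);
    return vol->locked;
}

/* Clean dismount: wipe the key first, then release the lock. */
void volume_dismount(struct volume *vol) {
    secure_wipe(vol->key, KEY_LEN);
    if (vol->locked) munlock(vol->key, KEY_LEN);
    vol->locked = 0;
}

/* What a RAM image would still hold: number of non-zero key bytes. */
size_t residual_key_bytes(const struct volume *vol) {
    size_t n = 0;
    for (size_t i = 0; i < KEY_LEN; i++) n += (vol->key[i] != 0);
    return n;
}

/* Mount with a constructed key (0x01..0x20), optionally dismount cleanly,
   and report how many key bytes remain in the volume structure. */
size_t demo_residue(int clean_dismount) {
    struct volume vol;
    unsigned char key[KEY_LEN];
    for (size_t i = 0; i < KEY_LEN; i++) key[i] = (unsigned char)(i + 1);
    volume_mount(&vol, key);
    secure_wipe(key, KEY_LEN);   /* the caller's copy is a second residue */
    if (clean_dismount) volume_dismount(&vol);
    return residual_key_bytes(&vol);
}

int main(void) {
    printf("still mounted: %zu key bytes in RAM, after dismount: %zu\n",
           demo_residue(0), demo_residue(1));
    return 0;
}
```

Where the platform provides it, `explicit_bzero` (glibc, BSD) does the same job as the hand-written `secure_wipe`.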

  9. Danington the Third
    FAIL

    the 21st century equivalent of

    looking over someone's shoulder when they type in their password.

    not suitably impressed at all.

  10. Anonymous Coward
    Anonymous Coward

    Way to generate clicks, Register...

    So this firm is able to bypass encryption on Apple, Windows and at least a couple of the most popular independent schemes. But according to the headline it is an Apple problem.

    1. Lockwood
      Holmes

      Without saying that, since it mentions BitLocker, we'd just get the bleating "You mentioned BitLocker! Windoze r teh carp! Get Appul it r saef from everything!111oneoneone"

      By mentioning up front that it is a problem that can also affect Apple systems, it avoids that style of reply, instead hitting the "Y U NO LOVE MACS" style reply.

      1. Anonymous Coward
        Anonymous Coward

        @Lockwood

        Heads-up, woody: Mac (not MAC) users, generally, can spell and know, when necessary, how to invoke the spell-check function built into the system.

        1. SYNTAX__ERROR
          Headmaster

          "Mac users, generally, can spell"

          I disagree. Those that use equipment from the church of the fruit are just as appalling as everyone else when it comes to spelling and grammar. They just make it look prettier.

          A comment on your sentence, though: it is poorly-formed and contains too many commas. Maybe you should leave picking fault with others' English (overlooking the fact that in the OP it was deliberate) to more intelligent individuals?

    2. Ammaross Danan
      Coat

      Headline

      The headline is that FileVault was the most recent "feature" added to this software, finally catching up to 2005 known vulns. It already supported some methods of decrypting BitLocker and TrueCrypt.

  11. JDX Gold badge
    Facepalm

    encryption keys ... cannot be extracted unless machines are turned on.

    Gosh.

  12. Velv
    Big Brother

    Setec Astronomy ...

  13. Anonymous Coward
    Anonymous Coward

    Some REAL News Here

    Anon listening in to FBI and SY telephone calls:

    http://www.spiegel.de/netzwelt/web/0,1518,813224,00.html

    (use google translate to get an english version)

  14. Anonymous Coward
    Anonymous Coward

    FBI and SY phone call

    http://www.youtube.com/watch?feature=player_embedded&v=pl3spwzUZfQ

  15. Anonymous Coward
    Anonymous Coward

    REG is losing all credibility

    No one with one iota of Tech skill works at The Register anymore. How many times has this "made up spin doctoring" story been republished since 2002 or so? The mind boggles at how this blatant attempt of marketing redrumming up of interest again in a blatant PR campaign is swallowed up gullible hook line and sinker by el reg and regurgitated as a story time and time again. Emphasis on "story"!

    1. Mr Young
      Coffee/keyboard

      Sounds a bit angry!

      Here, try these suggestions:-

      1. Hit or kick something so hard you hurt yourself

      2. Think of something else

      3. Have sex?

      Hope that helps

  16. Anonymous Coward
    Anonymous Coward

    I was surprised!

    It's normally MS software that has security flaws (and big ones too, judging by the number of patches!)

  17. JSHello

    From the Passware website

    http://www.lostpassword.com/hdd-decryption.htm

    NOTE: If the target computer is turned off and the TrueCrypt/BitLocker volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns Brute-force attacks to recover the original password for the volume.

  18. JDX Gold badge

    re:It's normally MS software that has security flaws

    >>It's normally MS software that has security flaws (and big ones too, judging by the number of patches!)

    No, MS put a lot more effort into finding and fixing bugs than most other companies. They also have far more people finding (deliberately or accidentally) bugs on their behalf. When was the last time anyone tried to find a way to take control of your PC through OpenOffice?!

  19. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: What is the story

      ODFO

  20. Mr Young
    Pint

    "The Register sucks corporate dick"?

    Please don't arrange a Kempf like flame today - I still have to eat

  21. ZenCoder
    Mushroom

    Valid concern

    Yes this has been proven possible for quite some time, but now it's not only possible but quick and easy, and probably soon to be available on the pirate bay for the black hats who won't pay for software.

  22. Anonymous Coward
    Anonymous Coward

    Simple Solution

    Build some strong portable electromagnets. Train on your own system, wipe it clean, see how fast you can wipe it and get out. Use Stargate SG-1 as an example. Where "the trust" is nuking their computers and getting ready to beam out. Forget the beaming out, look at the style of wiping...

  23. Alan Edwards
    FAIL

    A non-issue

    I was interested from the perspective of cracking TrueCrypt. If you know what you're doing, this will never crack TrueCrypt:

    1) TrueCrypt automatically dismounts volumes when you lock, log off, suspend or hibernate

    2) There is also an inactivity timeout dismount option

    3) It appears to not know about key files. It can beat on a Truecrypt volume with a single letter password and a key file until the universe explodes, without the key file it will never decrypt it.
