Macbook seized or stolen? But you've set a FileVault password, right? Ha, it's useless

Until earlier this week, Apple's FileVault 2 disk encryption could be defeated in the time it takes to reboot a Mac, given a few hundred dollars in hardware and physical access to the computer. Apple on its website claims that FileVault 2 uses "XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to …

  1. cashxx

    Clickbait

    So this clickbait was all about Apple, but I saw a very small mention of Linux and Windows? Are they fixed yet?

    1. Crazy Operations Guy

      Re: Clickbait

      They aren't fixed and never will be, what with this being a flaw that exists only in OS X and all...

    2. Paul Crawford

      Re: Clickbait

      Well you could follow the link to the article (PDF hosted on GitHub) and read it there?

      However, this attack is not OS-specific in that *any* machine with externally controllable DMA enabled at any time is vulnerable to having the OS and program memory read out for analysis.

      In fact the UK gov security advice[1] is to try and buy machines without that feature. I guess Apple are a special case in that they control the UEFI boot loader and so are able to turn off external DMA access until the machine is booted and access is under OS control.

      [1] For example https://www.ncsc.gov.uk/guidance/end-user-devices-security-guidance-ubuntu-1404-lts#risk-owners-summary

      1. Crazy Operations Guy

        Re: Clickbait

        Yes, DMA attacks aren't new, they've been around since DMA was invented, but that's not what this article is about. The flaw mentioned in the article is that OS X does not sufficiently protect encryption keys when the operating system is shutting down, making it vulnerable to DMA attacks.

        The operating system does not overwrite the key with random data before releasing the locks on those sections of the memory, so when the system reboots, it's still there in memory until the kernel initializes the IO-MMU and instructs it to not allow DMA peripherals to read from that region of memory.
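As an added illustration of the remanence described above (not code from the article, the paper or Apple), a small C model of a key region that is released with and without being wiped first; the region struct, the `dma_blocked` flag standing in for IO-MMU protection, and the sample key are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 32   /* 256-bit key, as the article states for XTS-AES-128 */
/* Constructed model of the kernel region holding the disk key; `dma_blocked`
 * stands in for the IOMMU rule that keeps peripherals from reading it. */
typedef struct {
    uint8_t bytes[KEY_LEN];
    bool    dma_blocked;
} key_region_t;

/* Constructed sample key, not a real key from anywhere. */
static const uint8_t SAMPLE_KEY[KEY_LEN] = {
    0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,
    0x10,0x32,0x54,0x76,0x98,0xba,0xdc,0xfe,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef
};

static void load_key(key_region_t *r) {
    memcpy(r->bytes, SAMPLE_KEY, KEY_LEN);
    r->dma_blocked = true;
}
/* The flaw as described: the region is released without the key being
 * overwritten first, so the bytes stay in memory. */
static void release_insecure(key_region_t *r) { r->dma_blocked = false; }
/* Mitigation: wipe through a volatile pointer so the compiler cannot drop
 * the "dead" stores; production code would use explicit_bzero()/memset_s(). */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}
static void release_secure(key_region_t *r) {
    secure_wipe(r->bytes, KEY_LEN);
    r->dma_blocked = false;
}

/* Remanence check: is the key still readable once DMA is no longer blocked? */
static bool key_remains(const key_region_t *r) {
    return !r->dma_blocked && memcmp(r->bytes, SAMPLE_KEY, KEY_LEN) == 0;
}

/* True when the unwiped release leaks the key and the wiped one does not. */
bool wipe_mitigates_remanence(void) {
    key_region_t r;
    load_key(&r); release_insecure(&r);
    bool leaked = key_remains(&r);
    load_key(&r); release_secure(&r);
    return leaked && !key_remains(&r);
}
```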

  2. aaaa

    Firmware Password

    My MacBook Pro nicely integrates the firmware/boot password with the FileVault 2 encryption - meaning if they are the same password, I'm only prompted for this once. The reason for this is obvious: Apple expect you to use the two together. The FileVault 2 encryption without boot password protection is subject to all sorts of attack vectors. But when the EFI is Boot password protected - then you can't boot off an external thunderbolt device to use this DMA hack, or many other attacks.

    That the article leaves this out is unfortunate - it means that people using Mac OS 10.10 etc. won't realise there is an option besides upgrading to 10.12.2; and worse, will lead many people to be misinformed...

    Not protecting the FileVault 2 password from DMA attack is poor work on Apple's part - and it's good to know it is now fixed. But in the 'real world' this attack is going to fail on all but the most poorly configured devices.

    1. seven of five

      Re: Firmware Password

      As I read the article, having the Thunderbolt device connected at boot time suffices to enable DMA access; booting from it does not seem necessary. I wonder whether delaying startup continuation (and therefore, memory overwrite) by using an EFI password would actually worsen the situation.

      But from the article or its links I really cannot tell.

  3. Dan 55

    Would You Like To Know More?

    Shame Apple's security page doesn't mention it.

    So I don't know if 10.12.2 has a bundled EFI update, meaning you have to install the OS update to get the EFI update; you can't decide to skip it and install a later combo update, as you won't get the EFI update with that.

  4. Phil O'Sophical

    We've seen this before

    Isn't this much the same problem Apple had with their FireWire ports 5 years ago? Looks like the Thunderbolt driver developers didn't talk to the FireWire ones:

    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3215

  5. Chris Evans

    Why give full details so soon?

    I never understand why full details of such vulnerabilities are given so soon after a fix. I wonder how many susceptible computers have yet to be updated. In this case as physical access is required the problem is not massive but why make it easy for hackers?

    1. Anonymous Coward

      Re: Why give full details so soon?

      The disclosure versus secrecy debate has been played out forever. If Apple said "can you please keep this secret for a year after we fix it, to make sure everyone has updated" researchers might be less willing to work with them.

      I think most companies would ask for an extended disclosure if it was a really nasty attack - i.e. something that was exploitable by a script kiddie from across the internet and there was no defense other than unplugging your computer from all networks. But this is pretty esoteric - really of interest only to spooks and those committing high end corporate espionage. A jealous spouse isn't likely to put together this attack to see if there's been cheating going on...
