Vulnerabilities / Threats
7/29/2011
01:26 PM
Connect Directly
RSS
E-Mail
50%
50%

Mac OS X Lion Password Vulnerability: Sleep Mode

Forensic software can exploit a seven-year-old FireWire design error to snoop system memory for passwords, even for devices that are locked or in sleep mode.

Updated forensic software can steal Apple OS X login passwords in minutes, even when the devices are locked or asleep.

To be successful, however, users of the software, Passware Kit Forensic v11, must have physical access to the target Mac device, as well as a FireWire cable connection. At that point, the software can capture the password data from the Mac's memory, even on the latest version of Apple's operating system, Mac OS X Lion.

According to Passware, its $995 software kit only takes a few minutes to work. It also functions regardless of password strength, and even if FileVault encryption has been activated. Passware previously implemented the same technique to decrypt Windows hard disks encrypted with BitLocker and TrueCrypt, with software running on a USB key that is plugged into the target machine.

Interestingly, the "potential vulnerability"--as Passware described it--in Apple OS X that enables password extraction is in many ways also a documented FireWire feature. "One of the design features of FireWire, and part of what makes it attractive for professional use, is that it allows for [direct memory access], a technology used in modern computers which allows peripherals to bypass the CPU and directly read from and write to memory," said Aryeh Goretsky, a distinguished researcher at ESET, in a blog post. "Because the processor does not have to manage the data transfer, higher data rates, and lower CPU utilization can be ensured, while leaving the CPU available to perform other functions."

Security researchers first identified the underlying "FireWire design error" in 2004, he said, though it was largely ignored until an "authentication bypass attack on Windows XP and (with some modification) the then-new Windows Vista operating system," emerged in 2008.

Stealing passwords isn't all that's possible via FireWire. In February 2011, for example, "computer security firm HBGary partnered with defense contractor General Dynamics on a project named 'Task B' to install rootkits onto computers by writing them directly into a computer's memory," he said, referencing an Ars Technica story.

As a data transfer technology, FireWire has already been well eclipsed by the less expensive USB 2.0. Many Apple devices--including the MacBook and MacBook Air--now ship with no FireWire port. In fact, Apple is now putting its weight behind Thunderbolt, a connection technology that offers roughly twice the speed of USB 3.0, and 12 times the speed of FireWire 800.

For Apple computers that do have a FireWire port, and owners who fear their machines will be hacked via forensic software and an attacker who has the required physical access to the machine, here's an easy mitigation strategy: always turn off the computer instead of putting it to sleep, and deactivate the "automatic login" setting, which will prevent the computer from fully booting until a password has been entered. "This way, passwords will not be present in memory and cannot be recovered," according to Passware. Such a log-in password will already be required for any users who have activated Lion's built-in whole-disk encryption feature, FileVault 2.

Another mitigation strategy is to disable FireWire, if you have no devices that use the port, said Goretsky. "Or, even more simply, don't leave your computer alone in an unsafe location. While the chance of a password theft or rootkit injection via FireWire is likely quite low, there's a much higher probability of its being stolen the old-fashioned way."

In other Apple-related forensic software update news, on Monday, Russian forensic software maker Elcomsoft announced that its iOS Forensic Toolkit has been updated to support Windows, and includes the ability to decrypt keychain data--used to store sensitive information--for all devices running iOS 3.x, and most that run iOS 4.x, using brute-force recovery if necessary.

The iOS Forensic Toolkit can also be used to obtain an image of an iPhone, iPad, or iPod Touch device--provided the software's user has physical access to the device--and decrypt these images. As a result, it "allows one to obtain a fully usable image of the device's file system with the contents of each and every file decrypted and available for analysis," said Andrey Belenko a security researcher at Elcomsoft, in a blog post.

The update also allows for "logging of all activities occurring while the toolkit is running," he said, which was a feature requested by multiple law enforcement agency users.

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud. In this Dark Reading Tech Center report, we explain the risks and guide you in setting appropriate cloud security policies, processes and controls. Read our report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2531
Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.