Hacking Apple Mac encryption password in Just 30 Seconds with PCILeech device

Pierluigi Paganini December 17, 2016

A hacker devised a $300 device, dubbed PCILeech, that could be exploited by an attacker to gain full control of a Mac or MacBook.

The Swedish hacker and penetration tester Ulf Frisk has devised a $300 device, dubbed PCILeech, that could be exploited by an attacker to gain full control of a Mac or MacBook.

The device is able to steal the password from virtually any Mac laptop while it is sleeping or even locked. The process is very fast, in just 30 seconds hackers can unlock any Mac computer and even decrypt the files on its hard drive.

The security expert devised a technique that leverage on two designing flaws he discovered in Apple’s FileVault2 full-disk encryption software.

“macOS FileVault2 let attackers with physical access retrieve the password in clear text by plugging in a $300 Thunderbolt device into a locked or sleeping mac.” wrote the researcher in a blog post. “The password may be used to unlock the mac to access everything on it. To secure your mac just update it with the December 2016 patches.”

“Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable.”

The first issue is the lack of protection against Direct Memory Access (DMA) attacks before macOS is started. The expert noticed that the Mac EFI or Extensible Firmware Interface let devices plugged in over Thunderbolt to access memory without enabling DMA protections. This means that Thunderbolt devices have a read and write access to the memory.

The second issue is the storage of password to the FileVault encrypted disk in clear text in memory, even when the computer is in sleep mode or locked.

“The second issue is that the the FileVault password is stored in clear text in memory and that it’s not automatically scrubbed from memory once the disk is unlocked. The password is put in multiple memory locations – which all seems to move around between reboots, but within a fixed memory range.” continues the analysis.

The PCILeech device is able to automate DMA attacks and extract Mac FileVault2 passwords stored in clear text in the device memory.

In the attack scenario, ill-intentioned accesses to a target Mac computer and connects the PCILeech hacking device to the computer via the Thunderbolt port.

Frisk shared a video PoC of the attack that shows how to hack a computer by plugging in a card flashed with a open source PCILeech software tool into the Mac’s Thunderbolt port.

In the video it possible to see that once connected the PCILeech device on the target Mac or MackBook, it is necessary to reboot the system in order to read the Mac password on the other laptop.

The attack takes is just 30 seconds to carry out successfully.

“Just stroll up to a locked Mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!”

The expert reported the results of his research to Apple in August that fixed the issues in Mac OS 10.12.2 released this week.

Don’t waste time, update you MAC asap.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – PCILeech, hacking)

you might also like

leave a comment