Hacking Apple Mac encryption password in Just 30 Seconds with PCILeech device

A hacker devised a $300 device, dubbed PCILeech, that could be exploited by an attacker to gain full control of a Mac or MacBook.

The Swedish hacker and penetration tester Ulf Frisk has devised a $300 device, dubbed PCILeech, that could be exploited by an attacker to gain full control of a Mac or MacBook.

The device is able to steal the password from virtually any Mac laptop while it is sleeping or even locked. The process is very fast, in just 30 seconds hackers can unlock any Mac computer and even decrypt the files on its hard drive.

The security expert devised a technique that leverage on two designing flaws he discovered in Apple’s FileVault2 full-disk encryption software.

“macOS FileVault2 let attackers with physical access retrieve the password in clear text by plugging in a $300 Thunderbolt device into a locked or sleeping mac.” wrote the researcher in a blog post. “The password may be used to unlock the mac to access everything on it. To secure your mac just update it with the December 2016 patches.”

“Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable.”

The first issue is the lack of protection against Direct Memory Access (DMA) attacks before macOS is started. The expert noticed that the Mac EFI or Extensible Firmware Interface let devices plugged in over Thunderbolt to access memory without enabling DMA protections. This means that Thunderbolt devices have a read and write access to the memory.

The second issue is the storage of password to the FileVault encrypted disk in clear text in memory, even when the computer is in sleep mode or locked.

“The second issue is that the the FileVault password is stored in clear text in memory and that it’s not automatically scrubbed from memory once the disk is unlocked. The password is put in multiple memory locations – which all seems to move around between reboots, but within a fixed memory range.” continues the analysis.

The PCILeech device is able to automate DMA attacks and extract Mac FileVault2 passwords stored in clear text in the device memory.

In the attack scenario, ill-intentioned accesses to a target Mac computer and connects the PCILeech hacking device to the computer via the Thunderbolt port.

Frisk shared a video PoC of the attack that shows how to hack a computer by plugging in a card flashed with a open source PCILeech software tool into the Mac’s Thunderbolt port.

In the video it possible to see that once connected the PCILeech device on the target Mac or MackBook, it is necessary to reboot the system in order to read the Mac password on the other laptop.

The attack takes is just 30 seconds to carry out successfully.

“Just stroll up to a locked Mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!”

The expert reported the results of his research to Apple in August that fixed the issues in Mac OS 10.12.2 released this week.

Don’t waste time, update you MAC asap.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – PCILeech, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.