• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Hacking Apple Mac encryption password in Just 30 Seconds with PCILeech device

Hacking Apple Mac encryption password in Just 30 Seconds with PCILeech device

Pierluigi Paganini December 17, 2016

A hacker devised a $300 device, dubbed PCILeech, that could be exploited by an attacker to gain full control of a Mac or MacBook.

The Swedish hacker and penetration tester Ulf Frisk has devised a $300 device, dubbed PCILeech, that could be exploited by an attacker to gain full control of a Mac or MacBook.

The device is able to steal the password from virtually any Mac laptop while it is sleeping or even locked. The process is very fast, in just 30 seconds hackers can unlock any Mac computer and even decrypt the files on its hard drive.

The security expert devised a technique that leverage on two designing flaws he discovered in Apple’s FileVault2 full-disk encryption software.

“macOS FileVault2 let attackers with physical access retrieve the password in clear text by plugging in a $300 Thunderbolt device into a locked or sleeping mac.” wrote the researcher in a blog post. “The password may be used to unlock the mac to access everything on it. To secure your mac just update it with the December 2016 patches.”

“Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable.”

The first issue is the lack of protection against Direct Memory Access (DMA) attacks before macOS is started. The expert noticed that the Mac EFI or Extensible Firmware Interface let devices plugged in over Thunderbolt to access memory without enabling DMA protections. This means that Thunderbolt devices have a read and write access to the memory.

The second issue is the storage of password to the FileVault encrypted disk in clear text in memory, even when the computer is in sleep mode or locked.

“The second issue is that the the FileVault password is stored in clear text in memory and that it’s not automatically scrubbed from memory once the disk is unlocked. The password is put in multiple memory locations – which all seems to move around between reboots, but within a fixed memory range.” continues the analysis.

The PCILeech device is able to automate DMA attacks and extract Mac FileVault2 passwords stored in clear text in the device memory.

In the attack scenario, ill-intentioned accesses to a target Mac computer and connects the PCILeech hacking device to the computer via the Thunderbolt port.

Frisk shared a video PoC of the attack that shows how to hack a computer by plugging in a card flashed with a open source PCILeech software tool into the Mac’s Thunderbolt port.

In the video it possible to see that once connected the PCILeech device on the target Mac or MackBook, it is necessary to reboot the system in order to read the Mac password on the other laptop.

The attack takes is just 30 seconds to carry out successfully.

“Just stroll up to a locked Mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!”

The expert reported the results of his research to Apple in August that fixed the issues in Mac OS 10.12.2 released this week.

Don’t waste time, update you MAC asap.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – PCILeech, hacking)


facebook linkedin twitter

Apple DMA Hacking Mac PCILeech

you might also like

Pierluigi Paganini July 26, 2025
Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme
Read more
Pierluigi Paganini July 25, 2025
Operation CargoTalon targets Russia’s aerospace with EAGLET malware,
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

    Intelligence / July 25, 2025

    Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

    Security / July 25, 2025

    Koske, a new AI-Generated Linux malware appears in the threat landscape

    Malware / July 25, 2025

    Mitel patches critical MiVoice MX-ONE Auth bypass flaw

    Security / July 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT