Update To macOS 10.12.2 Now If You Haven’t Already, Here’s Why
Attention Mac users: if you haven’t updated your Mac to macOS 10.12.2 yet, do it now. Here’s why.
Security researcher Ulf Frisk has shared details of a vulnerability in Apple’s macOS platform that looks to have been patched by the Cupertino-based company in the latest macOS 10.12.2 public release. Frisk sat on the vulnerability for quite some time while Apple worked behind the scenes on a fix; it is now known that anyone with a particular $300 Thunderbolt device could have extracted the password of an unlocked Mac running macOS 10.12.1 or below with relative ease.
The issue – which, we reiterate, has been patched and fixed by Apple with the release of macOS 10.12.2 – would have allowed anyone with a specific Thunderbolt device to extract the password of a Mac, as long as they had physical access to the unlocked Mac for a brief period of time.
Anyone, including but not limited to your colleagues, the police, the evil maid and the thief, will have full access to your data as long as they can gain physical access – unless the Mac is completely shut down. If the Mac is sleeping, it is still vulnerable.
Frisk further adds:
Just stroll up to a locked Mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!
Being the good, responsible security researcher and hacker that he is, Frisk initially reported the vulnerability directly to Apple in the hope that the company would fix the problem before it became common knowledge. Apple, of course, asked Frisk to withhold details of the vulnerability in the meantime, but with the vulnerability now patched, he has detailed exactly how it works.
As it stands, the attack relied on the fact that rebooting a Mac turns off all DMA protections while the password remains in memory for a few seconds:
The first issue is that the Mac does not protect itself against Direct Memory Access (DMA) attacks before macOS is started. EFI, which is running at this early stage, enables Thunderbolt, allowing malicious devices to read and write memory. At this stage macOS is not yet started. macOS resides on the encrypted disk – which must be unlocked before it can be started. Once macOS is started it will enable DMA protections by default.
The second issue is that the FileVault password is stored in clear text in memory and that it’s not automatically scrubbed from memory once the disk is unlocked. The password is put in multiple memory locations – which all seem to move around between reboots, but within a fixed memory range.
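The second issue quoted above is a general secure-coding lesson: a secret that is copied into a buffer and never wiped stays readable to anything that can later dump that memory. The C program below is an added example, not Frisk's code, Apple's firmware, or the real FileVault unlock path; the memory region, the `unlock_leaky`/`unlock_scrubbed` routines and the FNV-based `derive_key` stand-in are all constructed for illustration. It shows the leaky pattern beside the scrubbed one and a check a developer can run on their own buffers to confirm the passphrase bytes are gone once the key has been derived.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the post, Frisk or Apple). The "region" below stands in
 * for the firmware/kernel buffers the post describes; everything is constructed. */

#define REGION_SIZE 256
#define PW_OFFSET   16   /* arbitrary offset inside the region where the passphrase lands */

/* Zero a buffer through a volatile pointer so the optimizer cannot drop the
 * stores as "dead writes" (a plain memset right before return often gets removed). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Stand-in for a key derivation: 64-bit FNV-1a. Not a real KDF, constructed here. */
static uint64_t derive_key(const unsigned char *pw, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= pw[i]; h *= 1099511628211ULL; }
    return h;
}

/* Defender-side check: does the byte string `needle` occur anywhere in `region`?
 * Run on your own process memory after the unlock routine to confirm scrubbing. */
int secret_present(const unsigned char *region, size_t rlen,
                   const unsigned char *needle, size_t nlen) {
    if (nlen == 0 || nlen > rlen) return 0;
    for (size_t i = 0; i + nlen <= rlen; i++)
        if (memcmp(region + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Vulnerable pattern: passphrase copied into memory, used, and simply left there. */
uint64_t unlock_leaky(unsigned char *region, size_t rlen, const char *pw) {
    size_t len = strlen(pw);
    if (len > rlen - PW_OFFSET) return 0;
    memcpy(region + PW_OFFSET, pw, len);
    return derive_key(region + PW_OFFSET, len);   /* nothing cleared afterwards */
}

/* Hardened pattern: identical, except the passphrase bytes are wiped as soon as
 * the derived key exists, so a later read of the region finds nothing. */
uint64_t unlock_scrubbed(unsigned char *region, size_t rlen, const char *pw) {
    size_t len = strlen(pw);
    if (len > rlen - PW_OFFSET) return 0;
    memcpy(region + PW_OFFSET, pw, len);
    uint64_t key = derive_key(region + PW_OFFSET, len);
    secure_zero(region + PW_OFFSET, len);
    return key;
}

/* Run one unlock routine on a fresh region and report whether the passphrase is
 * still findable afterwards: 1 = leaked, 0 = scrubbed. */
int passphrase_leaks(uint64_t (*unlock)(unsigned char *, size_t, const char *),
                     const char *pw) {
    unsigned char region[REGION_SIZE];
    memset(region, 0, sizeof region);
    (void)unlock(region, sizeof region, pw);
    return secret_present(region, sizeof region,
                          (const unsigned char *)pw, strlen(pw));
}

/* Both routines must still produce the same key; scrubbing changes nothing else. */
int keys_match(const char *pw) {
    unsigned char r1[REGION_SIZE] = {0}, r2[REGION_SIZE] = {0};
    return unlock_leaky(r1, sizeof r1, pw) == unlock_scrubbed(r2, sizeof r2, pw);
}

int main(void) {
    const char *pw = "constructed-sample-passphrase";   /* constructed sample input */
    printf("leaky routine leaves passphrase in memory: %d\n", passphrase_leaks(unlock_leaky, pw));
    printf("scrubbed routine leaves passphrase in memory: %d\n", passphrase_leaks(unlock_scrubbed, pw));
    printf("derived keys identical: %d\n", keys_match(pw));
    return 0;
}
```

The point of `secure_zero` is that compilers are allowed to delete a `memset` whose buffer is never read again; platform helpers such as C11's optional `memset_s` or the BSD `explicit_bzero` exist for the same reason, and the volatile loop is the portable fallback when neither is available. Scrubbing only narrows the window, of course: the passphrase still has to exist in memory while the key is derived, which is why the first issue (DMA reachable before macOS enables its protections) matters as much as the second.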
Check out the accompanying video to see the vulnerability in action, but be thankful that Apple has taken quick and decisive action to fix the problem.