Physical access needed, though, for this 30-second process

Dec 16, 2016 06:51 GMT

They say Macs are safer than Windows PCs, but Apple’s devices have their own share of vulnerabilities that can be exploited by hackers to seize full control of the systems.

This is exactly what Swedish security expert Ulf Frisk demonstrates with a new device that can steal the password from virtually any Mac that’s sleeping or locked.

Frisk explains that it costs approximately $300 to build a hacking device that can be connected to a Mac via the Thunderbolt port. The method hasn’t been tested on Macs with USB Type-C, but there’s a good chance that it still works, especially because the flaw resides in FileVault2.

Password stored in clear text in memory

Specifically, the vulnerability that makes this hack possible exposes the Mac to Direct Memory Access (DMA) exploits because it allows Thunderbolt devices to read and write memory. The password to the encrypted disk is stored in clear text in memory, even when the Mac is locked, and when the system reboots, the password is placed in multiple memory locations within a fixed memory range, making it readable by hacking devices.

There are a few seconds while rebooting the system when the password remains available before it is overwritten with new content, and this is when Frisk’s device can steal it.

Hackers only need to connect the special device to the Thunderbolt port and another laptop, force reboot the Mac, and then wait until the password is displayed on the secondary PC. This means that physical access to a Mac is required.

“Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access - unless the mac is completely shut down. If the mac is sleeping it is still vulnerable. Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!” Frisk explains.

The good thing is that Apple has already fixed the flaw in macOS 10.12.2, so what you need to do is update the device to the latest OS version and you should be safe. Until the very next vulnerability, at least.