An interesting video has surfaced showing a live demonstration of recovering a MacBook Pro's login password over Thunderbolt. According to the researcher, an attacker can retrieve the password in plaintext in about 30 seconds, bypassing Apple's FileVault disk encryption to access all data on the machine.
The login password of a Mac with FileVault disk encryption enabled can be read by simple means via the Thunderbolt port, giving an attacker access to all of the data, as security researcher Ulf Frisk has demonstrated.
The attacker only has to connect a device costing about 300 US dollars to the Thunderbolt port and reboot the Mac; the password is read out within about 30 seconds. This is possible due to two problems, Frisk explains. First, before macOS has started, the Mac does not protect itself against DMA (Direct Memory Access) attacks: immediately after a reboot, EFI allows Thunderbolt devices to access memory.
Password is in plaintext
The second problem is that the password is stored in plaintext in memory and is not automatically cleared after the disk has been unlocked. As a result, after a restart there is a window of a few seconds in which the user's password can be retrieved before that memory is overwritten with new content, the security researcher explains.
This requires physical access to the locked (or sleeping) Mac, as well as a PCI Express card and a Thunderbolt adapter. The necessary software is available for download from Frisk on GitHub: PCILeech version 1.3 includes the "Mac-Password-Grabber".
Vulnerability fixed in macOS Sierra 10.12.2
The attack has so far only been tested against portable Macs with Thunderbolt 2 ports. Whether it also works on newer USB-C models such as the 2016 MacBook Pro remains open for now. If the password contains non-ASCII characters, it first has to be located manually in the memory dump.
Apple was informed of the problem in mid-August and fixed it in macOS 10.12.2 a few days ago. Users should install the update immediately in any case, since it also fixes more than 70 other vulnerabilities.
Macs running older versions of OS X apparently remain exposed to this attack. For "additional protection against attackers physically present", users should set a firmware password, notes hacker Xeno Kovah, who now works for Apple.
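The two mitigations the article names, the macOS 10.12.2 update and an EFI firmware password, are easy to audit from a shell. The script below is an added example written for this page; it is not part of the article, of PCILeech or of Apple's tooling. It assumes Apple's `sw_vers -productVersion` and `firmwarepasswd -check` commands (the latter prints a "Password Enabled: Yes" or "Password Enabled: No" line and needs root), and the parsing and version-comparison logic is kept in pure functions so it can be exercised against constructed input on any machine.

```shell
#!/bin/sh
# Added example, not from the article or PCILeech: a small hardening check for
# the two mitigations named in the text.
#   1. macOS >= 10.12.2 (the release that fixed the FileVault password-in-memory issue)
#   2. an EFI firmware password (reported by Apple's `firmwarepasswd -check`)
# The live commands only run when present; the helpers below are pure.

# version_at_least HAVE WANT: exit 0 if dotted version HAVE >= WANT.
# Compared numerically field by field; missing fields count as 0.
version_at_least() {
    have="$1"; want="$2"
    i=1
    while :; do
        h=$(printf '%s' "$have" | cut -d. -f"$i")
        w=$(printf '%s' "$want" | cut -d. -f"$i")
        # Both strings exhausted with no difference found: equal.
        [ -z "$h" ] && [ -z "$w" ] && return 0
        h=${h:-0}; w=${w:-0}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        i=$((i + 1))
    done
}

# firmware_password_enabled OUTPUT: exit 0 if the captured `firmwarepasswd -check`
# output (assumed format "Password Enabled: Yes|No") reports a password is set.
firmware_password_enabled() {
    case "$1" in
        *"Password Enabled: Yes"*) return 0 ;;
        *) return 1 ;;
    esac
}

# assess VERSION FIRMWARE_CHECK_OUTPUT
# Prints one line per finding; the exit status is the number of findings (0 = OK).
assess() {
    findings=0
    if ! version_at_least "$1" "10.12.2"; then
        echo "FINDING: macOS $1 predates 10.12.2; pre-boot DMA password grab over Thunderbolt is not fixed"
        findings=$((findings + 1))
    fi
    if ! firmware_password_enabled "$2"; then
        echo "FINDING: no EFI firmware password set (firmwarepasswd -setpasswd adds one)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Audit the local machine only when the macOS tools exist (run as root for firmwarepasswd).
if command -v sw_vers >/dev/null 2>&1 && command -v firmwarepasswd >/dev/null 2>&1; then
    assess "$(sw_vers -productVersion)" "$(firmwarepasswd -check 2>/dev/null)"
fi
```

On a Mac the script prints nothing and exits 0 when both mitigations are in place; each missing one produces a FINDING line, which makes it easy to drop into a fleet inventory job. Because the version check treats "10.12" as "10.12.0", an unpatched 10.12 or 10.12.1 system is correctly flagged while 10.13 and later pass.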