The Swedish hacker and penetration tester Ulf Frisk has devised a $300 device, dubbed PCILeech, that could be exploited by an attacker to gain full control of a Mac or MacBook.
The device is able to steal the password from virtually any Mac laptop while it is sleeping or even locked. The process is very fast, in just 30 seconds hackers can unlock any Mac computer and even decrypt the files on its hard drive.
The security expert devised a technique that leverage on two designing flaws he discovered in Apple’s FileVault2 full-disk encryption software.
“Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable.”
The first issue is the lack of protection against Direct Memory Access (DMA) attacks before macOS is started. The expert noticed that the Mac EFI or Extensible Firmware Interface let devices plugged in over Thunderbolt to access memory without enabling DMA protections. This means that Thunderbolt devices have a read and write access to the memory.
The second issue is the storage of password to the FileVault encrypted disk in clear text in memory, even when the computer is in sleep mode or locked.
“The second issue is that the the FileVault password is stored in clear text in memory and that it’s not automatically scrubbed from memory once the disk is unlocked. The password is put in multiple memory locations – which all seems to move around between reboots, but within a fixed memory range.” continues the analysis.
The PCILeech device is able to automate DMA attacks and extract Mac FileVault2 passwords stored in clear text in the device memory.
In the attack scenario, ill-intentioned accesses to a target Mac computer and connects the PCILeech hacking device to the computer via the Thunderbolt port.
Frisk shared a video PoC of the attack that shows how to hack a computer by plugging in a card flashed with a open source PCILeech software tool into the Mac’s Thunderbolt port.
In the video it possible to see that once connected the PCILeech device on the target Mac or MackBook, it is necessary to reboot the system in order to read the Mac password on the other laptop.
The attack takes is just 30 seconds to carry out successfully.
“Just stroll up to a locked Mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!”
The expert reported the results of his research to Apple in August that fixed the issues in Mac OS 10.12.2 released this week.
Don’t waste time, update you MAC asap.
(Security Affairs – PCILeech, hacking)