Mac OS X password recoverable from RAM?
In a recent post over at Ars Technica, they say that Mac OS X users could have their login passwords recovered through physically accessing the RAM. This comes after FileVault was proven to be cracked. The article notes that Mac OS X and certain applications store the user's password in memory, leaving it there after you've logged in. While locally-running apps cannot readily retrieve the password, someone could get access to the contents of RAM after the computer has been rebooted or shut down. This could be accomplished by physical means and might require the hacker to remove the RAM cover on your Mac and chill the RAM, as suggested by Edward Felten's research team at Princeton. This freezing allows the information to stay on the RAM for longer than the normal 2.5 to 35 seconds -- allowing someone to place it in another computer and read the contents.
In a separate approach to the password-in-RAM vulnerability, CNET witnessed an EFF demo of an attack using a custom NetBoot "EFI memory scraper" to record the RAM contents on reboot and save the data as a file on another machine over the network -- the attackers were able to clearly find the login password in the file. Again, this attack requires physical access to the machine (in order to force the NetBoot via holding down the N key on restart) within a minute or two of shutdown. However, an attacker could conceivably target a machine that was locked or sleeping (with RAM contents 'live'), power it off and back on, and use the NetBoot attack immediately.
While Apple has been made aware of the attack (notified on February 5), no fixes for these issues were reported in the 2/11 security update. According to CNET, an Apple spokesperson said they were aware of the issues and were "working to fix it in an upcoming software update." Until this update comes out, you may want to set a firmware password for your Mac, or wait longer before leaving your Mac unattended after a shutdown. Alternatively, we have lovely TUAW-branded tin foil hats available for purchase.
[via Ars Technica]
Correct me if I'm wrong, but it seems to me that if you start somebody's machine in FireWire target disc mode you can see everything that's on it regardless of whether or not they have a password set? Am I right? If so, it seems rather a hole in security!
March 05 2008 at 5:32 PM
Doesn't affect the Mac Pro, FB ECC ram clears at reboot :D
March 04 2008 at 10:53 AM
I would like to see them get the chips out of my MacBook Air and put them in another computer....
As we say in the real security industry FUD.
There's a lot of people here with little imagination. If you're using FileVault to protect your files, this is of great concern; why else would you use encryption in the first place?
What if law enforcement confiscates your mac with 80 gigs of pirated music?
What if someone found your laptop unattended, and completely bypassed the encryption, read your mail, contacts, scanned documents, messenger logs, saw pictures of your children, stole your identity and used your credit cards to purchase a set of 10,000 tinfoil hats ;) ?
FileVault is meant to protect you from these scenarios...
My "hotfix" for this problem is shut your computer down before you "get it stolen" and don't sleep it. Sure the extra 30 seconds is going to kill you but at least your government database of half the UK population will be safe.... oh sorry forgot that governments like to use non-encrypted methods. Then this is only really important for drug dealers to keep their shipment dates secret...
I jest of course, as we all know drug dealers still use Palms.
Well to start the firmware password is a joke! It can be reset by removing the RAM. 2nd if you have an OS X disk and you start the installation there is a neat little utility that allows you to reset the password. Unless of course you have FileVault turned on. Then you need to proceed with this modified EFI file. So until Apple fixes this I would stick to the tin foil hat boys.
March 04 2008 at 8:04 AM
All that work to get my passwords is absolutely ridiculous! But it is obviously a concern. In order to even get passwords from Mac OS X you have to physically get access to the computer itself so why not beat your “potentially infuriated ex” to the chase by using an online password manager? They might have a harder time freezing the server ; )
online vs offline password managers:
http://tinyurl.com/3ba3et
Louise Vinciguerra (PassPack)
Apparently, I also missed the spellcheck...
March 04 2008 at 1:13 AM
@ modalyodel
Ah I see, fair enough. I was coming from the perspective that the computer was already taken and no longer in your possession.
Maybe I'm missing something but why retrieve the password when you could just change it with an install disk. Unless something has changed in Leopard but the last several versions of OS X allowed you to do this. Though like I said I could have completely missed the point here...
March 04 2008 at 1:08 AM
Be more imaginative. If I change the password on your computer, the next time you try to login, you'll notice that the password stopped working. You might become suspicious from this alone; you may change the password to something else.
However, if I manage to grab your password without changing it, you probably won't notice a thing. I continue to have access to your computer as I please, possibly even remotely depending on your setup, without having to install a trojan or other piece of software.
If I'm a power business user worried about trade secrets and client info, then I should be more worried about building security if someone can walk into my office within two minutes of me stepping away, scraping my RAM and getting onto their computer. Those types of businesses usually have better security than that. Let's all run around outside yelling "The sky is falling, the sky is falling"
March 04 2008 at 12:46 AM