Mac OS X password recoverable from RAM?
In a recent post over at Ars Technica, they say that Mac OS X users could have their login passwords recovered by someone with physical access to the machine's RAM. This comes after FileVault was shown to be crackable by the same technique. The article notes that Mac OS X and certain applications keep the user's password in memory, leaving it there in plaintext after you've logged in. While locally-running apps cannot readily retrieve the password, someone could read the contents of RAM after the computer has been rebooted or shut down. This could be accomplished by physical means and might require the attacker to remove the RAM cover on your Mac and chill the RAM, as suggested by Edward Felten's research team at Princeton. Chilling the modules keeps their contents intact for longer than the normal 2.5 to 35 seconds -- long enough to move them into another computer and read them out.
In a separate approach to the password-in-RAM vulnerability, CNET witnessed an EFF demo of an attack using a custom NetBoot "EFI memory scraper" to record the RAM contents on reboot and save the data as a file on another machine over the network -- the attackers were able to clearly find the login password in the file. Again, this attack requires physical access to the machine (in order to force the NetBoot via holding down the N key on restart) within a minute or two of shutdown. However, an attacker could conceivably target a machine that was locked or sleeping (with RAM contents 'live'), power it off and back on, and use the NetBoot attack immediately.
While Apple has been made aware of the attack (notified on February 5), no fixes for these issues were included in the 2/11 security update. According to CNET, an Apple spokesperson said they were aware of the issues and were "working to fix it in an upcoming software update." Until this update comes out, you may want to set a firmware password for your Mac, or wait a minute or two after shutting down before leaving your Mac unattended. Alternatively, we have lovely TUAW-branded tin foil hats available for purchase.
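The underlying problem the article describes is a plaintext password left sitting in RAM after it has been used. As an added example (not code from the article, Ars, CNET or Apple), this shows the defensive habit that removes that exposure: copy the credential into a buffer, use it, then wipe the buffer with a write the compiler cannot drop as a dead store. The key-derivation step is a labelled stand-in, not a real KDF, and the password string is a constructed sample.

```c
/* Added example: scrub a password buffer as soon as it is no longer needed,
 * so no plaintext credential lingers in RAM for a cold-boot read or a
 * memory scrape to find. Not part of the article or any Apple code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A trailing memset() is often removed by the optimizer as a dead store.
 * Writing through a volatile pointer keeps the wipe in the binary
 * (explicit_bzero() / memset_s() exist for the same purpose). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Hypothetical stand-in for key derivation (FNV-1a, NOT a real KDF);
 * it only gives the password something to be used for. */
static uint32_t derive_stub(const unsigned char *pw, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= pw[i]; h *= 16777619u; }
    return h;
}

/* Returns 1 when every byte of buf is zero, otherwise 0. */
int buffer_is_zeroed(const unsigned char *buf, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= buf[i];
    return acc == 0;
}

/* Copies the password into buf, derives a key from it, wipes buf, and
 * reports through *wiped whether the plaintext is gone. */
uint32_t use_and_wipe(const char *password, unsigned char *buf,
                      size_t buflen, int *wiped) {
    size_t len = strlen(password);
    if (len > buflen) len = buflen;          /* never overrun the buffer */
    memcpy(buf, password, len);
    uint32_t key = derive_stub(buf, len);    /* the only legitimate use */
    secure_zero(buf, buflen);                /* the defensive step */
    *wiped = buffer_is_zeroed(buf, buflen);
    return key;
}

int main(void) {
    unsigned char buf[64];
    int wiped = 0;
    /* "correct horse" is a constructed sample, not a real credential */
    uint32_t key = use_and_wipe("correct horse", buf, sizeof buf, &wiped);
    printf("key=%08x plaintext wiped=%d\n", key, wiped);
    return wiped ? 0 : 1;
}
```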
[via Ars Technica]
Reader Comments (Page 1 of 2)
ben said 11:15PM on 3-03-2008
Is this serious? Why this is of grave concern I do not know. If you have files of such importance on your computer that it is made subject to vigilante RAM freezing to acquire your login password, you may want to find other means of securing your data other than Mac OS X's own.
Reply
XiozTzu said 11:16PM on 3-03-2008
What a joke! If they go through all that they can have all my lame files.
News alert! Hackers may be able to torture passwords out of computer users. All users of computers should drink a bottle of vodka after they create a password.
Reply
j0nkatz said 11:24PM on 3-03-2008
HA HA! This would require me to leave my MBP alone for more than a minute or two. NOT GONNA HAPPEN!
Reply
ben said 11:26PM on 3-03-2008
I was reading on TUWW (The Unofficial Wallet Weblog) that muggers can violently secure your credit cards, cash, receipts, etc. from your wallet by using threats of violence, or violence (including freezing the poor hapless SOB).
Kenneth Cole has yet to release an update to my Wallet addressing the issue.
Reply
Wheels said 11:35PM on 3-03-2008
If somebody actually bothers to do this, beats the odds and miraculously retrieves my password, they deserve it!
Was this "hack" developed by Rube Goldberg's great grandson?
Reply
Rich said 11:47PM on 3-03-2008
This isn't about a 'competition' of getting into your computer.
Companies often use laptops, laptops with important business information, possible trade secrets, employee/customer/client information, etc. They rely on disk encryption to keep this safe from people who shouldn't be getting at it.
So, there's much more at risk than someone "just" getting your password.
mattyohe said 11:39PM on 3-03-2008
Why are they going to the trouble of netbooting? What are they proving by netbooting?
Nothing!
If you have physical access you can easily reset the password to whatever you desire, and this is the case with all flavors of Windows as well.
The focus here is too much on that you can "gain access" when the actual problem is that the password is left in RAM in plaintext. This CAN leave other accounts on other systems/networks/websites vulnerable if you use the same login/password combination.
Since Spotlight searching is insanely fast these days, you could probably do MORE damage by walking up to a machine, rebooting from the OS X install disk, resetting the login password, and typing "password: kind:mail" in Spotlight.
Reply
Michael Rose said 12:08AM on 3-04-2008
If you read the CNET article you may note that the test machine was set up with FileVault. By design, getting physical access to such a machine (and resetting the admin password via a boot disk or other means) should NOT provide access to the encrypted contents of the home directory -- without that (original) login password, that data is supposed to be unreadable.
The reason this hack is of some concern is that it provides a method of retrieving the login password (and hence the FileVault key) in a relatively straightforward way via the EFI RAM copying tool. If I leave my desk -- with my machine asleep or locked -- and someone else can come in, hard-reboot it, hold down N to launch the scraper and proceed to unlock my encryption... well, despite our offer of tinfoil hats, that's really not a good situation.
matt said 11:50PM on 3-03-2008
How much are the hats?
Seriously though, the hacker would have to be standing next to me with a freezer, get access to my RAM in under 35 seconds (which is a maximum; most likely it would be gone before this), move the RAM into said freezer, and then have another machine handy to do the NetBoot. If I am too stupid to not notice the freezer or bucket of ice, etc., then I probably deserve to have my password stolen.
Reply
Michael Rose said 12:09AM on 3-04-2008
Matt, perhaps Cory's phrasing was unclear -- the freezing and the EFI scraper are two separate hacks, and one does not require the other. I'll add a linebreak to make that more evident.
harrywolf said 12:23AM on 3-04-2008
What a stupid world we live in.
It's always 'business users' who have the big security issues, like their latest top secret sales figures will change the world.
Get over yourselves - it's idiotic to be so paranoid about information.
How's this: I could not give a flying **** about all this security nonsense - it's gone way too far.
Just shut up, all you special 'business' types, with your Blackberries, your 'push' email (got to have it 10 seconds before it's sent etc.) and your ugly haircuts, your 50's suits, your crap right-wing politics and your nasty Earth-damaging ways.
You make me PUKE, you conformist robots.
And BTW, what ever happened to Windows, the leakiest, most insecure OS this side of the Planet Zargon?
Oh right, it's the darling of the idiot 'business' crowd, on whom we all depend for our survival - NOT.
Get a real job - grow some vegetables.
Freeze the frickin' RAM indeed.
Reply
AlMeister said 3:16PM on 3-04-2008
LOL! Preach it brother! That has got to be one of the best postings I've ever seen here! I'm putting your line about conformist robots in my email sig...
robogobo said 8:58PM on 3-04-2008
go girl.
jeffiel said 12:52AM on 3-04-2008
Grow some vegetables, awesome.
Reply
cobaltkooky said 10:18AM on 5-08-2008
If I'm a power business user worried about trade secrets and client info, then I should be more worried about building security if someone can walk into my office within two minutes of me stepping away, scrape my RAM and get it onto their computer. Those types of businesses usually have better security than that. Let's all run around outside yelling "The sky is falling, the sky is falling."
Reply
Will said 1:09AM on 3-04-2008
Maybe I'm missing something, but why retrieve the password when you could just change it with an install disk? Unless something has changed in Leopard, the last several versions of OS X allowed you to do this. Though like I said, I could have completely missed the point here...
Reply
modalyodel said 1:35AM on 3-04-2008
Be more imaginative. If I change the password on your computer, the next time you try to login, you'll notice that the password stopped working. You might become suspicious from this alone; you may change the password to something else.
However, if I manage to grab your password without changing it, you probably won't notice a thing. I continue to have access to your computer as I please, possibly even remotely depending on your setup, without having to install a trojan or other piece of software.
Will said 1:13AM on 3-04-2008
Apparently, I also missed the spellcheck...
Reply
Will said 2:07AM on 3-04-2008
@ modalyodel
Ah I see, fair enough. I was coming from the perspective that the computer was already taken and no longer in your possession.
Louise said 7:57AM on 3-04-2008
All that work to get my passwords is absolutely ridiculous! But it is obviously a concern. In order to even get passwords from Mac OS X you have to physically get access to the computer itself, so why not beat your 'potentially infuriated ex' to the chase by using an online password manager? They might have a harder time freezing the server ; )
online vs offline password managers:
http://tinyurl.com/3ba3et
Louise Vinciguerra (PassPack)
Reply