Security firm extracts Mac OS user login passwords over FireWire

OMG. Lock up your Mac now! Security firm Passware sent out a PR blast this morning noting that their $995 application Passware Kit Forensic v11 can retrieve Mac OS user login passwords, and they're saying that this "proves Mac OS Lion insecure."
The expensive app, which Passware will happily sell you for all of your forensic and password-stealing needs, is used to connect a Windows machine running the software to a Mac via a FireWire connection. It can apparently "capture live Mac memory" and extract passwords regardless of the strength of your password or use of FileVault encryption.
While Passware Kit Forensic could be extremely useful for law-enforcement and government officials, as well as network administrators in enterprises, it doesn't seem likely that a common criminal is going to purchase Passware Kit Forensic when they're much more likely to want to wipe the hard drive and sell a stolen Mac for fast cash.
Where this is a bit scary is in industrial or governmental espionage. Those are the situations where a thousand-dollar app would be chump change and the information that's stolen could make or lose billions of dollars. In those cases, Passware's president Dimitry Sumin notes "it is important to ensure physical security of the computer. One might also consider using additional encryption software."
As for the rest of us with information that isn't too important? There's an easy way to keep yourself safe -- just turn off your computer when it's not in use instead of putting it to sleep, and disable the Automatic Login setting. By doing this, passwords aren't present in memory and can't be recovered using Passware's software.
It's interesting that Passware didn't headline their press release with "Passware Proves Windows 7 Insecure..." since the same software easily retrieves passwords from that commonly used OS.
If you have physical access to ANY computer, its data is not secure. Yes, even Macs. When 10.5 was new, there was a bug that caused account privilege *demotion*. Of course, this bug bit me at 35,000 feet over the Pacific ocean. Since I had physical access to my Mac (and a LOT of time on my hands), I was able to "hack" my own Mac and promote my account back to Administrator. Physical access beats all, and these people are charging you $995 to learn that lesson.
July 27 2011 at 5:15 PM

ummm... hasn't this always been a bit of a flaw and security issue with FireWire as well as the Thunderbolt protocol?
"Like Firewire, the Intel-designed Thunderbolt is based on a peer-to-peer design that assigns blind trust to any device that connects through the bi-directional, dual channel interface. According to security expert Robert Graham, that gives attackers yet another ***** to exploit when targeting machines that offer the interconnect."
- http://www.theregister.co.uk/2011/02/24/thunderbolt_mac_threat/
So here is a question... for the security paranoid. Say I wanted to disable my firewire port? Anyone know the CLI, or if it's even possible?
July 27 2011 at 9:35 AM

Stick some chewing gum in the hole. :)
July 27 2011 at 9:04 PM

I must admit this caught my attention because I didn't expect forensic tools for Lion to come out this fast. What the company conveniently skips in the press release is that they cannot extract the OS X password if FileVault is turned on. Also they have a problem with TrueCrypt volumes if the computer has been shut down and a whole bunch of other stuff like that. On a Windows computer however, they can extract the admin password and reset anything regardless of what you do to the drive (TrueCrypt limitation again). So NO, Lion is not broken at all, plus it's not like the rest of the world thought that you cannot decrypt user account passwords on a *nix machine. Yes, they are stored in an encrypted file, but if you can get your hands on the files this is hardly the only tool that you can use to recover the passwords.
July 27 2011 at 5:54 AM

My understanding is that it's not just a forensic tool for Lion. It was written for SL and happens to still work on Lion.
July 27 2011 at 9:40 AM

...... And if a hacker has physical access to your computer in any way your security is boned anyway.
Nothing new here about that :D
A fine article until that last part. You just had to stoop at the end and slant Windows again even though it gives no extra value to the article. Maybe they wanted to concentrate on Lion's vulnerabilities because it's a newer OS and has been boasted to be "So much more secure than Windows"? Mac OS has its problems too, even if you don't want to see it.
July 27 2011 at 2:00 AM, rated -2

Meh... No worries. Pretty much all of the Mac's security flaws only appear under less than normal circumstances.
July 26 2011 at 10:41 PM

What about enabling secure virtual memory? Does that stop it? Just wondering.
July 26 2011 at 3:55 PM

Not necessarily. Enabling secure virtual memory definitely helps, since it ensures that anything in memory being stored on your hard drive is encrypted. I would guess that most computer forensics software checks your system's virtual memory for this type of stuff. However, this only applies to "offline" attacks, where you're scanning a hard drive after a system has been turned off. FileVault 2 already defeats this, since your entire drive is encrypted anyway.
The vulnerability is in the fact that decryption keys for your drives, your password vaults, etc, still need to be loaded into memory in order to decrypt your data and make it useful to you. Unfortunately, there's no real way around that. If your system can't access those keys, you can't use your system. Consequently, anything that has physical access to your machine or malware running on your machine has the ability to see everything currently stored in memory, and can use that data to get access to your stuff. That's just how computers work.
Smartphones are no exception. We've all seen stories of law enforcement carrying around electronic readers that can suck down virtually all the data available within the phone, regardless if it has hardware encryption as does the iPhone 3GS and iPhone 4. Since the keys are loaded in memory whenever your phone is booted up and unlocked, your data is vulnerable if anyone can get physical access to it.
Quote from http://www.lostpassword.com/hdd-decryption.htm#imager : "Both the target computer and the computer used for acquisition have FireWire (IEEE 1394) ports." The dinosaur machines with Firewire are at least 3 years old. Since sales are booming since then we can safely say that 80% of the Mac users with Lion do not have a Firewire port. So as long as this doesn't work with USB or now Thunderbolt this is a non-issue for viewing on machines that should've been updated.
July 26 2011 at 3:02 PM, rated +1

I would imagine that a similar attack can be made for Thunderbolt, since it is essentially PCIe over an external wire. Thus it also allows direct memory access like Firewire.
July 26 2011 at 3:06 PM

Most mac models still have Firewire 800. Even the brand-new Mini has Firewire.
July 26 2011 at 3:09 PM

Everyone already knows Windows is insecure. That's why we're all using Macs, right?
/me takes off tinfoil hat