Network Security, Vulnerability Management

Mac password-stealing flaw patched


Got Mac? Then you are vulnerable to an attacker plugging in a device to siphon out passwords – unless you updated with the December patches.

The flaw, as explained by security researcher Ulf Frisk, allowed attackers with physical access to a Mac to plug in a $300 Thunderbolt device that was able to vacuum out passwords via macOS FileVault2 – even if the Mac was locked.

"Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!," Frisk wrote on his blog.

The researcher explained that the flaw was owing to the fact that Mac does not defend against direct memory access (DMA) attacks before macOS is turned on. EFI (extensible firmware interface), which is running at this point, enables Thunderbolt, thus allowing malicious devices to read and write memory, Frisk explained. As well, the FileVault password is stored in clear text in memory.

Frisk contacted Apple on Aug. 15 to alert them to the flaw and heard back the next day when the company requested that he hold back on releasing his findings until a fix could be issued.

The company released macOS 10.12.2 on Dec. 13. The update patches the flaw. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.