Are Macs as safe as we are led to believe? It is widely assumed that Macs, at their core, are more protected from common malware and security threats than Windows machines.
For the most part, this may still hold true, but in this age of social engineering scams and stealthy hardware hacks, the computer security landscape is changing fast.
We've seen cheap Raspberry Pi USB gadgets loaded with hacking software like Responder and PoisonTap steal login credentials and install backdoors on locked computers in a matter of seconds. All anyone needs is physical access to a workstation and it's game over.
Now, another Mac peripheral has emerged that can be used to steal passwords in just 30 seconds.
PCILeech via Thunderbolt
This new hacking technique, demonstrated by Swedish security tester Ulf Frisk in the video below, exploits a weakness in how macOS protects the password it holds in memory for Apple's FileVault2 disk decryption.
The cost of this hack? Aside from the computer, scrounging up the necessary components for this technique costs about $300.
By connecting a computer and a memory card loaded with Frisk's PCILeech software to a Mac via a Thunderbolt adapter, anyone could extract its password by merely rebooting it.
According to Frisk, the hack is possible because Macs are not protected against Direct Memory Access (DMA) attacks before the main operating system is started. This allows Thunderbolt devices to read and write memory before macOS and its DMA protections are running.
Another issue is that the FileVault password is stored in plain text while it's in memory, and it is not cleared even once the disk has already been decrypted. Frisk adds that even though the password is placed in multiple locations, these are all within a fixed memory range.
This flaw allows anyone with physical access to a Mac to simply connect the PCILeech components via Thunderbolt, reboot it, and wait until the password is displayed on the other computer.
"Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access - unless the mac is completely shut down," Frisk warns.
"If the mac is sleeping it is still vulnerable. Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!"
Fortunately, Apple has patched this flaw in macOS 10.12.2, so update your machine to this version as soon as you can.
It is also recommended that you set a firmware-level password to protect your Mac against these physical-access hardware attacks.
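To make the two mitigations above checkable, here is an added audit script (not from the article or from Frisk's PCILeech project). It assumes the real macOS tools sw_vers and firmwarepasswd, and that firmwarepasswd -check prints a "Password Enabled: Yes/No" line; the pure functions are kept separate so they can be exercised on any POSIX shell with constructed input.

```shell
#!/bin/sh
# Added example: audit a Mac for the fix version (10.12.2) and a firmware password.
# Assumptions: sw_vers/firmwarepasswd exist on macOS; firmwarepasswd -check (run as
# root) prints a line "Password Enabled: Yes" or "Password Enabled: No".

# version_ge A B -> exit 0 if dotted version A >= B, comparing up to three components.
version_ge() {
    a=$1; b=$2; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f "$i"); y=$(printf '%s' "$b" | cut -d. -f "$i")
        x=${x:-0}; y=${y:-0}                    # a missing component counts as 0
        if [ "$x" -gt "$y" ]; then return 0
        elif [ "$x" -lt "$y" ]; then return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# firmware_password_enabled TEXT -> exit 0 if the firmwarepasswd output reports Yes.
firmware_password_enabled() {
    printf '%s\n' "$1" | grep -q '^Password Enabled: Yes'
}

# audit_mac VERSION CHECK_OUTPUT -> prints findings; exit status = number of gaps found.
audit_mac() {
    ver=$1; fwcheck=$2; gaps=0
    if version_ge "$ver" 10.12.2; then
        echo "OK: macOS $ver includes the FileVault DMA fix shipped in 10.12.2"
    else
        echo "WARN: macOS $ver predates 10.12.2; pre-boot Thunderbolt DMA can read the FileVault password"
        gaps=$((gaps + 1))
    fi
    if firmware_password_enabled "$fwcheck"; then
        echo "OK: firmware password is set"
    else
        echo "WARN: no firmware password set (recommended against physical-access attacks)"
        gaps=$((gaps + 1))
    fi
    return "$gaps"
}

# Real run, only on macOS and as root (firmwarepasswd requires it); skipped elsewhere.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    audit_mac "$(sw_vers -productVersion)" "$(firmwarepasswd -check 2>/dev/null)"
fi
```

Run it with sudo on the Mac being checked; a non-zero exit status means at least one of the two mitigations is missing.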
Needless to say, another foolproof method is to never leave a computer unattended in public places.
Always remember that nowadays, all it takes is a few seconds of physical access for a hacker to compromise your machine.