“Yesterday’s news of Passware’s ability to decrypt FileVault-encrypted Macs in under an hour may have some people concerned about what this means for Mac security,” Topher Kessler reports for CNET.
“After all, the purpose of encryption is to keep people from easily accessing the data on your drive, and yet Passware shows that in the hands of a capable person, your drive’s encrypted contents might quite easily be uncovered,” Kessler reports. “Security experts speculate that the 128-bit XTS-AESW encryption used in FileVault would take millions of years to crack with a brute-force approach, so while Passware’s approach clearly does not employ a brute-force option, why is it able to crack it in under an hour?”
Kessler reports, “The real issue here stems not from FileVault, but rather from an age-old criticism of FireWire technology: Direct Memory Access (DMA) through a communications port… However, the chances that your system would be attacked in this way are quite slim, especially because of the requirements needed to pull off this hack.”
Read more in the full article here.
Your chances of being hacked this way are NOT slim if you are crossing an international border, especially into the USA, if you are of interest to any government. You don’t have to be involved in anything sinister to come to the attention of government, you just have to fall into one of the profiles that make them curious. If you’re serious about protecting your data with encryption, you’ll need something other than, or in addition to, FileVault.
If you power down the machine completely, e.g., not sleep, but turn it off, before going through Customs, Passware’s technique won’t work. The FileVault password has to be cached in active RAM to be recovered this way.
However, you should complain to your congressional reps about border guards violating the 4th Amendment by seizing computers/iPads/iPods without probable cause and/or judicial oversight.
Complain all you want.
The U.S. Supreme Court has ruled that the customs area is a no man’s land where normal rights that would require a search warrant do NOT apply. Customs agents can seize and do anything they want to your laptop/tablet/phone anytime they want as long as they seize it within the “customs zone” at any port of entry. (Note: a port of entry could be the international terminal in an airport in Ohio. It does not have to be at the border.)
Thus any bill that Congress might pass and the president might sign into law against doing this would almost immediately be ruled against by the U.S. Supreme Court.
You don’t understand Supreme Court jurisprudence ruling in this area. The Supreme Court has said that the Constitution doesn’t STOP the government from doing this. In other words, Congress and the President are free to let customs agents do these kinds of searches if they (Congress and President) choose. However, that ruling would NOT invalidate additional protection being created by legislation passed by Congress and signed into law by the President.
Make sense? The Supreme Court merely said that the people can’t stop the federal government from doing this through the courts, they did NOT say that U.S. Customs is above being controlled/limited by elected officials passing laws.
This exploit requires:
• physical access to the machine
• an encrypted volume being currently mounted
• the key/password being in active RAM.
Their technique is based on a well-known problem with external communication links and has nothing to do with a weakness in FileVault. Furthermore, it’s essentially impossible to completely protect a machine from an attacker that has physical access and strong software tools.
I wonder if this was designed this way for the government?
THE FACTS ABOUT THE FILEVAULT CRACK:
1) The cracker requires physical access to your Mac.
2) The Mac must be running at the time of the access.
3) The Mac must have an available FireWire port.
THE PROBLEM:
Apple stores the password to your FileVault encryption in RAM. Oops. Major DUH Factor Apple. Don’t do that.
THE WORKAROUND:
Turn OFF your Mac whenever you leave it accessible to other people. Putting it to sleep is NOT adequate.
THE SOLUTION
Until Apple prevent RAM access to your FileVault password, move along to a better whole disk encryption system.
Further details are available in my blog article about this crack at:
Mac-Security Blog
Another option: DESTROY the FireWire ports on your Mac. If FireWire doesn’t work, the crack doesn’t work.
Are you for real? The encryption keys are in RAM by definition and need to be as long as the drive is mounted. That is an inherent fact of any full disk encryption.
Not storing them in RAM means the drive cannot be kept mounted, as no access is possible any more.
By the way: All Thunderbolt Macs have an IOMMU in the CPU, so it only takes properly working drivers which shut off general DMA to the entire RAM to completely invalidate attacks through both FireWire and Thunderbolt. If there’s anything Apple would need to look at (if they haven’t already!) it’s that.
(The “freeze attack” would still be possible, but it’s quite a bit more intrusive and it cannot be done without being detected.)
Apart from shutting the machine down another option would be hibernation through a pmset command or through Smart Sleep since the machine would be completely shut down while “sleeping” as well.
By the way: All the other full disk encryption tools you’re presenting as “the solution” on your blog have the exact same vulnerability.
FileVault 2 is right up with (but not necessarily above) the others with respect to security.
Whoever consults you for security should rather put their money somewhere else – you clearly don’t know what you’re talking about.
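Added example, not part of the comment above or of the original article: a small shell audit of `pmset -g` output for the hibernation mitigation that comment mentions. The sample outputs are constructed, and the `destroyfvkeyonstandby` check is an extra setting from the pmset man page that the page itself does not discuss.

```shell
#!/bin/sh
# Audit `pmset -g` output (read from stdin) for sleep settings that leave
# the FileVault key in powered RAM while the lid is closed.

# Constructed samples of `pmset -g` output (not captured from a real Mac).
SAMPLE_DEFAULT='Currently in use:
 standby              1
 hibernatemode        3
 sleep                10
 displaysleep         10'

SAMPLE_HARDENED='Currently in use:
 standby              1
 hibernatemode        25
 destroyfvkeyonstandby 1
 sleep                10'

# pmset_value KEY: print the value of KEY from pmset output on stdin.
pmset_value() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# audit_pmset: print findings; return 0 only if both settings are hardened.
audit_pmset() {
    out=$(cat)
    mode=$(printf '%s\n' "$out" | pmset_value hibernatemode)
    destroy=$(printf '%s\n' "$out" | pmset_value destroyfvkeyonstandby)
    rc=0
    case "$mode" in
        25) echo "OK   hibernatemode=25: memory image on disk, RAM powered off" ;;
        "") echo "WARN hibernatemode not reported"; rc=1 ;;
        *)  echo "WARN hibernatemode=$mode: RAM stays powered in normal sleep"; rc=1 ;;
    esac
    if [ "$destroy" = "1" ]; then
        echo "OK   destroyfvkeyonstandby=1"
    else
        echo "WARN destroyfvkeyonstandby=${destroy:-unset}: key kept across standby"
        rc=1
    fi
    return $rc
}

# Demo on the constructed default profile; prints two WARN lines.
printf '%s\n' "$SAMPLE_DEFAULT" | audit_pmset || true
```

On a Mac, feed it live settings with `pmset -g | audit_pmset`.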
Does that also work through the Thunderbolt interface? If not, then the MacBookAir is the answer to your security needs :o)