Security researcher Ulf Frisk has shared details of a vulnerability in macOS 10.12.1 and lower that allowed anyone with physical access to a locked Mac to quickly and easily obtain the password simply by plugging in a $300 Thunderbolt device.
Frisk notified Apple back in August, when the company confirmed the issue and asked him to withhold details pending a fix. He reports that the vulnerability is no longer present in macOS 10.12.2, and has now explained exactly how it worked.
Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the Mac is completely shut down. If the Mac is sleeping, it is still vulnerable.
Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!
The reboot switches off the DMA protections, but the password is still present in memory for a few seconds – long enough for the device to search for, and retrieve, it. Watch the video below to see it in action.
The first issue is that the mac does not protect itself against Direct Memory Access (DMA) attacks before macOS is started. EFI which is running at this early stage enables Thunderbolt allowing malicious devices to read and write memory. At this stage macOS is not yet started. macOS resides on the encrypted disk – which must be unlocked before it can be started. Once macOS is started it will enable DMA protections by default.
The second issue is that the the FileVault password is stored in clear text in memory and that it’s not automatically scrubbed from memory once the disk is unlocked. The password is put in multiple memory locations – which all seems to move around between reboots, but within a fixed memory range.