Security researchers managed to obtain passwords saved on the Mac while in sleep mode using a FireWire device. The issue exists in both Mac OS X "Snow Leopard" and "Lion."
It
is possible to recover user passwords from Mac systems set on sleep mode,
including running the latest version of Mac OS X "Lion," a password
recovery software vendor said.
Passware
researchers were able to recover passwords by connecting to a Mac through the
FireWire port, the company said July 26. All that the trick requires is a Mac
that has been locked, put into sleep mode or have FileVault disk encryption
turned on, Passware said.
"Long
touted as a stable and secure operating system, Mac users are cautioned that
the newest operating system has a potential vulnerability that enables password
extraction from devices running Mac OS Lion," said Dmitry Sumin, president of
Passware.
The
company said it was able to obtain passwords on Macs that were in sleep mode as
opposed to being powered off. The targeted Macs also had the "Automatic
Login" setting enabled, which is turned on by default on all Macs. The
setting means the password is resident in the computer's memory. Since FireWire
uses Direct Memory Access (DMA) to achieve fast connection speeds, anyone
connected to the system through the port has full access to the computer's
memory range, Passware said. By design, FireWire allows any device to read and
write to any other connected device.
The
passwords can be obtained even if the user installed FileVault encryption or
selected a complex and strong password. The security flaw is present in Mac OS
10.6 "Snow Leopard" and in 10.7 "Lion," according to
Passware.
Passware
released Passware Kit Forensic v11 to capture computer memory over FireWire and
extract all log-in passwords stored there within minutes. The $995 package can
even extract the passwords stored on the Mac's keychain.
The
technique is not new. Passware itself decrypted hard disks encrypted with
Microsoft's BitLocker and TrueCrypt with the same process.
Users
concerned about the threat turn off Macs when they are not being used, instead of locking them or
putting them into sleep mode, according to Passware. The other option is ot disable FireWire entirely, Sumin told eWEEK.
There
are limitations to computer security, Sumin said. "If data stored is
confidential, it is important to ensure physical security of the
computer," he said, adding that sensitive data should be encrypted.
Users should also change the default setting on the Macs to not
automatically log in when the computer starts, recommended
Mac
antivirus company Intego, which provided detailed instructions on its blog.
"Think about making this change to protect your data from easily being
grabbed by anyone who finds or steals your Mac," Intego wrote.
However, Sumin pointed out that even with "Automatic Login" turned off, when the user logs in, the password gets stored in the machine's memory. The password can still be stolen even if the computer requires users to login each time, Sumin said.
Passware
is not the only one releasing software to get past Mac defenses. Moxie
Marlinspike posted on July 25 an update to the sslsniff tool. Sslsniff allows
users to easily perform man-in-the-middle attacks against SSL/TLS connections
and now can be used to snoop on secure communications from unpatched Apple
devices.
If
left unpatched, the
SSL
issue fixed by Apple in the latest iOS update would allow attackers to
capture traffic from the vulnerable iPhone, iPad or iPod Touch, according to
Chester
Wisniewski, senior security adviser at Sophos. On the same day,
Moscow-based
Elcomsoft
also released an updated
"all-in-one"
forensic toolkit for extracting encrypted data stored on iOS devices.
Print
