Apple Macintosh Leaks Passwords Through FireWire When in Sleep Mode

Security researchers managed to obtain passwords saved on the Mac while in sleep mode using a FireWire device. The issue exists in both Mac OS X "Snow Leopard" and "Lion."

It is possible to recover user passwords from Mac systems set on sleep mode, including running the latest version of Mac OS X "Lion," a password recovery software vendor said.

Passware researchers were able to recover passwords by connecting to a Mac through the FireWire port, the company said July 26. All that the trick requires is a Mac that has been locked, put into sleep mode or have FileVault disk encryption turned on, Passware said.

"Long touted as a stable and secure operating system, Mac users are cautioned that the newest operating system has a potential vulnerability that enables password extraction from devices running Mac OS Lion," said Dmitry Sumin, president of Passware.

The company said it was able to obtain passwords on Macs that were in sleep mode as opposed to being powered off. The targeted Macs also had the "Automatic Login" setting enabled, which is turned on by default on all Macs. The setting means the password is resident in the computer's memory. Since FireWire uses Direct Memory Access (DMA) to achieve fast connection speeds, anyone connected to the system through the port has full access to the computer's memory range, Passware said. By design, FireWire allows any device to read and write to any other connected device.

The passwords can be obtained even if the user installed FileVault encryption or selected a complex and strong password. The security flaw is present in Mac OS 10.6 "Snow Leopard" and in 10.7 "Lion," according to Passware.

Passware released Passware Kit Forensic v11 to capture computer memory over FireWire and extract all log-in passwords stored there within minutes. The $995 package can even extract the passwords stored on the Mac's keychain.

The technique is not new. Passware itself decrypted hard disks encrypted with Microsoft's BitLocker and TrueCrypt with the same process.

Users concerned about the threat turn off Macs when they are not being used, instead of locking them or putting them into sleep mode, according to Passware. The other option is ot disable FireWire entirely, Sumin told eWEEK.

There are limitations to computer security, Sumin said. "If data stored is confidential, it is important to ensure physical security of the computer," he said, adding that sensitive data should be encrypted.

Users should also change the default setting on the Macs to not automatically log in when the computer starts, recommended Mac antivirus company Intego, which provided detailed instructions on its blog. "Think about making this change to protect your data from easily being grabbed by anyone who finds or steals your Mac," Intego wrote.

However, Sumin pointed out that even with "Automatic Login" turned off, when the user logs in, the password gets stored in the machine's memory. The password can still be stolen even if the computer requires users to login each time, Sumin said.

Passware is not the only one releasing software to get past Mac defenses. Moxie Marlinspike posted on July 25 an update to the sslsniff tool. Sslsniff allows users to easily perform man-in-the-middle attacks against SSL/TLS connections and now can be used to snoop on secure communications from unpatched Apple devices.

If left unpatched, the SSL issue fixed by Apple in the latest iOS update would allow attackers to capture traffic from the vulnerable iPhone, iPad or iPod Touch, according to Chester Wisniewski, senior security adviser at Sophos. On the same day, Moscow-based Elcomsoft also released an updated "all-in-one" forensic toolkit for extracting encrypted data stored on iOS devices.