The common perception that Macs are much safer than Windows PCs holds true on several counts if we compare the two ecosystems one-on-one. But, that doesn’t mean that Apple devices do not come up with their own share of security vulnerabilities. One such vulnerability was recently demonstrated by a Swedish security researcher who seized full control of a Mac as it sat idly in the Sleep mode.
The security researcher who goes by the name ULF Frisk showed off a new device that can steal passwords from virtually any Mac that’s locked or sleeping. He explained that the device can be built from scratch by spending approximately $300 and it can be connected to a Mac via the Thunderbolt port. While the method has not yet been tested on Macs with USB Type-C, odds are high it will work because the loophole resides in FileVault2.
Illustrating further, Frisk states that the vulnerability essentially exposes the Mac to Direct Memory Access (DMA) exploits as it enables Thunderbolt devices to read and write memory. And even when the system is locked, the password to the encrypted disk is stored in plain text in memory. Moreover, when the reboots the system, the password remains available initially before being overwritten by new content. That’s precisely how Frisk’s device manages to steal the password without leaving behind any obvious traces.
To hack a Mac using this method would require physical access to the target computer. However, the whole process can be done with in less than half-a-minute.
“Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable. Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!” Frisk explains.
You can find further details about the loophole on Frisk’s official blog: http://blog.frizk.net/2016/12/filevault-password-retrieval.html?m=1