Apple Quietly Fixed A Major FileVault 2 Vulnerability

If you have a Mac, I recommend that you use Apple’s FileVault 2 encryption because if your Mac gets stolen, your data is protected with XTS-AES-128 encryption with a 256-bit key, meaning the bad guys won’t get anything.

Apparently that wasn’t quite true.

Ulf Frisk, a security researcher based in Sweden, found that he could plug a device running software called PCILeech into a Mac and obtain the FileVault 2 encryption password using a direct memory access (DMA) attack during the reboot process. What this means is that he didn’t crack the encryption per se. What he did was leverage flaws in the way Apple had implemented the Extensible Firmware Interface (EFI) during the early stages of the boot process. Apple’s implementation was designed to allow devices connected by Thunderbolt 2 to read and write memory in the Mac before the operating system booted.

Now think about how this could be leveraged in the real world. You go to a foreign country on vacation and customs wants to browse the contents of your MacBook. You say no. You’re arrested and the customs officer takes your MacBook and plugs in one of these devices. In under 30 seconds he has the means to start strolling through the contents of your MacBook.

Scary.

The good news is that Apple corrected this in the latest macOS Sierra 10.12.2 update that came out earlier this week, according to Frisk, who reported this to Apple back in the summer. Likely this was done by updating the EFI firmware. I say that because not only is that the only way to fix this, but the firmware version of both MacBook Pros in my house changed after this update (I keep track of obscure stuff like this because if an update breaks something, I want to ensure I have as much information as possible to troubleshoot it. I admit that the average person isn’t as OCD as I am and would likely never notice this). But strangely, the versions that they now have aren’t listed on this list of firmware versions provided by Apple. It hasn’t been updated in some time, so it is entirely possible that Apple no longer maintains this list. But the side effect of that is that it isn’t clear if every Mac that runs macOS Sierra got an EFI firmware update or not. What’s really weird is that this isn’t mentioned in the security release notes that came out this week with these updates. Why is that important? Because if it isn’t mentioned in the security release notes, it isn’t clear if this fix is in the security updates that came out for OS X El Capitan or OS X Yosemite, which shipped at the same time as the update for Sierra. If not, those users would have to upgrade to Sierra to get this fix, assuming their Mac supports Sierra of course. If not, they have a Mac that is vulnerable to this attack and there is nothing they can do to protect themselves. Bottom line is that because of the lack of info on this, it gives the impression that Apple is just quietly trying to fix this. And that doesn’t help users of their products to properly protect themselves.
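For readers who want to do the same kind of firmware tracking described above, here is a small shell script that pulls the Boot ROM (EFI firmware) version out of the text that `system_profiler SPHardwareDataType` prints, compares it with a baseline recorded before an update, and reads the FileVault state from `fdesetup status`. This is an added example, not code from the original post or from Apple; the two hardware reports and the FileVault line embedded in it are constructed so it runs offline, and the version strings in them are placeholders rather than real Apple firmware versions.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Keep a baseline of the Boot ROM (EFI firmware) version reported by
# `system_profiler SPHardwareDataType` and the FileVault state reported by
# `fdesetup status`, so that a firmware change after a macOS update (or the
# unexpected absence of one) is noticed. The report text below is constructed
# so the script runs offline; on a real Mac feed it the live command output.

# Constructed sample reports (version strings are placeholders, not real values).
REPORT_BEFORE='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Boot ROM Version: PLACEHOLDER.0001.B01
      SMC Version (system): 0.00f00'

REPORT_AFTER='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Boot ROM Version: PLACEHOLDER.0001.B02
      SMC Version (system): 0.00f00'

# Constructed stand-in for the output of `fdesetup status`.
FDE_SAMPLE='FileVault is On.'

# Pull the Boot ROM version out of a system_profiler report passed as $1.
# Prints an empty string when the report has no such line.
boot_rom_version() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Boot ROM Version:[[:space:]]*//p' | head -n 1
}

# Compare a saved baseline version ($1) with the current one ($2).
# Prints: changed | unchanged | unknown (when either value is missing).
firmware_status() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo unknown
    elif [ "$1" = "$2" ]; then
        echo unchanged
    else
        echo changed
    fi
}

# Interpret `fdesetup status` output passed as $1: prints on | off | unknown.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Walk through the update scenario from the post using the constructed reports.
run_example() {
    baseline=$(boot_rom_version "$REPORT_BEFORE")
    current=$(boot_rom_version "$REPORT_AFTER")
    printf 'baseline firmware: %s\ncurrent firmware:  %s\n' "$baseline" "$current"
    printf 'firmware: %s\n' "$(firmware_status "$baseline" "$current")"
    printf 'FileVault: %s\n' "$(filevault_state "$FDE_SAMPLE")"
}

run_example
```

On an actual Mac, replace the constructed strings with `boot_rom_version "$(system_profiler SPHardwareDataType)"` and `filevault_state "$(fdesetup status)"`, save the version to a file before installing an update, and run the comparison afterwards; a result of `unchanged` after an update that was expected to carry firmware is the case worth looking into.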

As far as Frisk can tell, a Mac with this update is now one of the most secure platforms with regards to this specific attack vector. Thus, this would be a good time to ensure that you’re running the latest version of the macOS. If you can.

UPDATE: A reader on OS X 10.11 just told me that the security update did an update on his firmware on his MacBook Pro as well.

One Response to “Apple Quietly Fixed A Major FileVault 2 Vulnerability”

  1. […] reported this exact attack scenario to the world and it was thought to have been fixed by Apple in the macOS 10.12.3 update from a few months ago. But perhaps not as we have a mention of it here in the 10.12.4 update that […]
