Mac FileVault passwords stored in clear text

Powered by SC Magazine

Flawed update contained debug logs that trap passwords.

Passwords for Apple Mac FileVault are being stored in the clear due to a borked OS X security update issued in February.

The security hole affected OS X Lion users under specific conditions and could allow passwords for the local encryption software to be harvested.

It occurred because the update 10.7.3 contained an accessible debugging facility that appeared to have been accidentally left open. The logs would detail clear text FileVault passwords for every user who logged in since the update was applied.

An attacker could bypass the OS X log-in screen and access the passwords by “booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file”, security researcher David Emery said.

“This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.”

Emery discovered the flaw and disclosed details on the Cryptome mailing list.

“... Having the password logged in the clear in an admin readable file *COMPLETELY* breaks a security model - not uncommon in families - where different users of a particular machine are isolated from each other and cannot access each others files or login as each other with some degree of assurance of security,” he said.

Apple has not responded to disclosure of the flaw.

Passwords were also accessible through a log contained within system backups created by Apple's Time Capsule software.

Users were only affected if they had used FileVault prior to upgrading to OS X Lion and applying the bad software update.

Emery said users could protect themselves from the firewire disk and recovery partition attacks by using the FileVault 2 whole disk encryption software. Users should also set a firmware password which would be required on boot.

Users who either upgrade to FileVault 2 or disable the legacy software should change their passwords to render invalid the passwords recorded in the logs.

“Carefully built crypto has a unfortunate tendency to consist of three thick impregnable walls and a picket fence in the back with the gate left open,” Emery said.

Copyright © SC Magazine, Australia

Mac FileVault passwords stored in clear text
Top Stories
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
The CISO’s dilemma: Do you trust your partner’s partner?
[Blog post] How far down the chain do you check?
Sign up to receive iTnews email bulletins
Latest Comments
In which area is your IT shop hiring the most staff?

   |   View results
IT security and risk
Sourcing and strategy
IT infrastructure (servers, storage, networking)
End user computing (desktops, mobiles, apps)
Software development

Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results