Mac FileVault passwords stored in clear text

Powered by SC Magazine
 

Flawed update contained debug logs that trap passwords.

Passwords for Apple Mac FileVault are being stored in the clear due to a borked OS X security update issued in February.

The security hole affected OS X Lion users under specific conditions and could allow passwords for the local encryption software to be harvested.

It occurred because the update 10.7.3 contained an accessible debugging facility that appeared to have been accidentally left open. The logs would detail clear text FileVault passwords for every user who logged in since the update was applied.

An attacker could bypass the OS X log-in screen and access the passwords by “booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file”, security researcher David Emery said.

“This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.”

Emery discovered the flaw and disclosed details on the Cryptome mailing list.

“... Having the password logged in the clear in an admin readable file *COMPLETELY* breaks a security model - not uncommon in families - where different users of a particular machine are isolated from each other and cannot access each others files or login as each other with some degree of assurance of security,” he said.

Apple has not responded to disclosure of the flaw.

Passwords were also accessible through a log contained within system backups created by Apple's Time Capsule software.

Users were only affected if they had used FileVault prior to upgrading to OS X Lion and applying the bad software update.

Emery said users could protect themselves from the firewire disk and recovery partition attacks by using the FileVault 2 whole disk encryption software. Users should also set a firmware password which would be required on boot.

Users who either upgrade to FileVault 2 or disable the legacy software should change their passwords to render invalid the passwords recorded in the logs.

“Carefully built crypto has a unfortunate tendency to consist of three thick impregnable walls and a picket fence in the back with the gate left open,” Emery said.

Copyright © SC Magazine, Australia


Mac FileVault passwords stored in clear text
 
 
 
Top Stories
NBN Co names first 140 FTTN sites
National trial extended.
 
Cloud, big data propel bank CISOs into the boardroom
And this time, they are welcome.
 
Photos: A tour of CommBank's new innovation lab
Oculus Rift, Kinect and more.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  23%
 
End user computing (desktops, mobiles, apps)
  12%
 
Software development
  27%
TOTAL VOTES: 225

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  63%
 
No
  37%
TOTAL VOTES: 67

Vote