Mac FileVault passwords stored in clear text

Powered by SC Magazine
 

Flawed update contained debug logs that trap passwords.

Passwords for Apple Mac FileVault are being stored in the clear due to a borked OS X security update issued in February.

The security hole affected OS X Lion users under specific conditions and could allow passwords for the local encryption software to be harvested.

It occurred because the update 10.7.3 contained an accessible debugging facility that appeared to have been accidentally left open. The logs would detail clear text FileVault passwords for every user who logged in since the update was applied.

An attacker could bypass the OS X log-in screen and access the passwords by “booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file”, security researcher David Emery said.

“This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.”

Emery discovered the flaw and disclosed details on the Cryptome mailing list.

“... Having the password logged in the clear in an admin readable file *COMPLETELY* breaks a security model - not uncommon in families - where different users of a particular machine are isolated from each other and cannot access each others files or login as each other with some degree of assurance of security,” he said.

Apple has not responded to disclosure of the flaw.

Passwords were also accessible through a log contained within system backups created by Apple's Time Capsule software.

Users were only affected if they had used FileVault prior to upgrading to OS X Lion and applying the bad software update.

Emery said users could protect themselves from the firewire disk and recovery partition attacks by using the FileVault 2 whole disk encryption software. Users should also set a firmware password which would be required on boot.

Users who either upgrade to FileVault 2 or disable the legacy software should change their passwords to render invalid the passwords recorded in the logs.

“Carefully built crypto has a unfortunate tendency to consist of three thick impregnable walls and a picket fence in the back with the gate left open,” Emery said.

Copyright © SC Magazine, Australia


Mac FileVault passwords stored in clear text
 
 
 
Top Stories
Coalition's NBN cost-benefit study finds in favour of MTM
FTTP costs too much, would take too long.
 
Who'd have picked a BlackBerry for the Internet of Things?
[Blog] BlackBerry has a more secure future in the physical world.
 
Will Nutanix be outflanked before reaching IPO?
VMware muscles in on storage startup in hyper-converged infrastructure.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  70%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  10%
TOTAL VOTES: 650

Vote