Mac FileVault passwords stored in clear text

Flawed update contained debug logs that trap passwords.

Passwords for Apple Mac FileVault are being stored in the clear due to a borked OS X security update issued in February.

The security hole affected OS X Lion users under specific conditions and could allow passwords for the local encryption software to be harvested.

It occurred because the update 10.7.3 contained an accessible debugging facility that appeared to have been accidentally left open. The logs would detail clear text FileVault passwords for every user who logged in since the update was applied.

An attacker could bypass the OS X log-in screen and access the passwords by “booting the machine into FireWire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file”, security researcher David Emery said.

“This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.”

Emery discovered the flaw and disclosed details on the Cryptome mailing list.

“... Having the password logged in the clear in an admin readable file *COMPLETELY* breaks a security model - not uncommon in families - where different users of a particular machine are isolated from each other and cannot access each other's files or login as each other with some degree of assurance of security,” he said.

Apple has not responded to disclosure of the flaw.

Passwords were also accessible through a log contained within system backups created by Apple's Time Capsule software.

Users were only affected if they had used FileVault prior to upgrading to OS X Lion and applying the bad software update.

Emery said users could protect themselves from the FireWire disk mode and recovery partition attacks by using the FileVault 2 whole-disk encryption software. Users should also set a firmware password, which would be required on boot.

Users who either upgrade to FileVault 2 or disable the legacy software should change their passwords to render invalid the passwords recorded in the logs.

“Carefully built crypto has an unfortunate tendency to consist of three thick impregnable walls and a picket fence in the back with the gate left open,” Emery said.

Copyright © SC Magazine, Australia
