
macOS Sierra 10.12.2 Fixes Security Hole That Allowed Thunderbolt Device to Steal Password from a Locked Mac


The recent macOS Sierra 10.12.2 update fixed a security hole that allowed a bad actor to grab the password of a locked Mac in a few moments, simply by plugging in a specialized $300 Thunderbolt device.


Ulf Frisk, via 9to5Mac:

Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the Mac is completely shut down. If the Mac is sleeping, it is still vulnerable.

Just stroll up to a locked Mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!

Security researcher Ulf Frisk shared details of the vulnerability after Apple fixed the issue. Frisk had notified Apple about the security hole back in August; Apple confirmed the issue and asked Frisk not to publish details until it was fixed. Frisk says the hole is closed as of the macOS Sierra 10.12.2 update. He explained how it worked:

The first issue is that the Mac does not protect itself against Direct Memory Access (DMA) attacks before macOS is started. EFI, which is running at this early stage, enables Thunderbolt, allowing malicious devices to read and write memory. At this stage macOS is not yet started. macOS resides on the encrypted disk – which must be unlocked before it can be started. Once macOS is started it will enable DMA protections by default.

The second issue is that the FileVault password is stored in clear text in memory and that it’s not automatically scrubbed from memory once the disk is unlocked. The password is put in multiple memory locations – which all seem to move around between reboots, but within a fixed memory range.

The video below shows how the whole thing worked.
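The second issue Frisk describes is a secret left in memory after it is no longer needed. The following C code is an added example (it is not from the article, from Apple, or from Frisk's tool) showing the mitigation side: derive the key from the passphrase, then scrub the passphrase buffer immediately, using a write loop through a volatile pointer so the compiler cannot drop the stores as dead code, which a plain memset after the last use is allowed to do. The FNV-1a hash is a constructed stand-in for a real key derivation function, and the passphrase value is constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Portable secure zeroing: stores through a volatile pointer, so the optimizer
 * must emit every write even though the buffer is never read again.
 * On macOS, memset_s() from C11 Annex K, and on glibc explicit_bzero(),
 * give the same guarantee with a library call. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) {
        *v++ = 0;
    }
}

/* Returns 1 if every byte of buf[0..n) is zero, else 0.
 * Uses an OR-accumulator so the loop does not exit early. */
int buffer_is_zeroed(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Simulated unlock step: derives a toy key from the passphrase (FNV-1a stands
 * in for a real KDF, as an assumption of this example), writes it to key_out,
 * then scrubs the passphrase before returning, so the clear-text secret does
 * not outlive its single use.
 * Returns 1 if the passphrase buffer is fully zeroed afterwards, else 0. */
int unlock_and_scrub(unsigned char *passphrase, size_t len, uint32_t *key_out)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= passphrase[i];
        h *= 16777619u;
    }
    *key_out = h;

    secure_zero(passphrase, len);
    return buffer_is_zeroed(passphrase, len);
}

int main(void)
{
    /* Constructed sample passphrase; a real one would come from the login UI. */
    unsigned char pw[] = "correct horse battery staple";
    uint32_t key = 0;

    int scrubbed = unlock_and_scrub(pw, sizeof(pw) - 1, &key);
    printf("key derived: 0x%08x, passphrase scrubbed: %s\n",
           key, scrubbed ? "yes" : "no");
    return scrubbed ? 0 : 1;
}
```

The check at the end of unlock_and_scrub is the piece to keep in mind when reviewing unlock code: a secret that is still readable after the disk is open is exactly what a pre-boot DMA reader would find in the fixed range Frisk mentions.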