• Home
  • Apple
  • macOS
  • News
  • macOS Sierra 10.12.2 Fixes Security Hole That Allowed Thunderbolt Device to Steal Password from a Locked Mac

macOS Sierra 10.12.2 Fixes Security Hole That Allowed Thunderbolt Device to Steal Password from a Locked Mac

macOS Sierra 10.12.2 Fixes Security Hole That Allowed Thunderbolt Device to Steal Password from a Locked Mac

The recent macOS Sierra 10.12.2 update fixed a security hole that allowed a bad actor to quickly grab the password of your Mac in just a few moments, by simply plugging in a specialized $300 Thunderbolt device

macOS Sierra 10.12.2 Fixes Security Hole That Allowed Thunderbolt Device to Steal Password from a Locked Mac

Ulf Frisk, Via 9to5Mac:

Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the Mac is completely shut down. If the Mac is sleeping, it is still vulnerable.

Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!

Security researcher Ulf Frisk has shared details of the vulnerability, after the company fixed the issue. Frisk had notified the company about the security hole back in August. Apple confirmed the issue, and requested Frisk not publish details about the vulnerability until they fixed it. Frisk says the hole is no longer there as of the macOS Sierra 10.12.2 update. He explained how it worked:

The first issue is that the mac does not protect itself against Direct Memory Access (DMA) attacks before macOS is started. EFI which is running at this early stage enables Thunderbolt allowing malicious devices to read and write memory. At this stage macOS is not yet started. macOS resides on the encrypted disk – which must be unlocked before it can be started. Once macOS is started it will enable DMA protections by default.

The second issue is that the the FileVault password is stored in clear text in memory and that it’s not automatically scrubbed from memory once the disk is unlocked. The password is put in multiple memory locations – which all seems to move around between reboots, but within a fixed memory range.

The video below shows how the whole thing worked.

  1. 360324 858230Pretty section of content. I just stumbled upon your website and in accession capital to assert that I get in fact enjoyed account your weblog posts. Any way Ill be subscribing to your feeds and even I achievement you access consistently rapidly. 704804

  2. address says:

    210777 739880Really nice post. I just stumbled upon your weblog and wanted to say that Ive truly enjoyed surfing about your blog posts. Soon after all I will be subscribing to your feed and I hope you write once again extremely soon! 51092

  3. 73704 922292Amazing! This blog looks just like my old one! Its on a completely different subject but it has pretty much the same layout and design. Excellent choice of colors! 171137

  4. 900672 218300An extremely fascinating read, I might not concur completely, but you do make some incredibly valid points. 572860

  5. Deepweb says:

    581392 329517Excellently written article, doubts all bloggers offered the identical content material since you, the internet has to be far better location. Please stay the most effective! 71846

  6. 668533 873232i could only wish that solar panels cost only several hundred dollars, i would enjoy to fill my roof with solar panels- 433045

  7. 439686 554199I like this site really considerably, Its a really nice position to read and receive info . 223522

Leave a Reply

Your email address will not be published.