Any Mac With A Firewire Port Running OS X Lion Can Be Hacked Within Minutes [Report]

OS X Lion is being hailed by many as the most secure operating system yet, not just from Apple, but in total. In particular, its FileVault encryption rewrite is being widely hailed as one of the most secure, low-overhead ways yet to keep your data safe.

But behind all the talk, there’s a huge security hole in OS X Lion that has been present at least since Snow Leopard. Any Mac with a Firewire port is vulnerable to it, and it’s so easy to exploit that any hacker with physical access to your computer can get your password within minutes.

According to Passware, Inc, a provider of password recovery and decryption tools, it is possible to extract any Mac’s administrator password using the Firewire port, even if that Mac is in sleep mode.

All it takes is the right hardware: the Passware Kit Forensic v11, which plugs into a Mac’s FireWire port and slurps down the Mac’s computer memory, then analyzes it and extracts system passwords. According to Passware, this works regardless of password strength, encryption or the use of FileVault.

The good news is that it’s easy to secure your Mac once you know about the vulnerability. Just turn off the “Automatic Login” setting and shut down your computer completely instead of putting it to sleep.

Even so, this is a long-standing issue that Apple should have been aware of. A Mac’s administrator password has been recoverable from RAM since at least 2008.

What makes this extra damning is that according to Passware, this is a security vulnerability unique to OS X. Asked if all computer operating systems were vulnerable to pulling an admin password from user memory, Passware president Dmitry Sumin told us that in Windows 7, at least, this hole had been closed.

Passware has alerted Apple to the vulnerability and is waiting for a response. Let’s hope that this is a security hole that Apple can patch sooner rather than later. It’s a distressing thing when the newest OS X is less secure than Windows, even in part.

  • David C. Matthews

    Let me get this straight: someone has to *plug something into* the Firewire port in order to access the Mac’s memory?

    Okay, I can see where this might be a big concern for users in areas like offices where lots of people might have access to your Mac, but I don’t see this as a big problem for users in private homes.  Still, it is a vulnerability that needs to be fixed soon.

  • Simon Tooke

    This is old news – it’s how Firewire works.

  • tlmii

    Which is probably why Apple hasn’t fixed it. They don’t give a shit about business users.

  • Soho22

    lol yeah right, they hate money

  • Figurative

    Uhhh…. Yeah.  Sure.  That’s why Apple is hiring like crazy for business support engineers.  That’s why Apple has a dedicated section to their website… http://www.apple.com/business/  

  • Wayne_Luke

    Anytime someone has physical access to your machine, you should consider it insecure. 

  • Ryszard

    If the computer is set to Automatic Login, as it must be for this fancy “exploit” to work, what do you need this software for? The computer will login on its own and all its contents are available to whoever is in front of it. So what’s the point of going thru these extra steps? 

    The lesson here is not really that Firewire has a security weakness, but that you shouldn’t set your computer to Automatic Login if it’s physically accessible to others.

  • Brandon Paddock

    Isn’t physical access the whole point of FileVault?  (which as I understand it, is Apple’s answer to Bitlocker?)

  • David Salzberg

    Nothing is secure with physical access to the hardware.  I can crack any Windows system.  Or, I can just remove the HD and install in another system.  That is why we encrypt the Hard Disk.
     

  • Matthias Wolf

    I wonder how this might be with Thunderbolt. Those devices could be prone to the same vulnerability. Since it uses PCI-Express technology it should have huge memory privileges.

  • CharliK

    If a business user has auto log in turned on, then the business has bigger issues. Smart businesses require such things be left off, that you password your screen saver and that you have an auto log out if you leave the machine for more than say 5 minutes. 

    That is if they aren’t putting the contents on a server and your machine is a dummy terminal. 

  • Clay Caviness

    This has been a huge security hole in OS X since at least 2004 (http://md.hudora.de/presentati

    It can be mitigated by enabling a firmware password – this will disable all DMA access, though, slowing access speeds.

  • Anon

    “any hacker with physical access to your computer”
    Any hacker with physical access to your computer could also:
    a) take the computer
    b) take the hard drive
    c) take the memory, but most maliciously of all
    d) install Windows and then REMOTELY access your computer. 

    And this on a Mac blog.

  • CharliK

    “it’s so easy to exploit that any hacker with physical access to your computer can get your password within minutes”

    Key phrase is physical access. So only someone that is in your home/office or grabbed  your unwatched computer when you left it on the table at Starbucks to go take a piss can use this trick. 

    Seems to me there’s a bigger issue than some firewire exploit in such cases. 

  • diesel-benz

    Who cares? If they have access to a computer for 10 minutes they have either stolen it or have legitimate use (employee).

  • Mike Rathjen

    Physical access to a computer with automatic login might be unsecure?

    AHAHAHAHAHAAAA…. no kidding.

  • Karl

    Define huge… what makes it a “huge security hole”? I have never heard of anyone getting compromised because of this. But then I don’t get out much… to me a “huge security hole” would be if say over 5% of the users have gotten compromised. So can you tell me how many people have been? 

  • SSD

    Wait…. all you have to do is turn off automatic login?   If you had that enabled, you have no physical security anyway.  Even if you have the screensaver enabled, all you’d have to do is turn the Mac off and then on again, and you’d be taken right to the user’s desktop.  That’s NO security.  How is this news, exactly?

  • Wayne_Luke

    Do you regularly let just anyone plug into your Firewire port?

  • DmitrySumin

    Even with automatic login off the software is capable of capturing your passwords. All you need is to log in at least once. That’s it.

  • Demios101

    I love that people are marginalizing this. Bottom line, it IS a security issue. Hypothetical situations are not relevant and steps should be taken to fix it.

  • Patranus

    LOL – There are Linux live CDs that will give you the password of every account on a machine if you have physical access to the computer.

  • tehabe

    The same, Thunderbolt is as secure or insecure as Firewire is. Both give you full memory access. Like to know if memory encryption might help a little.

  • Robert X

    Firewire, I believe, has this problem with EVERY OS.

  • Don Pope

    You hit the nail right on the head. 

    This is like saying that if you leave the door open, someone can get in, open a window and then enter through the window.

  • L J Moloney

    ok so I am going to worry that some hacker is going to pay $995 for this program, then break into my house to steal my password because of the treasures inside my computer. good luck to him 

  • HotTips!

    I guess I don’t understand the big deal here. If the computer has auto-login enabled, and you have physical access to the computer…. Why not just turn it on and start using it? Hacked within minutes? Doesn’t need hacked.. just turn it on, and you’re good.

  • SSD

    So this exploit requires direct, physical access to the system, and something connected to the FW port while the system is logged in?   Seems like a lot of extra work, when you could just grab the machine, or since it’s logged in anyway, just copy the data off onto a USB flash drive.   Doesn’t seem to be that big a threat to most users.  Maybe in shared environment.  

  • Callum Kerr

    Lol, BitLocker was Microsoft’s [feeble] answer to FileVault ;]

  • Tim

    Anyone who says OS X Lion is the most secure operating system is a complete and utter idiot.
    It may or may not be the most secure graphical, desktop OS. However, you simply can’t compare it to a frugal, command-line operating system in terms of security.
    I also detest the label of “most secure”. It’s often based on the number of security technologies in place, however that’s by no means an accurate measurement. Windows has had a lot of such technologies pumped into it, however it remains just as insecure due to poor implementations and poor programming. OpenBSD stays secure, however, due to in-depth code reviews and care.

  • Tim

    Both have security flaws.

  • Tim

    Or they could make it themselves? It’s not hard and there are free tools out there to help with such.

  • Tim

    You’re stupid. What if the logged in user has reduced privileges? This could lead to privilege escalation.

  • Mike Rathjen

    Well you’re so stupid you completely misunderstood my simple statement and ended up agreeing with me.

  • Dilbert A

    lol

  • Dilbert A

    Hypothetical? 

    The “hack” requires both having physical access to the computer and having auto-login enabled?

  • Dilbert A

    snore …

    You’re boring, Tim.

    You’re a boring troll.

  • Hoser Man

    An easy fix is to have your computer automatically shut off your ports when not in use. You can then put your puter to sleep while using a login to wake it. Safe at first.

  • DmitrySumin

    The software does not require “Automatic Login” to work.

  • DmitrySumin

    auto-login is not required.

  • DmitrySumin

    You can’t possibly copy data off a system when no user is logged in. 

  • Tom Steerforth

    With physical access, you can just pull the hard drive out.

    OMG I’M SUCH A HAXXOR

  • Tom Steerforth

    If someone has physical access to my MacBook, they are usually more interested in either selling it on a black market, or scolding me for spending too much time on Tumblr (thanks, mom).

  • Tripleddrywall

    I HAVE AN IMAC 21 INCH AND CAN’T GET ACCESS TO IT BECAUSE I FORGOT FIRMWARE PASSWORD

About the author

John Brownlee is a Contributing Editor. He has also written for Wired, Playboy, Boing Boing, Popular Mechanics, VentureBeat, and Gizmodo. He lives in Boston with his wife and two parakeets. You can follow him here on Twitter.

Posted in News, Top stories