Passware can brute force Filevault in 40 minutes
Posted: Thu Feb 02, 2012 8:29 am
by HappyIdiot
9to5mac wrote:FileVault has been included in Macs by Apple since the release of Panther many years ago. In Apple’s most recent release, OS X Lion, they included FileVault 2 which brought new ways of encryption. FileVault lets you encrypt your entire drive with a master password to protect key-chain passwords, files, and more. FileVault 2 uses a separate partition to store the FileVault log-in information.
Cnet points us to a new report from password recovery company Passware, who claims they can decrypt Apple’s FileVault 2 in under 40 minutes. Obviously, this is a big concern because FileVault contains so much of users’ information.
PassWare decrypts FileVault by going in through the system’s FireWire connection and using live-memory analysis to extract the encryption key from the FileVault partition (so the machine must assumably be running?). From there you can uncover keychain files and log-in passwords which can be used to unlock the whole HDD/SSD.
PassWare conveniently makes PassWare 11.3 available to do this, but you’ll have to throw down a lofty $995 to get the software. PassWare makes this software primarily available for law enforcement.
9to5mac
DMA seems to cause more problems than it is worth to me. I'm waiting for SEDs to come down in price.
Re: Passware can brute force Filevault in 40 minutes
Posted: Thu Feb 02, 2012 8:41 am
by drwrx
Wait, it uses the FireWire connection?
So the PassWare user has to have access to the machine, a functioning FireWire port and 30 minutes or so.
I guess I'm not that fearful.
A number of years ago there was a utility available that could deactivate the FireWire port on Macs.
The reason for this was to be able to boot the Mac using a boot disc from the USB port which previously was only possible from the FireWire port. I knew a few folks who ran it.
Re: Passware can brute force Filevault in 40 minutes
Posted: Thu Feb 02, 2012 8:59 am
by HappyIdiot
Yeah, you have to have physical access to the machine, you are pulling the keys from the RAM. While having physical access is usually game over, DMA just makes it that much easier.
Re: Passware can brute force Filevault in 40 minutes
Posted: Thu Feb 02, 2012 11:23 am
by complacent
the long pole in the tent here is the live memory access. the attack doesn't work if the machine has been shut down. it also won't work if a machine is freshly rebooted, iirc.
and yea, physical access makes it game over. same is true for truecrypt volumes.
/tinfoil hat
Re: Passware can brute force Filevault in 40 minutes
Posted: Thu Feb 02, 2012 1:52 pm
by Sabre
You know what honestly scares me more than this?
It might not matter. Basically, the US court system has said that any data residing on a computer that has been subject to a warrant should be fully open. All passwords must be given, including encrypted drives and other data that is encrypted.
Interesting "hack" by Passware though. Since law enforcement doesn't need it, I guess this is for private industry or nosy girl/boyfriends.
Boy, they sure are going to get a lot of pr0n when they ask for mine...

Re: Passware can brute force Filevault in 40 minutes
Posted: Thu Feb 02, 2012 11:01 pm
by Raven
Sabre wrote:You know what honestly scares me more than this?
It might not matter. Basically, the US court system has said that any data residing on a computer that has been subject to a warrant should be fully open. All passwords must be given, including encrypted drives and other data that is encrypted.
Interesting "hack" by Passware though. Since law enforcement doesn't need it, I guess this is for private industry or nosy girl/boyfriends.
Boy, they sure are going to get a lot of pr0n when they ask for mine...

So if I have to hand over my encryption passwords if the feds come knocking, why would I ever encrypt anything?
Re: Passware can brute force Filevault in 40 minutes
Posted: Fri Feb 03, 2012 8:09 am
by HappyIdiot
Raven wrote:
So if I have to hand over my encryption passwords if the feds come knocking, why would I ever encrypt anything?
Because you'll thank yourself if your laptop is lost or stolen, and if the Feds are knocking on your door, you are already screwed, encryption or not.
drwrx wrote: A number of years ago there was a utility available that could deactivate the FireWire port on Macs.
I came across this method yesterday.
bitstopr wrote:
One way to disable FireWire is to disable the kernel extensions (kexts) on Mac OS X, so Mac OS X cannot access the FireWire hardware.
Open the Terminal.app application.
As a precaution, we make a backup directory. In Terminal.app type:
sudo mkdir /System/Library/Backup.Extensions/
Move the extensions associated with FireWire to the backup directory. In Terminal.app type:
sudo mv /System/Library/Extensions/IOFireWire* /System/Library/Backup.Extensions/
Done. Please restart the Mac to see the results.
If you want to restore the original condition, simply return the extensions from the backup. In Terminal.app type:
sudo mv /System/Library/Backup.Extensions/IOFireWire* /System/Library/Extensions/
Bitstopr
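Added example, not part of the original posts: a shell check for the kext move quoted above. It reports whether any IOFireWire* extensions remain in the live Extensions directory versus the backup directory, and whether a FireWire kext is still loaded in the running kernel. The function names are made up for this example; the default paths are the ones from the quoted instructions.

```shell
#!/bin/sh
# Added example: audit the FireWire kext move from the quoted instructions.
# Function names are hypothetical; default paths come from the post.

# Count entries matching IOFireWire* in a directory (0 if it does not exist).
count_fw_kexts() {
    dir=$1
    n=0
    [ -d "$dir" ] || { echo 0; return 0; }
    for k in "$dir"/IOFireWire*; do
        if [ -e "$k" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Prints one of: enabled, disabled, partial, absent.
firewire_kext_status() {
    ext_dir=${1:-/System/Library/Extensions}
    bak_dir=${2:-/System/Library/Backup.Extensions}
    live=$(count_fw_kexts "$ext_dir")
    saved=$(count_fw_kexts "$bak_dir")
    if [ "$live" -gt 0 ] && [ "$saved" -gt 0 ]; then
        echo partial     # backup exists, but FireWire kexts are back in the live directory
    elif [ "$live" -gt 0 ]; then
        echo enabled     # nothing was moved
    elif [ "$saved" -gt 0 ]; then
        echo disabled    # all FireWire kexts sit in the backup directory
    else
        echo absent      # no FireWire kexts found in either place
    fi
}

# Moving the files does not unload a kext that is already running; that is
# what the restart step is for. kextstat is the OS X tool listing loaded kexts.
firewire_loaded() {
    command -v kextstat >/dev/null 2>&1 || { echo unknown; return 0; }
    if kextstat 2>/dev/null | grep -q IOFireWire; then
        echo loaded
    else
        echo not-loaded
    fi
}

echo "on disk: $(firewire_kext_status)  in kernel: $(firewire_loaded)"
```

A result of "disabled" on disk with "loaded" in the kernel means the restart has not happened yet, so the port is still serviced by the running driver.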
Re: Passware can brute force Filevault in 40 minutes
Posted: Fri Feb 03, 2012 10:07 am
by Sabre
HappyIdiot wrote:Raven wrote:
So if I have to hand over my encryption passwords if the feds come knocking, why would I ever encrypt anything?
Because you'll thank yourself if your laptop is lost or stolen, and if the Feds are knocking on your door, you are already screwed, encryption or not.
