Apple’s latest security update to OS X Lion, 10.7.3, was shipped with the debugging switch left on, leaving passwords open in plain text in a folder that had previously been encrypted with the first version of the company’s FileVault encryption.
David I. Emery, owner of DIE Consulting, disclosed the flaw on the Cryptome encryption mailing list on Saturday, 5 May.
Apple released the buggy update in February.
Emery reports that the debug switch (DEBUGLOG) seems to have been left on inadvertently. The security hole causes log-in passwords for the encrypted home directory tree (legacy FileVault) to be left readable, in a systemwide log file, by any user with root or administrative access.
What makes this one so bad is that the log, and thus encrypted partitions, can be read by intruders who don’t have a log-in password. It’s done by booting the machine into FireWire disk mode, which allows the log and partitions to be read by opening the drive as a disk or by booting the recovery partition that was introduced in Lion.
An intruder then uses the available super-user shell to mount the main file system partition, Emery says.
Emery theorised that Apple’s Time Capsule backup tool may have backups encrypted with the password available in plain text.
“For those who use Apple’s easy backup tools (‘Time Capsule’), it was possible to assume that those tools only wrote copies of the sparsebundle encrypted container for a FileVault legacy home directory to the backup media, meaning that an unencrypted backup would still provide protection for the contained encrypted home directories,” Emery wrote. “But with the password required to decrypt the sparebundles stored in the clear on the (unencrypted) backup, that assumption is no longer true.”
Emery said that users can partially protect themselves from attack by using FileVault 2, which offers whole-disk encryption. Such encryption requires that users know at least one user log-in password before they are given access to files on the disk’s main partition.
Further, weaker protection can be had by setting a firmware password, which would be required before a user can boot the recovery partition or external media or enter FireWire disk mode, he says. However, there’s a technique to turn this off, known to Apple field support.
Chester Wisniewski, a senior security advisor for Sophos, wrote that this security snafu proves an important point about encryption: Secure algorithms are important, but that’s “rarely the most important factor”.
“How products store, manage and secure keys and passwords is the most common failure point in assuring data protection,” Wisniewski wrote in Sophos’ Naked Security blog. “This incident demonstrates the importance of implementation over technical arguments like key strength and password complexity. That Apple promises AES [Advanced Encryption Standard] encryption doesn’t mean anything if it chooses to store your password in an accessible log file.”
Of course, the possibility that the plain-text password has been backed up means that it’s going to be tough to ensure that both it and the original plain-text password are securely erased, he said, even after the fix comes out.
Thus, Wisniewski advises Mac users to consider changing passwords, and then to refrain from using those passwords on any other systems, even after applying the patch.
How well do you know your operating systems? Take our quiz.
Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…
Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…