Sleeping Macs Leak Passwords Through FireWire

Researchers using a FireWire device managed to obtain passwords saved on a Lion-based Mac in sleep mode

It is possible to recover user passwords from Mac systems that were set on Sleep Mode, including running the latest version of Mac OS X Lion, a password recovery software vendor said.

Passware researchers were able to recover passwords by connecting to the Mac through the FireWire port, the company said. All that the trick requires is a Mac that has been locked, put into sleep mode or have FileVault disk encryption turned on, Passware said.

“Long touted as a stable and secure operating system, Mac users are cautioned that the newest operating system has a potential vulnerability that enables password extraction from devices running Mac OS Lion,” said Dmitry Sumin, president of Passware.

Default Settings Leave Password In Memory

The company said it was able to obtain passwords on Macs that were in sleep mode as opposed to being powered off. The targeted Macs also had the “Automatic Login” setting enabled, which is turned on by default on all Macs. The setting meant the password was resident in the computer’s memory.

Since FireWire uses Direct Memory Access (DMA) to achieve fast connection speeds, anyone connected to the system through the port has full access to the computer’s memory, Passware said. By design, FireWire allows any device to read and write to any other connected device.

The passwords can be obtained even if the user installed FileVault encryption or selected a complex and strong password. The security flaw is present in Mac OS 10.6 Snow Leopard and in 10.7 Lion, according to Passware.

Passware released Passware Kit Forensic v11 to capture computer memory over FireWire and extract all login passwords stored there within minutes. The £762.96 package can even extract the passwords stored on the Mac’s keychain.

The technique itself is not new. Passware itself decrypted hard disks encrypted with Microsoft’s BitLocker and TrueCrypt with the same process.

Users concerned about the threat can change the default setting on the Macs to not automatically login when the computer starts, recommended Mac antivirus company Intego, who provided detailed instructions on their blog. Requiring a password when unlocking or waking a Mac means the login password is never stored in the machine’s memory.

Big Turn Off For Mac Users

Turning off automatic login makes sense to protect the system from thieves, as well. “Think about making this change to protect your data from easily being grabbed by anyone who finds or steals your Mac,” Intego wrote.

Users can also turn off Macs when they are not being used, instead of locking them or putting them into sleep mode, according to Passware.

There are limitations to computer security, Sumin said. “If data stored is confidential, it is important to ensure physical security of the computer,” he said, adding that sensitive data should be encrypted.

Passware is not the only one releasing software to get past Mac defences. Moxie Marlinspike posted an update to the SSLsniff tool. SSLsniff allows users to easily perform man-in-the-middle attacks against SSL/TLS connections and now can be used to snoop on secure communications from unpatched Apple devices.

If left unpatched the SSL issue fixed by Apple in the latest iOS update would allow attackers to capture traffic from the vulnerable iPhone, iPad or iPod Touch, according to Chester Wisniewski, senior security advisor at Sophos. On the same day, Moscow-based Elcomsoft also released an updated “all-in-one” forensic toolkit for extracting encrypted data stored on iOS devices.