Mac OS X Lion Login Passwords Extracted With Ease - privacyguru
http://www.securityweek.com/mac-os-x-lion-login-passwords-extracted-ease

======
sp332
I think the headline should be, "FireWire is insecure and can be used to dump
the contents of your RAM." But that's always been true, regardless of OS.

Edit: the WinLockPwn tool has been available since 2008; you can just plug one
computer into another and dump the RAM. You can then use "signatures" to
search for passwords for various systems, including Windows.
[http://web.archive.org/web/20090402130220/http://storm.net.nz/projects/16](http://web.archive.org/web/20090402130220/http://storm.net.nz/projects/16)

I like this part:

_I'm also pleased to note... the guy who did it by plugging a Cardbus
Firewire card into a laptop that didn't have firewire, waiting for it to auto
install it (while at the locked screen!) then winlockpwning it. That's
awesome. :)_

So, even if your laptop doesn't _currently_ have firewire, you're still not
safe.

~~~
shapoopy
A Debian Developer has a good set of articles[1] on this vulnerability. It's
really a pretty astonishing aspect of FireWire.

Time to whip out the epoxy, I reckon.

[1]: [http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation](http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation)

~~~
masklinn
> It's really a pretty astonishing aspect of FireWire.

Not really. Note that LightPeak/Thunderbolt has the exact same issue. I
believe it can be mitigated by the right IOMMU implementation (if the OS takes
advantage of the feature).

------
DrJokepu
I'm no security expert, but it was always my understanding that once an
attacker has physical access to a computer it can no longer be considered
secure, no matter what. Also, my understanding is that this is a widely
accepted fact in the security community. How can a website called "Security
Week" ignore this very relevant piece of knowledge, then?

~~~
kevin_morrill
If this is reported correctly, it sounds like passwords are stored in memory
for quite a while in their unhashed, clear text form. This is not good for
people that depend on FileVault as a way to assume that physical access
doesn't necessarily compromise their data.

It's a little hard to believe this as there's really no need to have the
password kept in memory; it could be the exploit requires the device to be
plugged in while you're typing your password--which is more believable and
also less interesting.

~~~
sp332
If you have the autologin feature enabled, which would you prefer: keep the
password in RAM, where most people can't get it, or put it on the hard drive,
which is a much easier target?

~~~
ovi256
But why would the autologin implementation need access to the cleartext
password? And then why is the cleartext password stored at all?

These seem like big holes.

~~~
epochwolf
On OS X, probably to unlock the keychain.

~~~
Sidnicious
Yep: <http://www.brock-family.org/gavin/perl/kcpassword.html>

------
masnick
Is there any way to get around this? If so, is it implemented in any OS?

I'm no encryption expert, but it seems like you would need to store decryption
keys (or in this case, the login password) in plaintext so they could be used
by the OS.

An explanation from an expert would be appreciated.

~~~
ConstantineXVI
Given that FireWire gives you direct, unsecured access to memory, the most
secure solution would be to fill your FireWire port (as well as any other
interface that has direct memory access, such as ExpressCard or Thunderbolt)
with glue or otherwise render it unusable.

~~~
masklinn
> Given that FireWire gives you direct, unsecured access to memory

FireWire asks for it, but in recent years CPUs have started implementing
IOMMUs, which should be usable to "lie" to devices and sandbox DMA'd memory,
preventing full memory access even to low-level buses (such as FireWire or
Thunderbolt).

------
llambda
"Passware says the security risk is easy to overcome by simply turning off the
computer instead of putting it to sleep, and disabling the "Automatic Login"
setting. This way, passwords will not be present in memory and cannot be
recovered."

Hm, isn't automatic login now disabled by default in the installation process
of Lion? The last install I did seemed to have it disabled by default although
there was a toggle to switch it on if I so chose.

------
doctoboggan
The article also mentions that TrueCrypt passphrases can be recovered this
way. Is this true? This would seem like a very major security oversight for
software whose main focus is security.

------
mmuro
It seems an easier solution is to just log off your account rather than shut
the entire computer down. Unless it can be accessed from the login screen...

~~~
ConstantineXVI
It's possible to inject code into RAM via this method as well as read it,
bypassing said login screen. With FileVault, once you unlock the disk, it
remains so until you shut down. Shutting down prevents an attacker from having
access to unencrypted data via this attack.

------
hackermom
Hands up if you use Automatic Login on your personal computer, whatever OS you
might be using. Also, this hack requires physical access to the computer, and
by that time no computer, no operating system, can be considered safe.

