Security glitch exposes OS X account passwords
Apple has confirmed a security glitch that, in many situations, will let someone with physical access to a Macintosh computer gain access to the password of the active user account.
The vulnerability arises out of a programming error that stores the account password in the computer's memory long after it's needed, meaning it can be retrieved and used to log into the computer and impersonate the user.
"This is a real problem and it needs to be fixed," said Jacob Appelbaum, a San Francisco-area programmer who discovered the vulnerability and reported it to Apple. He said he disagreed with the company's response: "They won't put it in the latest security update or release a security update just for this issue."
Appelbaum is one of the team of researchers who published a "cold boot" paper last week describing unrelated vulnerabilities in encrypted filesystems, including Apple's FileVault, Windows Vista's BitLocker, and a number of open-source ones.
Unlike the security concerns reported last week, this vulnerability is specific to OS X. It's also more sweeping because it offers--at least in OS X's default configuration--full access to passwords stored in the Keychain, which can include passwords to wireless networks, Web sites, accounts accessed via SSH, network-mounted volumes, and so on.
Apple spokesman Anuj Nayar told me: "We're aware of this locally exploitable vulnerability, and we're working to fix it in an upcoming software update. While no operating system can be 100 percent immune, Apple has a great track record of addressing potential vulnerabilities before they can affect users."
The security glitch works like this: The OS X subsystem that asks for a username and password to log into an account is, reasonably enough, called loginwindow.app. In the default configuration, the account password unlocks the user's keychain and the encrypted FileVault volume (if one is in use).
But instead of immediately erasing the password from memory once the unlocking process is complete, OS X keeps it around. That means someone with physical access to the computer can use multiple methods to extract the contents of the computer's DRAM chips.
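As an added illustration (not Apple's loginwindow code), here is the defect the article describes and its fix in C: a password staged in a buffer for the unlock step, a wipe written so the compiler cannot drop it as a dead store, and a scan over the same memory region that checks whether the secret survived. The arena, offsets and function names are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Apple's loginwindow code: the bug the article describes
 * is a credential left in RAM after the unlock step. secure_wipe() shows the
 * fix; memory_contains() is the defender's check that the wipe took effect. */

/* Zero a buffer in a way the compiler cannot discard as a dead store. A plain
 * memset() just before the buffer goes out of scope is often optimized away;
 * writing through a volatile pointer forces every byte out. (memset_s and
 * explicit_bzero are platform-provided equivalents where available.) */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Return 1 if needle (nlen bytes) occurs anywhere in hay (hlen bytes). This is
 * the same search the article's memory scan performed, used here to verify
 * that a secret is gone rather than to find one. */
int memory_contains(const unsigned char *hay, size_t hlen,
                    const char *needle, size_t nlen) {
    if (nlen == 0 || hlen < nlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Simulated login over a constructed 4 KiB arena that stands in for process
 * RAM: copy the password in, "unlock" with it, then either wipe it (wipe=1) or
 * leave it behind (wipe=0). Returns 1 if the password is still findable. */
int password_survives_after_login(const char *password, int wipe) {
    static unsigned char arena[4096];
    char *slot = (char *)arena + 1000;     /* where the password is staged */
    size_t n = strlen(password);
    memset(arena, 0xA5, sizeof arena);     /* unrelated filler */
    memcpy(slot, password, n);
    /* ... keychain / FileVault unlock would use slot here ... */
    if (wipe) secure_wipe(slot, n);
    return memory_contains(arena, sizeof arena, password, n);
}

int main(void) {
    const char *pw = "impressive";         /* the demo password from the article */
    printf("password kept:  found in memory = %d\n", password_survives_after_login(pw, 0));
    printf("password wiped: found in memory = %d\n", password_survives_after_login(pw, 1));
    return 0;
}
```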
Last week's paper described some of those techniques. They include: plugging an iPod into a FireWire port to extract the contents of memory, rebooting the computer and running a memory extractor over the network or from removable media, or physically ripping out the DRAM chips and inserting them into another computer. (Setting a firmware password can guard against the rebooting-attack threat.)
Turning off your computer and waiting a minute or more protects you from this attack by giving the contents of DRAM time to decay.
Although it's possible that the password stays in RAM even after the user logs out--which would be even more dangerous--Appelbaum hasn't tested that theory.
Trust, but verify
I invited Appelbaum over to News.com headquarters in downtown San Francisco and asked him to demonstrate the vulnerability on my laptop. He showed up with Seth Schoen of the Electronic Frontier Foundation and William Paul, who also worked on last week's paper.
I gave them an Intel-based MacBook with a password-protected account called "Breakme." FileVault was turned on, encrypted swap was activated, and the computer was locked through the screen saver. There was a file on the Desktop called "canyoureadthis"--if they could read its contents, I figured, they proved their attack worked.
What they did first, as you can see in the photographs below, was run an Ethernet cable from the MacBook to one of their laptops. Their next step was to convince the MacBook to run an "EFI memory scraper" program (written by Paul) found over the network through Apple's NetBoot service by holding down N while rebooting. That extracted the contents of the MacBook's memory to a 1.25 GB file. Then they scanned through it for likely passphrases.
It took them a few minutes, but they found the passphrase, "impressive"--as in, if they could find it, the attack was impressive. Once they had the password, they could easily log into the account and read the secret file on the desktop, which contained a relevant quotation from Thomas Jefferson. (They're planning to release the EFI memory scraper and other utilities some time in the next few months, so other people will be able to do this, too.)
Appelbaum reported the problem to Apple on February 5, but Apple didn't fix it in the security update released on February 11. "They should be concerned because it means that things that require password authentication do query this information," he said.
Because Apple wouldn't divulge details, it's a little unclear exactly what happened. But because loginwindow.app dates back to NeXTSTEP in the late 1980s, when nobody was even thinking about this kind of attack, it's possible that the origin of some of the code in use is older than some News.com readers who are reading this article today.*
Rebooting the target MacBook in a studio at CNET on Second Street in San Francisco. From left to right: Paul, Schoen, Appelbaum, and yours truly. We had planned on making a video, which is why we were using the fifth-floor studio, but the plan was nixed by a problem with the output from the camera you can see to the right. These are still images taken from the video.
(Credit: CNET)
Paul is skimming through the contents of the extracted memory--dumped from the Macintosh to his laptop--for possible passwords.
(Credit: CNET)
Eureka! There it is. The account name is 'Breakme' and the password I gave it is 'impressive.'
(Credit: CNET)
With the password, it was easy enough to log into the 'Breakme' account and read the secret file on the Desktop. These are the contents of it.
(Credit: CNET)
* Full disclosure: I worked at NeXT Computer during that time. Yes, that probably makes me old.
Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this."
It's shocking how many people refuse to install updates.
This issue for example is described as a 'glitch', a term commonly used to describe very minor issues. This issue however is quite severe as it leaves passwords in user accessible memory with no attempt to obfuscate them. Go pick up any security book and chapter one tells you not to do this.
Had this been found in Windows, the title surely would have been: "Critical security flaw in Windows exposes account passwords"
It would be nice to read unbiased news every once in a while.
"cold boot" paper last week describing unrelated vulnerabilities in encrypted filesystems, including Apple's FileVault, Windows Vista's BitLocker, and a number of open-source ones."
Didn't anyone catch that Windows was mentioned? And it wasn't singled out over the Mac. Windows/Apple fanboys need to chill out and just focus on security.
Any OS is equally vulnerable when physical access is involved, and I think you'd notice someone trying to compromise your machine by that manner.
/P
If you had turned off your Macbook first then done a cold boot, would the exploit still work? Probably not.
"Turning off your computer and waiting a minute or more protects you from this attack by giving the contents of DRAM time to decay."
And in terms of physical security, there are different levels of vulnerability. If you use FileVault and the computer is locked with its screen saver turned on, you probably don't expect the account password to be accessible.
So if you're using either of those tools, assuming that the attacker has physical access is a valid assumption. i.e., if this is the line of defence separating the attacker from your data, the attacker already has your machine!
attack threat.)"
Actually, setting a firmware password will also mitigate the iPod attack.
My computer will ONLY boot from the internal hard drive without a password; then requires a password to log in. It won't boot into Target Disc Mode or from the OS install DVD without a password.
btw, is your name really Andy Kaufman? I laugh just thinking about him.
With the risk level to the attacker now fully assessed (damned high), I doubt we'll see anyone attempting it on a criminal level any time soon.
/P
supervision, I expect that my computer can be hacked. If not in this method, than in myriad other ways. It's a no brainer.
The only way to prevent this is to disable your internal HD, use an external for everything, and take it with you no matter what, in essence making the computer a dumb machine. Of course, then someone can steal your HD and plug it in, clone it and crack it at their leisure.
The moral? Don't let people have access to your computer without supervision. :)
leave you alone with it. You have to find another way. But it's on the internet, right now, and with enough work, you can probably find out what IP address I'm writing from. So have at it!
Hey, now it's not so easy... ;)
sweat much until a patch is released :)
to extract them from NT4.
I'm sure the situation has improved but why take the chance?
Translation: "a great track record of being such a small platform that very few people care about cracking us. That's why at Apple we're focusing on selling lots of iPods, and not lots of computers, because we wouldn't know how to live in that world."
I don't envy MS the challenges they must have dealing with security on their platform. But Apple is selling more computers than ever, and it's clear to everyone that one of the big advantages is that they have done a very good job of keeping up with security issues. If the Mac is more secure in part because it's less ubiquitous, it's still more secure, and that's a good thing. It doesn't mean Apple can't compete. I don't work for them or own stock or anything and I don't think Steve Jobs walks on water. Just so you know.
easier way to break the password encryption... Instead of doing all this stupid stuff freezing RAM, all you have to do is pop an OS DVD in the drive, boot up from it and change the password there.
Who needs all this crap....
can be used to reset an admin account password. This gives a nefarious user admin access to the machine. But if there is an account on the machine, admin or no, using File Vault, then FileVault has encrypted the data using the login password. The admin user can reset the login password for any account on the Mac, but he can't recover any existing ones. Thus there is no way to recover FileVault data using the boot-DVD.
Once a user has physical access to your machine (like to rip out DRAM), then unless you are using FileVault or some other form of file encryption, all bets are off in terms of data security. For example, the nasty person could plug in a FireWire cable and start your Mac up in Target-Disk mode, which would let them clone the whole darn thing if they wanted to.
On an almost marginally related note, I believe Apple should ship the computers with two accounts by default, one for user work and one for admin/maintenance.
And Apple makes no secret about this.
If you own the original system install DVD, you own the computer!
Windows 2000 to XP (haven't tested on Vista)
- CD Rom that boots into a linux kernel that allows me to reset the administrator password.
Novell NetWare 4.x & Greater
- Program that I can run from the console which builds a new user at the root of the tree
Linux
- Boot into Single User Mode and reset password
As many have said. If you have physical access to the box you can do just about anything under the sun.
dw9
admin for day to day stuff... so if they can only get the passwords from the active profile then who cares?
If you can get your hands on a computer that's logged on... wouldn't you have access to everything anyway?
It is an admitted potential break-in point, but honestly, it's pretty convoluted and low priority at best.
After all, if I have to reboot a machine to get the contents, I could just as easily use a live CD to modify the Windows SAM account file and get whatever I want out of that... which has been the case ever since Windows NT came out.
Point is, anyone with physical access to any machine will have the contents of it.
/P
Seriously, the removal of the DRAM chips is extremely sketchy because it would require the DRAM chips to almost immediately be placed, in correct order, into a container providing power, and access.
Downloading the DRAM memory ... I think this tactic pretty much will work with most computer systems. Not downplaying the resourcefulness, and usefulness of this tactic, but opportunity is a HUGE issue.
Bottom line. If someone resorted to these tactics, all they need is a spy-camera to watch you type in your password.
This "security" issue alarm is a little far-fetched for 99% of the people using their systems. This story illustrates alarmism inching into the under-cover agent realm. In which case, there is almost no security, if you are a target.
I still enjoy OS X the best, my machine can take 16GB of ram, the older G5 powermac and I have 4.5 installed and it creams!!!! leaves everything in dust and it's based on the older PowerPC processor the 2GB dual CPU model.
I can edit video, sounds and many other apps in real time, flawlessly, no waiting for stuff to happen or catch up. I have a PC at home too, I keep it for work, that has 4GB of RAM and it still sucks! It still crashes, it still freezes. So take that to the bank.
example of story with limited legs. At least on this point. The "glitch" describes a physical assault in which the "hacker" already has your computer, a computer that is turned on, and logged on. Too late. Nothing is going to protect you from that.
the machine - this couldn't happen on fast user switch.
2) There is no way loginwindow stores memory on logout because it relaunches,
3) loginwindow does not enter the password anymore - the application which does that is SecurityAgent.app
4) autologin is probably turned on. That is the only reason the loginwindow would need the password - which is stored on disk. The best way to "break" into this machine is to reboot. Apple clearly says that autologin is nonsecure.
if logged out there is no store of memory.
with physical access any machine can be broken into. Without the firmware password there are much easier ways of getting into OS X than this nonsense. Muppets.
uGd&45nmn7S2 is just as easy to nab from memory.
Security improvement for Windows PCs and Macs.
by ralfthedog February 28, 2008 3:23 PM PST
I would love to see a firmware update that writes 0s to your ram on boot. (That is ram, not hard drive)

RE
by unknown unknown February 29, 2008 2:53 PM PST
One of the easiest solutions seems to be to have programs and OS's just overwrite the memory used to store passwords and encryption keys when they're not needed anymore.

True
by DrtyDogg March 1, 2008 10:03 PM PST
It should be implemented

The other problem is preventing keys from being paged into virtual memory.