Swedish researcher and pentester Ulf Frisk has created a device that can bypass FileVault 2 encryption on Mac computers. The expert has described the device's principle of operation in detail; by his account, building one costs just $300.
In the summer of 2016 Frisk discovered two vulnerabilities in Apple's implementation of FileVault 2. Together these flaws allow an attacker to obtain the victim's password in plain text, and to do so even from a locked Mac or one in sleep mode. The attack itself is very simple: connect a custom Thunderbolt device to the Mac, force a restart with Ctrl + Cmd + Power, and wait for the password to be retrieved, which takes about 30 seconds.
The problem, according to the hacker, has two parts. First, Apple devices were not protected against Direct Memory Access (DMA) attacks before boot: while macOS has not yet started, EFI allows a malicious Thunderbolt device to connect and lets it read and write memory. Once macOS is running, DMA protection is enabled by default. Second, the FileVault password is stored in memory in plain text. Worse, it is not cleared after the drive has been unlocked. The password's location in memory changes, but only within a fixed range.
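As an added illustration (not Frisk's code, nor Apple's), here is the defensive step the second flaw lacks: once the volume key has been derived from the passphrase, the plaintext passphrase is wiped so that a later memory read finds nothing. The key derivation is a constructed stand-in, and `secure_wipe` is a hypothetical helper.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Zeroing the compiler cannot optimise away: writes go through a volatile
   pointer. Hypothetical helper; prefer memset_s/explicit_bzero where present. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* 1 if every byte of buf is zero, i.e. a memory read would find nothing. */
int buffer_is_zero(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0) return 0;
    return 1;
}

/* Constructed stand-in for deriving the volume key from the passphrase.
   FNV-1a only gives a deterministic value; it is not a real KDF. */
uint32_t derive_toy_key(const char *pass, size_t len)
{
    uint32_t k = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        k ^= (unsigned char)pass[i];
        k *= 16777619u;
    }
    return k;
}

/* Unlock, then wipe the plaintext passphrase. Returns 1 if the buffer no
   longer holds it afterwards, 0 otherwise. */
int unlock_and_clear(char *pass, size_t len, uint32_t *key_out)
{
    *key_out = derive_toy_key(pass, len);
    secure_wipe(pass, len);  /* the step the article says was missing */
    return buffer_is_zero(pass, len);
}

int main(void)
{
    char pass[] = "correct horse battery staple";  /* constructed sample */
    uint32_t key;
    int cleared = unlock_and_clear(pass, sizeof pass - 1, &key);
    printf("key=%08x cleared=%d\n", (unsigned)key, cleared);
    return cleared ? 0 : 1;
}
```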
As a result, the researcher implemented a DMA attack: once the device reboots, DMA protection stops working, and until macOS starts the memory contents can be read without much trouble.
Frisk has already published the software written for the attack on GitHub, where detailed instructions for building the malicious Thunderbolt device and its firmware can also be found. Apple laptops equipped with Thunderbolt 2 are definitely affected; newer models with USB-C ports were not tested.
The researcher contacted Apple's developers in August 2016, but producing a patch took the company several months. The fix was released on 13 December 2016 as part of macOS 10.12.2.