Mac OS X Lion Password Vulnerability: Sleep Mode

[InfoSec News <alerts () infosecnews org>]

http://www.informationweek.com/news/security/vulnerabilities/231002943

By Mathew J. Schwartz
InformationWeek
July 29, 2011

Updated forensic software can steal Apple OS X login passwords in 
minutes, even when the devices are locked or asleep.

To be successful, however, users of the software, Passware Kit Forensic 
v11, must have physical access to the target Mac device, as well as a 
FireWire cable connection. At that point, the software can capture the 
password data from the Mac's memory, even on the latest version of 
Apple's operating system, Mac OS X Lion.

According to Passware, its $995 software kit only takes a few minutes to 
work. It also functions regardless of password strength, and even if 
FileVault encryption has been activated. Passware previously implemented 
the same technique to decrypt Windows hard disks encrypted with 
BitLocker and TrueCrypt, with software running on a USB key that is 
plugged into the target machine.

Interestingly, the "potential vulnerability"--as Passware described 
it--in Apple OS X that enables password extraction is in many ways also 
a documented FireWire feature. "One of the design features of FireWire, 
and part of what makes it attractive for professional use, is that it 
allows for [direct memory access], a technology used in modern computers 
which allows peripherals to bypass the CPU and directly read from and 
write to memory," said Aryeh Goretsky, a distinguished researcher at 
ESET, in a blog post. "Because the processor does not have to manage the 
data transfer, higher data rates, and lower CPU utilization can be 
ensured, while leaving the CPU available to perform other functions."

[...]


___________________________________________________________
Attend Black Hat USA 2011, hosted at Caesars Palace in
Las Vegas, Nevada July 30-Aug 4, offering over 60 training
sessions and 9 tracks of Briefings from security industry elite.
To sign up visit: http://www.blackhat.com