SubRosaSoft's MacLockPick extracts personal info from OS X
While actually picking locks is no large task these days, cracking into one's highly encrypted information in OS X could prove problematic if the culprit had something to hide. SubRosaSoft's USB key purportedly allows "law enforcement professionals to perform live forensics on Mac OS X systems," and once the software on the included drive is ran, it automatically extracts data from the Apple Keychain and system settings to "provide the examiner fast access to the suspect's critical information with as little interaction or trace as possible." The program then compiles the details into a database and stores it back on the drive's internal memory, which can supposedly be read back on Windows, Linux, or OS X machines at base. Before the devious ones in the crowd get too excited, though, we should probably warn you that interested consumers will be forced to "provide proof that they are a licensed law enforcement professional," and even then, it will run you anywhere from $399.95 to $499.95 depending on your exact profession. But hey, we're sure you know a private investigator or police officer who can hook you up, right?
[Via DragonSteelMods]

Reader Comments (Page 1 of 1)
Chris @ Apr 30th 2007 2:20AM
System must be in a logged-in state: "MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep." http://tinyurl.com/yuhx9j
Nogami @ Apr 30th 2007 3:25AM
Sounds like OS X should refuse to mount any USB / Firewire / CD or DVD media when it's in sleep/lock mode (or at least have an option to do so). That way nothing plugged-in would have any effect unless the user entered their password first.
Realistically, logging-out is probably a better idea than leaving your machine logged-in and sleeping if you have confidential information on it.
manfesto @ Apr 30th 2007 2:21AM
Will this program work if FileVault is turned on? If so, then I can realistically see people buying it just because they forgot their FileVault password :)
Joe Smith @ Apr 30th 2007 2:31AM
Boom, baby.
Preston Ursini @ Apr 30th 2007 2:34AM
This thing is a gimmick to get unsavvy investigators to cough up the money for something they don't need. It's like a jump drive with U3 that copies things over once it is plugged in. Whoop de doo. Seems like it would be easier to just go to the suspect, demand the password, and if he refuses, charge him with obstruction of justice. Problem solved.
dlx @ Apr 30th 2007 2:51AM
Except for the fact that he doesn't have to SAY anything, including his password, that could incriminate himself. That's what we call the 5th amendment. I see you haven't thought your cunning plan all the way through.
Patrick @ Apr 30th 2007 7:44AM
Except for the fact that currently US law enforcement is happily running over the 5th amendment like an SUV over a gum wrapper.
dosguy @ Apr 30th 2007 11:45AM
The government will just torture a suspect until he gives up the password. Welcome to 21st Century Amerikkka.
guns @ Apr 30th 2007 3:27AM
The "investigator" actually has to open maclockpick.app (or whatever) in the Finder in order to nab all the juicy stuff. Kind of inelegant, since the largest point of this seems to be to covertly pull information from a computer without actually taking the whole system (and thus the hard drive).
With regards to FileVault: encrypting your home directory is useless if you set your computer to auto-login or not require a password to wake from sleep. Furthermore, I believe that system logs are not encrypted by default in FileVault, so activity can still be gleaned from those.
Dan @ Apr 30th 2007 3:49AM
Some bozo is actually going to buy this thing and never use it. Unless the cops bust into a suspect's house WHILE he's using his computer and the guy doesn't close it up in time to put it to sleep they get nothing.
-or-
Apple can issue a software update to disable the thing in the next 2 days.
Aazp @ Apr 30th 2007 7:00AM
That's why you never leave your computer logged on, or without password request to wake from sleep/screenSaver.
It's also intelligent to set your main keychain so it locks when sleeping and after some time not in use. You can also change its password from the user password.
Mr. Shrubber @ Apr 30th 2007 7:33AM
That's why you store sensitive information in an encrypted disk image and — if you're a sane person — don't store the password to that image in your login Keychain.
I have separate encrypted disk images for certain types of data: one for all my serials and registration codes, one for my banking information, one for my private email/chat logs, ...
BoZs13 @ Apr 30th 2007 8:14AM
word!
Mark @ Apr 30th 2007 9:33AM
Oh yeah, right, this is for cops. Why would a legitimate "law enforcement professional" need "fast access to the suspect's critical information with as little interaction or trace as possible"?
Patrick @ Apr 30th 2007 6:10PM
My sentiments exactly. We'll see "law enforcement professional"s breaking into Macs left and right and blaming Apple for making OS X sooooooo easy to break into.
@Dan - Apple should release an update and disable this thing.
Legitimacy will not even be an issue when it comes to the "law enforcement professional"s who will get their hands on these things. Remember the general rule: If it can be made, it can be copied.
Ron Larson @ Apr 30th 2007 10:21AM
I can't wait until TrueCrypt gets ported to OSX (or at least Java). It has plausible deniability, is open source, is free, and in my opinion, is the most trustworthy option out there.
DigitalForensicGradStudent @ Apr 30th 2007 11:08AM
haha this cracked me up.
If we want to get into your system we will. That being said, we need a warrant for it. If there is no warrant, there is no accessing a system. If we do get a warrant for your computer... we will get the data we are searching for.
No technician in their right mind would just sneak that into a system, even if it does have desired results (which I doubt it does), it would completely ruin an investigation.
James @ Apr 30th 2007 12:27PM
A bit OT, but if Engadget people are reading this: peppering your posts with links to search your own site about completely random words (police officer --> http://www.engadget.com/search/?q=police) buys you nothing, and costs about half your readers a wasted mouse-over. Seriously, track those links and see how often they're clicked, compared to how often people click a real (off-site or previous-post) link. I bet you a dollar that 100% of the search query links for generic terms like "police" are clicks from people who didn't look where the link pointed before clicking.
Please stop.
S @ Apr 30th 2007 1:20PM
Unless there is something special about the drive itself, the actual program will be available on torrent sites and the average joe will have access in no time.
Pointless....but I guess they did help Apple out with security, no?
JT_X @ Apr 30th 2007 1:41PM
"...once the software on the included drive is ran..."?
Is ran? Don't you mean, "is run"?
Dave Bechtel @ Apr 30th 2007 7:08PM
" and once the software on the included drive is ran, " is RUN
Who is your editor anyway?
Roflgoat @ Apr 30th 2007 8:29PM
But Macs are impenetrable, right?
Right guys?
CaptSaltyJack @ May 1st 2007 12:13AM
Guess I won't be using the Keychain then. And believe me, any "critical" data will be locked up in an AES-256 encrypted .dmg file. Losers.
Leopold Porkstacker @ May 1st 2007 2:21AM
Hmm, I never thought of Mac users as criminals.
Now Windows users, on the other hand...
-he who stacks pork
Ken Allen @ May 1st 2007 2:36PM
If Apple patches this backdoor, SubRosaSoft will go out of business. Haha.
garys @ May 1st 2007 3:35PM
As DigitalForensicGradStudent mentions, you need a warrant. Once you have the warrant you get the computer and run SERIOUS forensic software on the hard drive. What a joke!