Mac OS X password recoverable from RAM?
In a recent post over at Ars Technica, they say that Mac OS X users could have their login passwords recovered through physically accessing the RAM. This comes after FileVault was proven to be cracked. The article notes that Mac OS X and certain applications store the user's password in memory, leaving it there after you've logged in. While locally-running apps cannot readily retrieve the password, someone could get access to the contents of RAM after the computer has been rebooted or shut down.
This could be accomplished by physical means and might require the hacker to remove the RAM cover on your Mac and chill the RAM, as suggested by Edward Felten's research team at Princeton. This freezing allows the information to stay on the RAM for longer than the normal 2.5 to 35 seconds -- allowing someone to place it in another computer and read the contents.
In a separate approach to the password-in-RAM vulnerability, CNET witnessed an EFF demo of an attack using a custom NetBoot "EFI memory scraper" to record the RAM contents on reboot and save the data as a file on another machine over the network -- the attackers were able to clearly find the login password in the file. Again, this attack requires physical access to the machine (in order to force the NetBoot via holding down the N key on restart) within a minute or two of shutdown. However, an attacker could conceivably target a machine that was locked or sleeping (with RAM contents 'live'), power it off and back on, and use the NetBoot attack immediately.
While Apple has been made aware of the attack (notified on February 5), no fixes for these issues were reported in the 2/11 security update. According to CNET, an Apple spokesperson said they were aware of the issues and were "working to fix it in an upcoming software update." Until this update comes out, you may want to set a firmware password for your Mac, or wait longer to leave your unattended Mac after a shut down. Alternatively, we have lovely TUAW-branded tin foil hats available for purchase.
[via Ars Technica]
