Security concerns on Apple's FileVault decryption via FireWire

Yesterday's news of Passware's ability to decrypt FileVault-encrypted Macs in under an hour may have some people concerned about what this means for Mac security. After all, the purpose of encryption is to keep people from easily accessing the data on your drive, and yet Passware shows that in the hands of a capable person, your drive's encrypted contents might quite easily be uncovered.

Security experts speculate that the 128-bit XTS-AESW encryption used in FileVault would take millions of years to crack with a brute-force approach, so while Passware's approach clearly does not employ a brute-force option, why is it able to crack it in under an hour?

One reason might be that there is a flaw in the encryption technology itself that Passware's code exploits, but the real issue here stems not from FileVault, but rather from an age-old criticism of FireWire technology: Direct Memory Access (DMA) through a communications port.

The FireWire controller is one of several technologies that uses DMA, which is an integral feature that allows access to memory contents without the need for mediating instructions from the CPU (programmed code such as that in an operating system), thereby reducing overhead and improving system performance during data transfers.

Unfortunately this same feature also gives FireWire its drawbacks. The direct memory access gives peripheral devices unmoderated ability to read and write both system memory and that on PCI cards, which can contain anything from passwords to encryption keys being actively used to store files on a FileVault, BitLocker, or TrueCrypt drive.

In addition to direct memory access, FireWire uses peer-to-peer interaction between devices, which permits them to communicate on the hardware level for features such as Target Disk mode, but also allows peripherals to communicate with system hardware underneath the operating system. This was seen in 2004 at the PacSec conference, where as described in CoreSecurity's "Bad Peripherals" publication (pdf), it was demonstrated that an iPod could be used to access and modify active memory on multiple computer platforms.

These drawbacks in FireWire have been widely discussed in the context of malicious and investigative intent, and as a result the news from Passware is nothing new, but instead is just a continuation of these discussions with the capabilities of memory snooping via FireWire now including the ability to use it for accessing encryption keys stored in memory.

This type of attack can only happen if a system has any communications port technology that supports DMA, which not only includes FireWire but also Apple's new Thunderbolt connector, making it highly likely that your Mac is one of them. However, the chances that your system would be attacked in this way are quite slim, especially because of the requirements needed to pull off this hack:

1. Physical presence
   In order to work, the system needs to be accessed directly through its FireWire port by another device, which means an attacker would need to sit next to your system with it attached to a computer of his own.


2. Expensive tools
   So far the tools available for this type of attack are rather expensive, at just under $1,000 per license, making them unattractive options to would-be thieves and more in the realm of government and educational organizations. While this might change in the future, for now it is a substantial restriction for the common thief.


3. Specialized tools
   Not only are the tools expensive, but they need to be properly tested to reliably image the memory data. If an error occurs when imaging memory, then the system has a high chance of crashing, which is good news for your data since it means the system would need to be restarted, resulting in a wipe of its memory and loss of the decryption keys.


4. System needs to have encryption keys in active RAM
   If the encryption keys are not in active RAM, then they cannot be recovered. This hack does not extract them from their storage location on disk, and the only way they will be in RAM is if you have the encrypted disk mounted, which provides an easy solution for any external and secondary drives you may have.

In other words, because of the stringent requirements for obtaining the encryption keys, it is highly unlikely that a thief would uncover your files. Instead, it is far more likely that a thief would format the drive and get rid of the system to the quickest and highest bidder. Nevertheless, if you are still concerned, then there are a couple of things you can do to prevent such access to your system and protect your data.

After reading about Passware's abilities, some have suggested that people disable their FireWire ports in OS X, either by doing so in the Network system preferences or by removing FireWire-related kernel extensions, thinking that by doing so they would thwart any intrusion from the port. Unfortunately, doing this will not change a thing. While disabling the port in software will prevent the OS from interacting with it, as long as the port has power and is recognized by the firmware, then the controller itself will still be active and its DMA features will continue to allow memory access.

1. Firmware password
   A true fix to this issue would be some method for interrupting the FireWire controller's direct access to memory, which luckily can be done by enabling the Mac's firmware password, given that one undocumented effect of doing this is the disabling of FireWire's DMA feature.


2. Shut down your system
   Merely putting the computer in sleep mode will leave its RAM contents intact, even as a sleep image file, and waking the system will restore these contents. Therefore, when not using your system or transporting portables, shut it down instead of just closing the lid.


3. Use encrypted disk images
   Instead of relying solely on FileVault to encrypt your data, use encrypted disk images to further contain sensitive information, and do not put the password to these images in your keychain, as similar memory imaging techniques can uncover keychain passwords.

   Do keep in mind that this option will still keep the password for the encrypted image in memory, but will require extra effort to uncover so while more secure from a scan of a memory dump, it is not fully secure.



4. Unmount encrypted volumes when not in use
   CORRECTION (Friday, Feb 3): Unfortunately the passwords used to unlock the keys and decrypt the volume are left in memory even after the drive is unmounted, making it possible to recover the password and unlock the volume. This option should not be relied upon to prevent access to the drive from information in a memory dump; however, for external drives that can be kept separate from the system it is still recommended to keep either them or the contents on them encrypted for security purposes.


5. Enable iCloud's Find my Mac
   As a last option, you can use Apple's iCloud Find My Mac feature and use it to remotely wipe your system in the event that it is stolen. While this feature does require it to be connected to an Internet connection (something a smart thief would avoid), once you have set it to remotely wipe, then if by chance the system does acquire an Internet connection, it will delete your files.

Overall, though this news is a concern in some respects, it is not something that will change your system's security much at all. Obtaining the encryption keys has some stringent requirements such as specialized tools and skill, and its expense would likely be prohibitive to most people. The key beneficiaries to this development so far are law enforcement and government agencies that might need to crack a system for investigative purposes.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.