This device was able to gain access even when the Mac was asleep, researchers said. The hack works by forcing the computer into a reboot (ctrl+cmd+power), plugging in the special Thunderbolt device, and waiting about 30 seconds for the password to appear.
Security researcher Ulf Frisk says the issue is the result of two problems, one being the fact that Macs do not protect themselves from Direct Memory Access (DMA) attacks before the computer is started. The other is that the FileVault password is stored in clear text in memory and not automatically scrubbed once the disk is unlocked.
The password is put in multiple locations, and does apparently change location after reboots. However, it’s in a specific memory range making it fairly easy to scan for and eventually find. Frisk notified Apple of the vulnerability in August, and agreed to withhold it pending a fix, he wrote in a blog post.
“Anyone, including but not limited to your colleagues, the police, the evil maid, and the thief will have full access to your data as long as they can gain physical access – unless the Mac is completely shut down,” Frisk pointed out.
Mac OS 10.12.2 was released last week and fixed a variety of issues including a more reliable auto unlock, graphics, and System Integrity Protection (SIP) issues on some 2016 MacBook Pros, along with a host of other stability improvements.
The Thunderbolt vulnerability was only one of the many security updates in this release: if you’re interested you can learn more about those updates from Apple’s website.
