A company that makes password recovery tools has released one that can snatch passwords from a locked or sleeping Mac running OS X Lion by plugging another computer into the Mac’s FireWire port. The attack technique is several years old and the only way to defend against it is to turn the Mac off.
Passware, which has engineering facilities in Moscow and headquarters in Mountain View, California, said its Passware Kit Forensic v11 analyzes a Mac’s live memory via FireWire. FireWire is a fast serial interface developed in the 1980s by Apple. It is also known by Sony as i.LINK and was standardized as IEEE 1394.
If a computer is turned on and has been logged into at least once, Passware’s software can extract passwords in a few minutes, even if the computer is locked or sleeping. It can even extract passwords in the Mac’s keychain password store—regardless of password strength and even if FileVault encryption is used, the company said in a news release.
The issue affects all “modern” Mac OS versions, including Snow Leopard and the latest one, Lion.
Apple officials contacted in London did not have an immediate comment.
Passware said there’s an easy defense: turn off the computer, which erases the passwords from the computer’s memory. Passware also suggested disabling the feature that automatically logs in a user when the computer is turned on, a basic security step.
The FireWire password issue has been around for some time. In 2008, Uwe Hermann—a Debian developer—compiled a list of research papers from over the years summarizing issues with FireWire. Hermann wrote that if you can gain access to a computer with a FireWire port, it is possible to read or write data in the computer’s RAM.
Other defenses against the attack include simply not having a computer with a FireWire port or plugging an existing one up. If a computer has a PCMCIA or PCI card slot, however, it could still be vulnerable if a FireWire-enabled card is inserted, Hermann wrote.
Passware’s Kit Forensic costs $995 with one year of free updates.