Password Security Hole Discovered in Certain FileVault Configurations on OS X 10.7.3

by

filevault iconZDNet reports on the discovery of a significant breach of password security for certain users of Apple's FileVault encryption system under OS X Lion. Affected systems currently store the login information for every recent user of the machine in plain text, allowing for easy circumvention of encryption.

In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.

Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.

The issue was noted last Friday by David Emery on the Cryptome mailing list.

This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.

Emery also offers some suggestions for dealing with the issue, including turning on FileVault 2 and setting a firmware password on the machine in question.

The issue was actually first noted in the Apple discussion forums back on February 6, just days after OS X 10.7.3 was released to the public. That poster now notes that the issue may extend further than just the specific FileVault situation outlines by others, as he notes that he has experienced the same behavior on an OS X Lion virtual machine through VMware Fusion, without FileVault ever having been active on the installation. Consequently, the extent of the issue may not yet be fully known.

Apple has yet to offer any response to the issue, although it is unclear when the company became aware of it. Apple touts the security features of OS X Lion in its promotional materials for the operating system, with a focus on FileVault as an important component of that security, and it seems likely that the company will move as quickly as possible to investigate and fix the issue.

Popular Stories

iPhone SE 4 Vertical Camera Feature

iPhone SE 4 Rumored to Use Same Rear Chassis as iPhone 16

Friday July 19, 2024 7:16 am PDT by
Apple will adopt the same rear chassis manufacturing process for the iPhone SE 4 that it is using for the upcoming standard iPhone 16, claims a new rumor coming out of China. According to the Weibo-based leaker "Fixed Focus Digital," the backplate manufacturing process for the iPhone SE 4 is "exactly the same" as the standard model in Apple's upcoming iPhone 16 lineup, which is expected to...
Read Full Article136 comments
iPhone 16 Pro Sizes Feature

iPhone 16 Series Is Just Two Months Away: Everything We Know

Monday July 15, 2024 4:44 am PDT by
Apple typically releases its new iPhone series around mid-September, which means we are about two months out from the launch of the iPhone 16. Like the iPhone 15 series, this year's lineup is expected to stick with four models – iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max – although there are plenty of design differences and new features to take into account. To bring ...
Read Full Article129 comments
bsod

Crowdstrike Says Global IT Outage Impacting Windows PCs, But Mac and Linux Hosts Not Affected

Friday July 19, 2024 3:12 am PDT by
A widespread system failure is currently affecting numerous Windows devices globally, causing critical boot failures across various industries, including banks, rail networks, airlines, retailers, broadcasters, healthcare, and many more sectors. The issue, manifesting as a Blue Screen of Death (BSOD), is preventing computers from starting up properly and forcing them into continuous recovery...
Read Full Article492 comments
iphone 14 lineup

Cellebrite Unable to Unlock iPhones on iOS 17.4 or Later, Leak Reveals

Thursday July 18, 2024 4:18 am PDT by
Israel-based mobile forensics company Cellebrite is unable to unlock iPhones running iOS 17.4 or later, according to leaked documents verified by 404 Media. The documents provide a rare glimpse into the capabilities of the company's mobile forensics tools and highlight the ongoing security improvements in Apple's latest devices. The leaked "Cellebrite iOS Support Matrix" obtained by 404 Media...
Read Full Article66 comments
Apple Watch Series 9

2024 Apple Watch Lineup: Key Changes We're Expecting

Tuesday July 16, 2024 7:59 am PDT by
Apple is seemingly planning a rework of the Apple Watch lineup for 2024, according to a range of reports from over the past year. Here's everything we know so far. Apple is expected to continue to offer three different Apple Watch models in five casing sizes, but the various display sizes will allegedly grow by up to 12% and the casings will get taller. Based on all of the latest rumors,...
Read Full Article38 comments
tinypod apple watch

TinyPod Turns Your Apple Watch Into an iPod

Wednesday July 17, 2024 3:18 pm PDT by
If you have an old Apple Watch and you're not sure what to do with it, a new product called TinyPod might be the answer. Priced at $79, the TinyPod is a silicone case with a built-in scroll wheel that houses the Apple Watch chassis. When an Apple Watch is placed inside the TinyPod, the click wheel on the case is able to be used to scroll through the Apple Watch interface. The feature works...
Read Full Article133 comments

Top Rated Comments

loveturtle Avatar
loveturtle
159 months ago
What's the difference between FileVault and FileVault 2? I use 2, but are there any reasons someone would be unable to upgrade from the original to the new version?

If not, this seems like a non-issue.

This is not a non-issue. Don't be an apologist. There are legitimate reasons to use FileVault v1 over v2. v1 encrypts your home directory while v2 encrypts the whole filesystem. If you have untrusted users on the same computer (say shared with a family) v2 will give other users full access to your files while v1 will encrypt on a per home directory basis and another user will be unable to see your files.

Even if there were no legitimate reason to use v1 over v2 that is still no excuse. This is a serious oversight with serious consequences. Now these kind of things happen and the fact that it happened is not an insult to Apple. However, there is no excuse for it going unpatched for this long. There should have been a patch immediately after it was discovered. There is no excuse for that.
Score: 15 Votes (Like | Disagree)
Small White Car Avatar
Small White Car
159 months ago
I'm actually one of those people who like the user-features added to Lion, but doesn't it seem like the behind-the-scenes stuff in Lion is the sloppiest work in ANY version of the Mac OS?

I just feel like I'm seeing more stories like this these days than I did in past years.
Score: 13 Votes (Like | Disagree)
3282868 Avatar
3282868
159 months ago
This is one reason why I wish Apple would start hiring more engineers instead of shuffling them back and forth between iOS and OS X departments as they have since before the first iPhone launch in 2006 (Leopard was delayed twice to an October '06 release as engineers from OS X were shifted to iOS).

It's been stated Jobs hated hiring more, and kept a tight knit group of engineers. Perhaps more would help alleviate/diminish the odds of such programming flaws. Who knows. Either way, I'm sure it wouldn't hurt.

I'm actually one of those people who like the user-features added to Lion, but doesn't it seem like the behind-the-scenes stuff in Lion is the sloppiest work in ANY version of the Mac OS?

I just feel like I'm seeing more stories like this these days than I did in past years.
Agree. From what I gather, engineers are strained, being spread across iOS OS X departments. In part to unify the group but also in keeping with Jobs' desire for a small engineering base. It seems to be negatively effecting some aspects to their OS's.
Score: 11 Votes (Like | Disagree)
tigres Avatar
tigres
159 months ago
Apple will provide a fix for all of us @ the 10.8.3 juncture.;)
Score: 6 Votes (Like | Disagree)
HelveticaRoman Avatar
HelveticaRoman
159 months ago
If Apple were an airline, there's still a better than 80% chance you'd get to your destination safely.
Score: 4 Votes (Like | Disagree)
loveturtle Avatar
loveturtle
159 months ago
On point 1 above, if you use V2 you still cannot access another users files without root access. The system owner should set a root pw. If you set a root pw then others cannot get simple access to other users folders even if they're set as admin level. Although this has nothing to do with the security issues just revealed.

That's not true. Any admin user can spawn a root shell without the root password.

turtle@vier ~ $ whoami
turtle
turtle@vier ~ $ sudo su
vier turtle # whoami
root
vier turtle #

No password required other than the admin user password. That's not the point anyway, system passwords should not be logged in clear text period. Again, the fact that this happened isn't as big of a problem as the fact that it hasn't been patched yet.
Score: 4 Votes (Like | Disagree)
Read All Comments