PCILeech is a $300 device that was effectively and successfully used by a Swedish hacker and penetration tester for obtaining complete control over Mac or Macbook. The hacker Ulf Frisk is the creator of PCILeech, which any hacker can use to hack a MacBook.
This particular device can hack the passcode of literally any Apple laptop even if it is in Sleep mode or is locked. Moreover, the process of stealing password takes merely 30 seconds. The attacker can easily unblock any Max PC or Laptop and also decrypt all the files present on its hard drive.
The technique devised by Frisk relies upon two significant yet lesser known designing faults in Apple’s FileVault2 full-disk encryption software. Frisk wrote a blog post to explain his findings and the process in detail. According to his blog post, the MacOS FileVault2 allows attackers “with physical access” to obtain the password in the clear text simply by plugging in the “$300 Thunderbolt device” regardless if the mac is sleeping or locked.
“The password may be used to unlock the mac to access everything on it. To secure your mac just update it with the December 2016 patches. Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable,” wrote Frisk.
The faults in MacOS identified and exploited by Frisk include the insufficient protection against Direct Memory Access (DMA) attacks prior to the starting of MacOS. It was noted by Frisk that the Mac EFI (Extensible Firmware Interface) allows the devices that are plugged in over Thunderbolt to control memory without activating DMA protections. This hint upon the fact that Thunderbolt devices are equipped with read and write access to the memory.
The second issue exploited by Frisk is that MacOS stores password to the FileVault encrypted disk in clear text format in memory even if the computer is locked or in Sleep Mode.
“The second issue is that the FileVault password is stored in cleartext in memory and that it’s not automatically scrubbed from memory once the disk is unlocked. The password is put in multiple memory locations – which all seems to move around between reboots, but within a fixed memory range,” explained Frisk.
It is worth noting that PCILeech is a device that can automate DMA attacks and obtain Mac FileVault2 passwords in seconds. Frisk has notified Apple about the results of the research and the company has shown commitment to issuing a fix with the Mac OS 10.12.2, which is due to be released this week. We suggest that you update your Mac as soon as possible.