Hacked in 30 seconds: Thunderbolt flaw in Mac computers can disclose passwords that fast

If you run any type of Thunderbolt device on your Mac, you’ll want to upgrade to MacOS 10.12.2 in short order. The latest update fixes a vulnerability in FileVault 2 — Apple’s second-generation full disk encryption platform — that allowed the disclosure of your system password by simply plugging in a $300 Thunderbolt device.

This device was able to gain access even when the Mac was asleep, researchers said. The hack works by forcing the computer into a reboot (ctrl+cmd+power), plugging in the special Thunderbolt device, and waiting about 30 seconds for the password to appear.

Security researcher Ulf Frisk says the issue is the result of two problems, one being the fact that Macs do not protect themselves from Direct Memory Access (DMA) attacks before the computer is started. The other is that the FileVault password is stored in clear text in memory and not automatically scrubbed once the disk is unlocked.

The password is put in multiple locations, and does apparently change location after reboots. However, it’s in a specific memory range making it fairly easy to scan for and eventually find. Frisk notified Apple of the vulnerability in August, and agreed to withhold it pending a fix, he wrote in a blog post.

“Anyone, including but not limited to your colleagues, the police, the evil maid, and the thief will have full access to your data as long as they can gain physical access – unless the Mac is completely shut down,” Frisk pointed out.

Mac OS 10.12.2 was released last week and fixed a variety of issues including a more reliable auto unlock, graphics, and System Integrity Protection (SIP) issues on some 2016 MacBook Pros, along with a host of other stability improvements.

The Thunderbolt vulnerability was only one of the many security updates in this release: if you’re interested you can learn more about those updates from Apple’s website.