
Hackers can access Macs that are left in sleep mode

By Bryan Chan & Marcus Wong - on 20 Dec 2016, 9:39am


Swedish hacker and penetration tester Ulf Frisk has successfully used a US$300 (~RM1,343) device called PCILeech to unlock a Mac and decrypt all of its files over a Thunderbolt connection.

In his words: “Just stroll up to a locked Mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!”

It seems two issues allow this to happen:

First, Macs do not protect themselves against Direct Memory Access (DMA) attacks before macOS is running. At this early stage, EFI enables Thunderbolt, which allows malicious devices to read and write memory. macOS does enable DMA protections by default, but the disk must be unlocked before macOS can be started, so those protections are not yet active at that point.

The second issue is that the FileVault password is stored in clear text in memory and isn’t automatically erased once the disk is unlocked. It is moved around between reboots, but only within a fixed memory range, making it easier to target.
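The second issue, a password left in clear text after it has been used, shown as an added C example (not from this article, Frisk's post or Apple's fix). The buffer layout, `unlock_volume` and the sample passphrase are constructed for illustration; the check reports residue when the buffer is not wiped and none when it is.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the fixed memory range where pre-boot code
   buffers the typed password (an assumption, not Apple's real layout). */
static unsigned char preboot_region[256];

/* Zero a buffer through a volatile pointer so the compiler cannot
   discard the stores as dead writes, as it may with a plain memset(). */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Hypothetical unlock step: stands in for deriving the disk key. */
static int unlock_volume(const unsigned char *pw, size_t len) {
    return len > 0 && pw[0] != 0;
}

/* Residue check: 1 if the secret's bytes still occur in the region. */
static int residue_present(const char *secret) {
    size_t n = strlen(secret);
    if (n == 0 || n > sizeof preboot_region) return 0;
    for (size_t i = 0; i + n <= sizeof preboot_region; i++)
        if (memcmp(preboot_region + i, secret, n) == 0) return 1;
    return 0;
}

/* Unlock, optionally wiping the buffer afterwards; returns 1 if the
   password is still readable in the region, 0 if not, -1 on bad input. */
int unlock_and_check(const char *typed, int wipe_after) {
    size_t n = strlen(typed);
    if (n > sizeof preboot_region - 64) return -1;  /* reject oversized input */
    memset(preboot_region, 0, sizeof preboot_region);
    memcpy(preboot_region + 64, typed, n);          /* password lands in range */
    if (!unlock_volume(preboot_region + 64, n)) return -1;
    if (wipe_after) secure_wipe(preboot_region + 64, n);
    return residue_present(typed);
}

int main(void) {
    const char *pw = "constructed-passphrase";      /* constructed sample */
    return !(unlock_and_check(pw, 0) == 1 && unlock_and_check(pw, 1) == 0);
}
```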

Frisk goes on to detail exactly how the password can be found on his blog page, but also notes that Apple has since released a security update with macOS 10.12.12 that patches this loophole. Needless to say, we’d recommend getting it now by updating your Mac.


Source: Ulf Frisk’s blog