
Apple OS updates for Mavericks automatically bypass FileVault 2 login screen

With Apple’s release of OS X 10.9.1, it appears that the automated FileVault 2 unlock process Apple built into the Mavericks installer has also been included in OS X updates. To illustrate, I’ve made a video showing the following process:

  • Logging into a FileVault 2 encrypted Mac
  • Verifying that I was on 10.9.0 and encrypted
  • Opening the Mac App Store and installing the 10.9.1 update
  • Mac reboots and bypasses the FileVault 2 pre-boot login screen
  • Mac automatically logs into my account


Note: The video has been edited to artificially reduce the amount of time the install process takes to run. Run time of the pre-edited video was 14 minutes.

How is the pre-boot login screen bypassed?

During the update process, the updater stores an unlock key in the SMC so that the encrypted volume can be unlocked at the next boot. Once the Mac has rebooted, the key is automatically cleared from the SMC. This is similar to how fdesetup authrestart works, except that the user is never prompted to authorize it.

How is the Mac automatically logging into my account following the update?

This question is unresolved at this time and this behavior is worrisome to me. Walking away at the wrong moment may give an opportunity for someone to get physical access to my Mac without my knowledge.

The length of that window of vulnerability is determined by how soon the screensaver kicks in, since enabling FileVault 2 also sets your Mac to require your account’s password before the screensaver can be dismissed.
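As an added example (not part of the original post), the following script estimates that window from the screensaver settings on the Mac it runs on and reports whether FileVault is enabled. It assumes the standard com.apple.screensaver keys (idleTime, askForPassword, askForPasswordDelay) and a 20-minute idleTime fallback when a key is unset; on a machine without defaults(1) or fdesetup it falls back to those defaults so the logic can still be exercised.

```sh
#!/bin/sh
# Added example: estimate how long a Mac that auto-logs-in after an update
# stays unlocked when left unattended. The window is bounded only if the
# screensaver starts (idleTime > 0) AND a password is required to dismiss it.

# exposure_seconds IDLE_TIME ASK_FOR_PASSWORD ASK_DELAY
#   Prints the number of seconds until the session locks, or "unbounded"
#   when the screensaver never starts or does not require a password.
exposure_seconds() {
    idle="$1"; ask="$2"; delay="$3"
    if [ "$idle" -eq 0 ] || [ "$ask" -ne 1 ]; then
        echo unbounded
    else
        echo $(( idle + delay ))
    fi
}

# read_screensaver_setting KEY FALLBACK: read a per-host screensaver
# preference; uses FALLBACK when the key is unset or defaults(1) is absent.
read_screensaver_setting() {
    key="$1"; fallback="$2"
    if command -v defaults >/dev/null 2>&1; then
        defaults -currentHost read com.apple.screensaver "$key" 2>/dev/null || echo "$fallback"
    else
        echo "$fallback"
    fi
}

# filevault_enabled: succeeds when fdesetup reports FileVault is on.
filevault_enabled() {
    command -v fdesetup >/dev/null 2>&1 && fdesetup status 2>/dev/null | grep -q 'FileVault is On'
}

main() {
    # Fallback values are assumptions: 1200 s idle, no password, no delay.
    idle=$(read_screensaver_setting idleTime 1200)
    ask=$(read_screensaver_setting askForPassword 0)
    delay=$(read_screensaver_setting askForPasswordDelay 0)
    if filevault_enabled; then fv="on"; else fv="off or unknown"; fi
    echo "FileVault: $fv"
    echo "Unattended window after an automatic login: $(exposure_seconds "$idle" "$ask" "$delay") seconds"
}

main "$@"
```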

Do you have information about how the Mac is automatically logging into an account after an update? Please let me know in the comments.

  1. December 18, 2013 at 5:42 pm

    I encountered this “feature” on a non-FV-enabled iMac. Automatic login was turned off. Clicked “Restart Now” in the Notification Center pop-up. OS update applied, computer restarted, and then automatically logged back in, seeming to bypass the preference I’d set in the Security&Privacy system prefs pane. Restarting normally, the computer obeys the preference I’d set and asks for password at login window.

  2. syuroff
    December 18, 2013 at 5:51 pm

    “Walking away at the wrong moment may give an opportunity for someone to get physical access to my Mac without my knowledge.”
    Unless you’re using a form of electronic proximity sensing, when is this not a true statement?

    • December 18, 2013 at 6:06 pm

      Indeed, but prior to Mavericks, wrong moments had not included “running an automated software update that includes a reboot.” Prior to Mavericks, a FileVault 2-compatible Mac whose boot volume was encrypted with FileVault 2 would have run the update, rebooted and then stopped at the pre-boot login screen because the disk was locked.

      If the user was away from their desk, the Mac would have then shut off after a few minutes, leaving the disk’s encryption locked and no window of opportunity for access by an unknown party.

  3. John
    December 18, 2013 at 7:46 pm

    As far as FV goes, of course that needs to have the key put in the SMC so that it is available at boot.

    As far as login goes, there is nothing special about user login for the OS to have to do backflips to bypass. As a convenience, the OS provides an authentication mechanism (user/pass, smartcard/PIN, etc.) that says “once you are who you say you are, we’ll let you in.”

    There is nothing stopping Apple from implementing (in this case) an authorization rule that amounts to “Yeah yeah, saw your ID already, walk right in.” /Because that’s already how it works/

    What happens if you run an update as an AD/OD user, then change their password/disable their account as the machine power cycles? I bet it logs in anyway.

    I apologize that I don’t have the technical expertise to describe how Apple is doing this.

    • John
      December 18, 2013 at 7:49 pm

      – But what I think I am getting at is, I don’t think they are secretly caching credentials; it’s much more likely that they are bypassing a credential check at next boot and telling the kernel “yup, load the loginwindow.app as that guy.”

    • R0xd
      January 6, 2014 at 10:30 am

      Remember that AD users cannot have filevault. Only autologin.

      • January 6, 2014 at 11:47 am

        As long as they’re set up as mobile user accounts, users from a directory service (Active Directory, Open Directory, OpenLDAP, etc.) can be enabled for FileVault 2.

  4. December 18, 2013 at 10:37 pm

    Yes, but do we trust Apple enough to keep that secure? What’s to stop a third party from accessing that same lock bypass to fool the kernel into logging in as “that guy” in the future?

  5. December 19, 2013 at 8:12 am

    Rich, see the post I’ve made contributing to the investigation. My money is on the option flag in the distribution description file within that package. Link below:

    https://cobbservations.wordpress.com/2013/12/19/examining-the-contents-of-osx-update-packages/

    • December 19, 2013 at 8:13 am

      PS…I don’t have any money.

      • December 20, 2013 at 12:55 am

        Updated the above-linked post after doing some more testing. Let me know your thoughts.

  6. fistofdeath
    December 24, 2013 at 7:26 pm

    I just updated my FileVault-encrypted Retina MacBook Pro from 10.9 to 10.9.1 using the command line. Rebooted from my account and was prompted to enter my FileVault password. Perhaps Apple released a different package? Or does updating via command line vs. App Store make a difference?
