
Protecting yourself against Firewire DMA attacks on 10.7.x

There’s been a recent flurry of news about how Macs are vulnerable to Firewire DMA attacks, following a news release by Passware that the newest version of their Passware Kit software can decrypt FileVault 2.

There’s good news and bad news here. The bad news is that, under certain circumstances, it is possible for an attacker to use the Firewire port on your Mac to read the contents of RAM directly over DMA and extract passwords, encryption keys and other information from it.

The good news is that there are defenses against these attacks. In fact, Apple built fairly good defenses into Lion at the kernel level, as long as you’re running 10.7.2 or later. Based on the testing shown here, the main time a Mac running 10.7.2 or later is vulnerable to a Firewire DMA attack is when someone is logged in and the screensaver lock isn’t engaged. Even better, this protection applies whether or not the Mac is encrypted with FileVault 2.

That being said, enabling FileVault 2 encryption on a laptop should take away the option to not lock your screen on sleep or screensaver, so a 10.7.x FileVault 2-encrypted laptop should be protected against Firewire DMA attacks in every state except one: you’re logged in and working with the screen unlocked, and someone plugs a Firewire cable into your laptop.

If you really want to make sure that your Mac is secured (after all, Thunderbolt’s DMA exposure is still being explored), I recommend enabling FileVault 2 to encrypt your boot drive. Once it’s enabled, run the following command so that your Mac hibernates on sleep (the contents of RAM are written to disk and RAM is powered off) and also removes the FileVault 2 key from the saved RAM state when the Mac goes to standby:

sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25

A description of what this command does can be found here; the pmset man page (man pmset) also documents both the hibernatemode and destroyfvkeyonstandby settings.
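As an added example (not part of the original post), here is a small shell script that verifies the two settings from pmset -g output without changing anything. The pm_setting and check_pm_settings function names are my own, and the two pmset -g transcripts are constructed to resemble a Lion laptop before and after the command above; on a real Mac, pipe the live output in with pmset -g | check_pm_settings (or run the script with --live).

```shell
#!/bin/sh
# Added example, not code from the original post: check that hibernatemode is 25 and
# destroyfvkeyonstandby is 1 by parsing `pmset -g` output, without modifying anything.

# pm_setting NAME: read `pmset -g` style output on stdin and print the value of NAME
# (second column), or "unset" when the setting does not appear at all. Lion only lists
# destroyfvkeyonstandby once it has been set, so "unset" is the expected default there.
pm_setting() {
    awk -v key="$1" '$1 == key { print $2; found = 1 } END { if (!found) print "unset" }'
}

# check_pm_settings: read `pmset -g` output on stdin, report each setting that differs from
# the recommended value, and return 0 only when both match.
check_pm_settings() {
    input=$(cat)
    hib=$(printf '%s\n' "$input" | pm_setting hibernatemode)
    dfv=$(printf '%s\n' "$input" | pm_setting destroyfvkeyonstandby)
    status=0
    if [ "$hib" != "25" ]; then
        echo "hibernatemode is $hib, expected 25 (RAM written to disk and powered off on sleep)"
        status=1
    fi
    if [ "$dfv" != "1" ]; then
        echo "destroyfvkeyonstandby is $dfv, expected 1 (FileVault 2 key removed from RAM on standby)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: hibernatemode 25 and destroyfvkeyonstandby 1 are both set"
    return "$status"
}

# Constructed sample: what `pmset -g` looks like on a Lion laptop with default settings
# (hibernatemode 3 = safe sleep, and no destroyfvkeyonstandby line at all).
SAMPLE_DEFAULT='Active Profiles:
Battery Power        -1
AC Power             -1*
Currently in use:
 standbydelay         4200
 standby              1
 hibernatefile        /var/vm/sleepimage
 hibernatemode        3
 displaysleep         10
 lidwake              1'

# Constructed sample: the same machine after
# `sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25`.
SAMPLE_HARDENED='Active Profiles:
Battery Power        -1
AC Power             -1*
Currently in use:
 standbydelay         4200
 standby              1
 hibernatefile        /var/vm/sleepimage
 hibernatemode        25
 destroyfvkeyonstandby 1
 displaysleep         10
 lidwake              1'

# Run against the real machine with `sh check_pmset.sh --live`; otherwise exercise the samples.
if [ "${1:-}" = "--live" ]; then
    pmset -g | check_pm_settings
else
    echo "--- default settings ---"
    printf '%s\n' "$SAMPLE_DEFAULT" | check_pm_settings
    echo "--- hardened settings ---"
    printf '%s\n' "$SAMPLE_HARDENED" | check_pm_settings
fi
```

The check reads the "Currently in use" values, so it reflects the power source the Mac is on right now; since the recommended command uses -a (all power sources), a mismatch here usually means the command was never run or was later overridden by another pmset call.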

Once the sleep settings are changed by the above command, you’ll notice a few changes in how your Mac goes to sleep:

1. It’ll take longer – Your Mac is writing everything in RAM to disk. Depending on how much RAM you have and how fast your hard drive is, this can make going to sleep take a couple of minutes longer than you’re used to.

2. Your Mac won’t wake when you open the screen – Lifting the lid of your laptop won’t wake a Mac from hibernation. You’ll need to press the power button like you would if you were starting up your Mac.

3. You’ll need to enter your password twice when waking – Because your Mac’s FileVault 2 encryption key was removed from memory, when you wake your Mac it’ll look like you’re back at the FileVault 2 pre-boot login screen (though only your account will be shown). This is because the Mac needs you to re-enter your account password to unlock the encrypted volume so that the saved RAM image can be read back from disk into memory.

Once the contents of the saved data are back in your Mac’s RAM, you’ll be prompted for your password again. This password will be for your screensaver lock, which has engaged because your Mac has woken from sleep.

One thing to be aware of is that, as of 10.7.1 and 10.7.2, there was a bug where using the above pmset settings could cause an occasional kernel panic when the Mac was returning from hibernation. Apple knows about this and is tracking it as bug ID 10278935. If you experience it, please report it to bugreport.apple.com and reference that bug ID. That said, I have not seen it yet in 10.7.3. Hopefully, that means it’s now fixed.

Update – 2-12-2012: It took about a week to show up, but I’ve now had two kernel panics when returning from hibernation. Looks like this bug hasn’t been squashed yet.

  1. Mike O.
    August 2, 2012 at 9:41 pm

    Howdy–in reading this (http://www.frameloss.org/2011/09/18/firewire-attacks-against-mac-os-lion-filevault-2-encryption/) as well as some other sites that reference similar attacks on Windows, it seems another option might be to disable FireWire (under Network -> gear at bottom of left panel -> “Make Service Inactive”) or block FireWire at the firewall. This assumes you don’t need it, but may be less disruptive day-to-day than the above solution. Thoughts?

  2. darksith69
    December 21, 2012 at 3:40 pm

    It would be nice to show the counter commandline which shows the current setting without changing it, so you can verify the current setting.

  3. SeaBash
    January 3, 2013 at 5:42 pm

    darksith69 :
    It would be nice to show the counter commandline which shows the current setting without changing it, so you can verify the current setting.

    If you’re referring to the pmset command (in this article), you can crudely check all settings like this…
    pmset -g

  4. t.a
    January 28, 2013 at 6:37 pm

    Does this attack still exist with a Thunderbolt port instead of Firewire, and can anyone post a link to discussions and fixes, etc.? Thanks.

  5. March 20, 2013 at 9:09 pm

    In response to Mike O. above, turning off Firewire in the network settings will have nothing to do with this. DMA stands for direct memory access. These attacks are trying to grab the passwords on the machine straight from the memory. This is possible because fw is sort of like having a card plugged into the machine, which is assumed to be a safe thing, and this kind of low level access could be required to make some type of new fw device possible to create. If everything was closed off, you’d potentially only have fw hard drives instead of audio interfaces (which, incidentally can keep playing audio during sleep, but not during hibernation like is described in the above post), external video capture devices and whatever else.

    I’d bet this is a similar situation with Thunderbolt if you’re using a Firewire adapter.

  6. September 2, 2015 at 3:25 am

    Hi all

