Archive for December 18, 2013

Apple OS updates for Mavericks automatically bypass FileVault 2 login screen

December 18, 2013

With Apple’s release of OS X 10.9.1, it looks like the automated FV 2 unlock process that Apple built into the Mavericks install process has been included with OS X updates. To illustrate, I’ve made a video showing the following process:

  • Logging into a FileVault 2 encrypted Mac
  • Verifying that I was on 10.9.0 and encrypted
  • Opening the Mac App Store and installing the 10.9.1 update
  • Mac reboots and bypasses the FileVault 2 pre-boot login screen
  • Mac automatically logs into my account

Note: The video has been edited to artificially reduce the amount of time the install process takes to run. Run time of the pre-edited video was 14 minutes.

How is the pre-boot login screen bypassed?

During the upgrade, the update process places an unlock key in the SMC so that the encrypted volume is unlocked at boot. The reboot process then automatically clears the key from the SMC. This is similar to how fdesetup authrestart works, except that the user is not prompted to authorize it.

How is the Mac automatically logging into my account following the update?

This question is unresolved at this time and this behavior is worrisome to me. Walking away at the wrong moment may give an opportunity for someone to get physical access to my Mac without my knowledge.

The length of that window of vulnerability is going to be determined by when the screensaver kicks in, as enabling FileVault 2 will also set your Mac to require your account’s password before exiting the screensaver.
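An added example (not from the original post): a shell check that estimates the window described above from the screen saver settings. The `com.apple.screensaver` keys `idleTime`, `askForPassword` and `askForPasswordDelay` are assumed to be where this OS X release stores those settings, display sleep is ignored, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Estimates how long a session stays unlocked after the
# automatic post-update login, based on the screen saver settings.

# exposure_window IDLE_SECS ASK_FOR_PASSWORD PASSWORD_DELAY_SECS
# Prints the seconds until the session locks, or "unbounded" when the
# screen saver never starts or does not require a password. Unset or
# unreadable values count as "unbounded" so they get reviewed.
exposure_window() {
    idle=${1:-0}; ask=${2:-0}; delay=${3:-0}
    delay=${delay%%.*}            # defaults may print the delay as 5.0
    [ -n "$delay" ] || delay=0
    case "$idle$ask$delay" in
        *[!0-9]*) echo "unbounded"; return 0 ;;
    esac
    if [ "$idle" -eq 0 ] || [ "$ask" -ne 1 ]; then
        echo "unbounded"
    else
        echo $((idle + delay))
    fi
}

# Collects the live values on a Mac. The preference keys are assumptions
# about where this OS X release stores the screen saver settings.
audit_this_mac() {
    fdesetup status || true                 # may need root
    fdesetup supportsauthrestart || true    # is an authrestart-style unlock possible?
    idle=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || true)
    ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null || true)
    delay=$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null || true)
    echo "Unlocked window after automatic login (seconds): $(exposure_window "$idle" "$ask" "$delay")"
}

# Only query live settings when running on OS X.
if [ "$(uname -s)" = "Darwin" ]; then
    audit_this_mac
fi
```

A result of "unbounded" means the session opened by the automatic login never locks on its own through the screen saver.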

Do you have information about how the Mac is automatically logging into an account after an update? Please let me know in the comments.
