Password Security Hole Discovered in Certain FileVault Configurations on OS X 10.7.3
ZDNet reports on the discovery of a significant breach of password security for certain users of Apple's FileVault encryption system under OS X Lion. Affected systems currently store the login information for every recent user of the machine in plain text, allowing for easy circumvention of encryption.
In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.
Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.
The issue was noted last Friday by David Emery on the Cryptome mailing list.
This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.
Emery also offers some suggestions for dealing with the issue, including turning on FileVault 2 and setting a firmware password on the machine in question.
The issue was actually first noted in the Apple discussion forums back on February 6, just days after OS X 10.7.3 was released to the public. That poster now notes that the issue may extend further than just the specific FileVault situation outlines by others, as he notes that he has experienced the same behavior on an OS X Lion virtual machine through VMware Fusion, without FileVault ever having been active on the installation. Consequently, the extent of the issue may not yet be fully known.
Apple has yet to offer any response to the issue, although it is unclear when the company became aware of it. Apple touts the security features of OS X Lion in its promotional materials for the operating system, with a focus on FileVault as an important component of that security, and it seems likely that the company will move as quickly as possible to investigate and fix the issue.
Popular Stories
Apple is "shaking up its color palette" for its iPhone 16 lineup this year, according to well-connected Bloomberg reporter Mark Gurman. Early iPhone 16 Pro dummy models via Sonny Dickson According to Gurman, the iPhone 16 Pro models will come in a Gold Titanium to replace Blue Titanium, while the Black, White, and Natural Titanium options that debuted with the iPhone 15 Pro will remain...
Apple's next-generation iPhone 16 series is expected to launch on September 20 and will compete in a quickly evolving smartphone market, and with some notable upgrades rumored, the new models could see price changes compared to previous years. Successive iPhone models always come with new features and hardware upgrades, but Apple typically does not increase the retail prices as a result....
Bloomberg's Mark Gurman today shared his final expectations for Apple's "It's Glowtime" event, providing some new tidbits and clarifications about the new devices set to be announced on Monday. iPhone 16 Pro Along with larger 6.3- and 6.9-inch display sizes, the iPhone 16 Pro and iPhone 16 Pro Max will have bezels that are "now about a third slimmer" for a "sleeker overall look." The...
iOS 18 has been in beta testing for nearly three months, and the software update will finally be released for all compatible iPhones soon. Apple should reveal iOS 18's exact release date during its September 9 event, with the most likely possibility being Monday, September 16. Below, we have highlighted eight key new features included in iOS 18. Note that Apple Intelligence is not coming...
The Apple Watch Series 10 will include a new sleep apnea detection feature, but it may not be available as soon as the new model launches, according to Bloomberg's Mark Gurman. Sleep apnea detection, which builds on the watch's existing sleep tracking, will attempt to determine if a wearer has sleep apnea and then suggest further testing with a medical professional. Gurman had expressed...
The upcoming iPhone 16 Pro might break a seven-year streak at Apple. Taiwanese research firm TrendForce today reported that the iPhone 16 Pro will start at $1,099 in the U.S. with 256GB of storage, whereas the iPhone 15 Pro starts at $999 with 128GB of storage. If this information is accurate, it means that the iPhone 16 Pro will cost more for customers who otherwise would have opted for a...