Passwords in Mac OS X can be pilfered with new tool

The tool capitalizes on a long-known issue in how FireWire can be used to read a computer's memory

A company that makes password recovery tools has released one that can snatch passwords from a locked or sleeping Macintosh running Mac OS X Lion by plugging another computer into the Mac's FireWire port. The attack technique is several years old and the only way to defend against it is to turn the Mac off.

Passware, which has engineering facilities in Moscow and headquarters in Mountain View, California, said its Passware Kit Forensic v11 analyzes a Mac's live memory via FireWire. FireWire is a fast serial interface developed in the 1980s by Apple. It is also known by Sony as i.LINK and was standardized as IEEE 1394.

[ Check out InfoWorld's review: Mac OS X Lion, more than multitouch. | Discover the key Mac, iOS, and Apple tech trends for business users. Read InfoWorld's Technology: Apple newsletter. ]

If a computer is turned on and has been logged into at least once, Passware's software can extract passwords in a few minutes, even if the computer is locked or sleeping. It can even extract passwords in the Mac's keychain password store -- regardless of password strength and even if FileVault encryption is used, the company said in a news release.

The issue affects all "modern" Mac OS versions, including Snow Leopard and the latest one, Lion.

Apple officials contacted in London did not have an immediate comment.

Passware said there's an easy defense: turn off the computer, which erases the passwords from the computer's memory. Passware also suggested disabling the feature that automatically logs in a user when the computer is turned on, a basic security step.

The FireWire password issue has been for some time. In 2008, Uwe Hermann -- a Debian developer -- compiled a list of research papers from over the years summarizing issues with FireWire. Hermann wrote that if you can gain access to a computer with a FireWire port, it is possible to read or write data in the computer's RAM.

Other defenses against the attack include simply not having a computer with a FireWire port or plugging an existing one up. If a computer has a PCMCIA or PCI card slot, however, it could still be vulnerable if a FireWire-enabled card is inserted, Hermann wrote. Another precautionary measure is to try and ensure no one gets access to your computer.

Passware's Kit Forensic costs $995 with one year of free updates.

Send news tips and comments to jeremy_kirk@idg.com.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies