Give
this a read. If you have FV2 enabled and you setup a firmware password to prevent booting from peripheral devices, you are in good shape just logging out.
Read
this also.
These hacks and the Passware software mentioned require direct memory access (DMA) through either a Firewire or Thunderbolt port, and if you enable a firmware password this shuts down that access.
The only hack I have seen that would conceivably work with both FV2 and firmware password involved introducing a hacked Thunderbolt device that grabs your password the next time you boot. This would require say a maid at a hotel to swap maybe your Thunderbolt ethernet adaptor with a hacked one. Then when you logon the hacked device intercepts your password. Then the maid would have to come back a second time and steal your machine now with the password intercepted. Even the article on this hack seemed vague on the impact a EFI (firmware) password would have. This same hack can be accomplished (according to the article) by removing the drive from your machine and using another machine to hack the EFI partition, then put the drive back. But again, this just captures your password when you enter it.
I know the popular cliche often posted here is "if the thief has physical to your machine they can get in", but I have not seen a documented case where anybody could gain access on a newer Intel Mac with both FV2 and EFI password protection.
If someone has an article showing that this has actually been done, I would be interesting in reading it. I don't say this to be argumentative, I am genuinely curious if anybody has seen documentation of this actually being done.
The only thing I have read that theoretically could work is freezing and removing RAM chips to capture a password left in RAM, but again I have not seen an actual test case where this worked on a Mac.
Good discussion.
