MacBook Air EFI Password Reset

[sayagain]

A little while ago a group of researchers from Princeton University showed the world some practical uses of the RAM Remnants exploit.

And then CNet's own Declan McCullagh had one of the Princeton researchers drop by and Hack his own MacBook FileVault.

This basically meant that no data is really protected from unauthorized access no matter how sophisticated an encryption or access-control program is being used (including "PGP WDE for Mac", and "Checkpoint Pointsec for Mac" and of course "Apple FileVault"), just as long as the host computer is caught with its "pants off" - that is, when it's either turned on and authenticated (even if screen-locked with password), or within a (max~) minute after it's been turned off, or while sleeping (again, even if locked upon resume), and in some cases, hibernated. Actually, if Whole-Disk-Encryption is being used, just the pre-boot authentication is enough - user does not have to be logged on to the OS for the exploiter to access the data (unless FileVault is also used On-Top)

I wasn't comfortable knowing that I couldn't protect my data even if I wanted to, without losing too much Functionality (sleep, screenlock, even log out) ... and Comfort (counting 2 minutes after power off?!)

So after some researched I figured that the MacBook Air, was an ideal (perhaps unintentionally) protection against such exploits, due to its: (1) Soldered Ram - cannot cool and mobilize (2) EFI standard firmware-password - locking ability that does not allow booting from an alternate medium (3) Inability to reset EFI password - by altering the motherboard RAM configuration (July-2008 Article "Except MacBook Air" - article not updated since Rev B appeared)

My problem is, now that I want to buy MBA (Late 2008), a new Apple article appeared: November-2008 Article (MacBook Air Late 2008) suggesting that you can possibly get your lost password reset by a Genius or an Authorized Service Provider.

That scares me, because I can't tell from that new Article if there's a new undocumented way to reset the MBA EFI password, such as a new boot key combination, or a new on-board Jumper Setting or Shorting technique that that prevents "Bricking" MBA's (Late 2008)... Quite honestly, I don't have an actual proof that an MBA Rev A (Early 2008) customer had to have his motherboard replaced if password is lost, so a possibly undocumented Apple workaround could have existed prior to the November-2008 article. But the new article specifically invites MBA Rev B owners to visit service center, not Rev A.

Whatever the workaround may be, I would hope that the procedure renders the RAM remnant exploit impossible (example: the machine has to disconnect power long enough for data on RAM to fully decay, or a RAM zeroing function is completed by EFI prior to resetting NVRAM/Password, etc)

Does anyone have any additional information that could help me understand if MBA Rev B is still secure in that context, or if MBA Rev A really ever was?

p.s. If you think I'm being "overly concerned" about my privacy, like I'm a secret agent or a completely psych paranoid, think again. You don't really know what you have to lose until you've lost it. I'm talking programmers, designers, husbands, wives, attorneys, accountants, and Apple Product Managers with their future products lineup and launch schedule on their laptop hard drives, all protected by a mere false sense of security. a "password". hmm...

 

[TWEO]

Sounds to me as if you're working for some kind of intelligence agency, but if that's the case, you're probably not at liberty to choose your own laptop

 

[glitch44]

i'm assuming you already keep your important files in an encrypted Truecrypt partition? An encrypted truecrypt partition w/ cascading algorithms + EFI password + secure virtual memory + soldered RAM + always shutting down rather than putting it to sleep when it's out of view + screensaver password is pretty damn secure.

AFAIK, truecrypt doesn't store password hashes in RAM, so a RAM hack is useless and even if you hacked the EFI + Boot password, you'd still need to get the truecrypt password or password + key file.

 

[h1d]

Wow, nice research. Didn't think I'd see anything academic but fights against Apple fans on this forum

That was an easy to understand video.

As for the RAM being soldered, they can still cool it down and if they have the skills, they could reroute the RAM onto some other mobo they have next to it bypassing the MBA's EFI completely before the RAM content vanishes?

Personal computers may not have much to upset one if it's stolen data wise, but this is a big topic for coorporate computers, where it does matter and information could worth a fortune if it could be snapped out.

Although, bit of a joke, but MBA is too expensive for any corporate to have a wide deployment, making the thievs treat MBA as just a personal hobby computer

OTOH, I hate having TrueCrypt installed, while it may help (likely), but having a chance of having a hidden volume will have you tortured unless you tell them the key, and since there is no way to verify its existence, you will be in bad situation if someone thinks you might have one even if you don't...And what's worse, you can't also prove there isn't one. It's funny that academic research says otherwise, telling you are safe because no one can tell you there is one. But I guess it's a complete crap, and only works if you are caught by the 'friendly' people where being silence somewhat works.

When a bad guy gets caught by a good guy, TrueCrypt works by shutting them up.
When a good guy gets caught by a bad guy, TrueCrypt will kill you.

It's a bit of a joke, but you could make a big encrypted disk image and name and put them alongside a bunch of porns and make sure other porns are real, and if one went to play the encrypted disk image, just say 'download corrupt?'. It's better to let them drop the hope of you having something valuable. Having password and encryption tools in the computer make people rather drool and not give up, because all you need is the person him/herself to unlock it as the last resort.

Seems about time RAM manufactures start contributing to security matters. (Like instant erase on power off etc)

 

[sayagain]

i'm assuming you already keep your important files in an encrypted Truecrypt partition? An encrypted truecrypt partition w/ cascading algorithms + EFI password + secure virtual memory + soldered RAM + always shutting down rather than putting it to sleep when it's out of view + screensaver password is pretty damn secure.

AFAIK, truecrypt doesn't store password hashes in RAM, so a RAM hack is useless and even if you hacked the EFI + Boot password, you'd still need to get the truecrypt password or password + key file.

It took me 35 minutes with princeton's cold boot attack freely available tools to get the private key in it's unencrypted form from a MacBook Pro protected with all above measures (of course I didn't know what to do with it once I had it, but that's another story) But I think if I had 2Gb of RAM instead of 4Gb it should have taken me only 20 minutes. Hmm... Funny to note the key probably either existed in the first Dimm, or else the 2nd Dimm I took out for ~1min to get around EFI password still had the key stored

 

[sayagain]

Sounds to me as if you're working for some kind of intelligence agency, but if that's the case, you're probably not at liberty to choose your own laptop

Knock Knock. Wake up Tweo. ... Oh you know what.. Ignorance is Bliss.. back to sleep now

 

[sayagain]

As for the RAM being soldered, they can still cool it down and if they have the skills, they could reroute the RAM onto some other mobo they have next to it bypassing the MBA's EFI completely before the RAM content vanishes?

I've amused myself with that thought too. This is so complicated that it would be too expensive to execute, and is out of the scope of my threat profile, as the data I wish to protect is not that valuable to anyone.

Although, bit of a joke, but MBA is too expensive for any corporate to have a wide deployment, making the thievs treat MBA as just a personal hobby computer

Perhaps, but one could claim the contrary - thieves may perceive the bloke with the MBA to be some spoiled/mobility-conscious executive, and some worth while data "should be there". You are also limiting the threat scope to random thieves (big problem these days - where I live junkies on motorcycles are snatching laptops from coffeeshop tables and selling it to you after wards, just like they used to do with cell phones for their mere hardware worth), rather than thieves hired by corporate greedsters to get this or that guy's data while on the go.

OTOH, I hate having TrueCrypt installed, while it may help (likely), but having a chance of having a hidden volume will have you tortured unless you tell them the key, and since there is no way to verify its existence, you will be in bad situation if someone thinks you might have one even if you don't...And what's worse, you can't also prove there isn't one. It's funny that academic research says otherwise, telling you are safe because no one can tell you there is one. But I guess it's a complete crap, and only works if you are caught by the 'friendly' people where being silence somewhat works.

I see what you mean. I guess it is only a matter of time before TC pops a feature to have 2 hidden volumes. With their Millions of users, I'm sure they've heard this feature request several times.

It's a bit of a joke, but you could make a big encrypted disk image and name and put them alongside a bunch of porns and make sure other porns are real, and if one went to play the encrypted disk image, just say 'download corrupt?'. It's better to let them drop the hope of you having something valuable. Having password and encryption tools in the computer make people rather drool and not give up, because all you need is the person him/herself to unlock it as the last resort.

Well all you need is a good decoy - like an old or non-working version of your software source code, etc.

Seems about time RAM manufactures start contributing to security matters. (Like instant erase on power off etc)

IBM and other companies offer desktop machines with battery-backed anti tampering security chip that wipes the ram content. It's important to remember that data remnants in ram is known as a security threat for decades. Only thing changed is how easy it is for a punk with half a brain to make a business out of snatching and selling-back laptops, with free to download tools.

 

[sayagain]

You know whats worst? PC users don't have this problem. They have TPM chips and BIOS. The can just go on SonyStyle.com or Lenovo.com and have their new laptop shipped with a hardware-based whole-disk-encrypted disk, for just a few bucks extra. @


Anyone could answer the question in bold in the original post?

 

[glitch44]

It took me 35 minutes with princeton's cold boot attack freely available tools to get the private key in it's unencrypted form from a MacBook Pro protected with all above measures (of course I didn't know what to do with it once I had it, but that's another story) But I think if I had 2Gb of RAM instead of 4Gb it should have taken me only 20 minutes. Hmm... Funny to note the key probably either existed in the first Dimm, or else the 2nd Dimm I took out for ~1min to get around EFI password still had the key stored

was the truecrypt partition mounted at the time?

if you avoid using sleep and completely shut down the computer when you're done, i though the cold boot attack is ineffective against Truecrypt partitions. if you've successfully hacked a truecrypt partition in this manner, I will be suitably impressed.

 

[sayagain]

was the truecrypt partition mounted at the time?

if you avoid using sleep and completely shut down the computer when you're done, i though the cold boot attack is ineffective against Truecrypt partitions. if you've successfully hacked a truecrypt partition in this manner, I will be suitably impressed.

Whoa.. hold your horses.. Mounted. Actually it wasn't a partition but a volume, though it does not matter. I mentioned wanting to avoid loss of functionality and comfort, I like sleep and screen lock - very useful when going out for a stroll, or simply taking a p**s

 

[glitch44]

You're joking right.. Mounted. And it wasn't a partition it was a volume, not that it matters. I mentioned wanting to avoid loss of functionality and comfort in the original post.

okay, so you almost (but not really) did a cold boot attack against a macbook pro with removable RAM on a MOUNTED volume? Of course mounted volumes are vulnerable. That's the trade off between comfort and security. You know how you protect against this? Make sure a team of ninjas doesn't break into your hotel room and steal your laptop before you've had a chance to shut it down for the night.

edit:
yeah, i like sleep and screen lock too, that's why i use them instead of shutting down my laptop any time it's out of my physical control-- which would be a better policy. but if lost or stolen, i have confidence that 99% of the people in the world wouldn't know (or care) how to find and crack my truecrypt partition-- but i also don't have anything sensitive. if you do, i'd go for an IBM with hardware FDE + smart card + truecrypt... etc, etc all that crazy stuff.

 

[h1d]

Although you might not have anything sensitive, it's better to think in terms of what would be the worst situation for the current implementation. Just because 99% of random thieves don't know how to recover FileVault key, doesn't really mean much for a security perspective. That said, my current environment sucks big time, someone take it, remove SSD, everything is theirs...

 

[fteoath64]

Whoa.. hold your horses.. Mounted. Actually it wasn't a partition but a volume, though it does not matter. I mentioned wanting to avoid loss of functionality and comfort, I like sleep and screen lock - very useful when going out for a stroll, or simply taking a p**s

Hold your horse Kimoslabi, you are assuming the machine uses ASCII character set. Well I transposed it to a alien non-ASCII, only known to me character set and unknown file system. And store it as a blob of giberish in ASCII. You go mount that in any microkernel and call me in a trillion years.

 

[sayagain]

Hold your horse Kimoslabi, you are assuming the machine uses ASCII character set. Well I transposed it to a alien non-ASCII, only known to me character set and unknown file system. And store it as a blob of giberish in ASCII. You go mount that in any microkernel and call me in a trillion years.

Hands down, that's pretty clever! can I do that? How?
Are there any downsides, like, can I still write/read files in ASCII/UNICODE?