Hello,
I have used FileVault for some time and believe it is an important piece of securing one's data. Please bear with me, but I have some questions:
Recently my 2011 MBP was in closed-lid/sleep mode, and I was away from it for a short time (~2 hours) after forgetting my backpack (luckily it doesn't appear anything was taken from my bag). Long story short, someone may have had physical access. I checked the terminal and saw nobody had booted it up since I left it (using the "last" command), and there was no "LidOpen" message in the console indicating the lid had been opened and awakened from sleep other than when I had done so previously that evening. (Nobody else knew my password, and when I unlocked the sleep with my password, everything appeared exactly how it was).
1. I saw on other threads that DMA attacks on FileVault equipped via FireWire were previously patched in Lion 10.7.2; is this the case for Thunderbolt as well (Apologies if this is beating a dead horse. One example is Inception github.com/carmaa/inception that is blocked via FireWire after Lion but not for Thunderbolt on older Macs.)?
2. Out of curiosity, in the case a DMA attack is possible, would there be any immediate use to an attacker obtaining the decryption key if they do not reboot the computer (my understanding was that they would have to start the computer in recovery mode to unlock the drive using the decryption key in the terminal or via Disk Utility, though obviously that would mean the computer would have rebooted and my terminal history would have shown it)?
3. For a non-DMA attack like Thunderstrike 2 (which I understand to the author's knowledge is not in the wild), is it required that the computer is rebooted to load malicious code from the option ROM of a Thunderbolt device?
In short, is there any way an attacker could have obtained data from my FileVault-equipped 2011 MBP, without waking the computer from lid-sleep or rebooting (also not counting opening the MBP and removing the RAM, SSD, or knowing my password), via an external device (SD card, Thunderbolt, USB, etc.)? And if so, would the MBP have recorded activity in the console while in sleep?
Thanks MacRumors.