Here's How an Attacker can steal your Mac FileVault2 Password

Video Demonstration of the Attack

"Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access - unless the Mac is completely shut down," Frisk explained in a blog post on Thursday.

"If the Mac is sleeping it is still vulnerable. Just stroll up to a locked Mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!"

Macintosh computers are often considered to be safer than those running Windows operating system, but a recently discovered attack technique proves it all wrong.All an attacker needs is a $300 device to seize full control of your Mac or MacBook.Swedish hacker and penetration testerhas developed a new device that can steal the password from virtually any Mac laptop while it is sleeping or even locked in just 30 seconds, allowing hackers to unlock any Mac computer and even decrypt the files on its hard drive.So, next time when you leave your Apple's laptop unattended, be sure to shut it down completely rather than just putting the system in sleep mode or locked.The researcher devised this technique by exploiting two designing flaws he discovered last July in Apple's FileVault2 full-disk encryption software.The first issue is that the Mac system does not protect itself against(DMA) attacks before macOS is started.It's because the Mac EFI or Extensible Firmware Interface (similar to a PC's BIOS) let devices plugged in over Thunderbolt to access memory without enabling DMA protections, which allows Thunderbolt devices to read and write memory.Secondly, the password to the FileVault encrypted disk is stored inin memory, even when the computer is in sleep mode or locked. When the computer reboots, the password is put in multiple memory locations within a fixed memory range, making it readable by hacking devices.Dubbedand costs approximately $300, the hacking device exploits these two vulnerabilities to carry out DMA attacks and extract Mac FileVault2 passwords from a device's memory in clear text before macOS boots, and anti-DMA protections come into effect.To do this, all an attacker needs is access to a target Mac computer for just a few minutes to connect the PCILeech hacking device to the computer via its Thunderbolt port, which would allow the attacker to have full access to its data.Frisk also provided a video demonstration, which shows how he just plugged in a card flashed with his open source PCILeech software tool into the Mac's Thunderbolt port, which ran the hacking tool on the target Mac or MackBook, rebooted the system, and read the Mac password on the other laptop.Yes, the attack only works if an attacker has physical access to a target Mac or MacBook, but all it takes is just 30 seconds to carry out successfully.Frisk reported his findings to Apple in August and the company fixed the issues in macOS 10.12.2 released on 13 December.So Apple desktop users are required to update their devices to the latest version of its operating system to be safe.