Passware Inc. is a forensics security company that develops investigation software kits to reveal passwords on seized computers. Last year it released a version of its kit that allows an investigator to reveal the passwords of Apple's FileVault encryption technology, along with those for similar technologies such as TrueCrypt, PGP Disk, and BitLocker. Recently the kit has gained more features and now has the ability to snoop through a system's hibernation file for Google and Facebook account passwords.
The Passware snooping technology works by accessing a system's memory either through a port that has direct memory access (DMA), or by accessing a system's sleepimage (hibernation) files. It scans the contents of these resources for patterns to reveal relevant passwords.
While Passware is meant for investigative purposes only and is targeted both by intent and price to forensics institutions, Passware CEO Dmitry Sumin acknowleged that the software being available does pose a potential threat in a press release:
"There's no guarantee that professional-grade versions of Passware Kit won't fall into the wrong hands. As most users know, a running computer is insecure in many ways and leaving it unattended makes it available to unauthorized individuals. Simple advice for all users is to disable hibernation on their computers and after dealing with confidential information to power them off. Full-disk encryption also prevents access to the system hibernation file."
Ways you can secure your Mac from such attacks include enabling a firmware password to block DMA access, encrypting the hard drive with FileVault, disabling the system's sleepimage file when it's going to sleep, and simply shutting down the computer when not in use.
- Enabling a firmware password
Direct memory access to a Mac's RAM can be done through either FireWire or Thunderbolt ports, and allows programs that run on secondary systems, like Passware, to sample memory and possibly extract information. DMA is enabled by default, but you can disable it by setting up a firmware password on your system. Modern Macs use an Input/Output Memory Management Unit (I/OMMU) that connects DMA ports with the system's memory, allowing remapping of memory for virtualization purposes as well as a DMA lock that is activated whenever a firmware password is enabled.
To set a firmware password on Macs, boot your system to the OS X installer and choose "Firmware Password" from the Utilities menu that will be available once you choose your language. Then enter your password accordingly.
While beneficial for security purposes, a firmware password will prevent booting to external volumes, safe mode, single-user mode, or allow for resetting the PRAM, so if you need to perform these tasks for troubleshooting purposes, you will first need to disable the password. Firmware passwords in early Mac systems could be easily reset, but starting with its 2011 systems Apple implemented a new firmware password routine that requires resetting at an Apple service center.
- Set up a sleep and screensaver password
In addition to a firmware password, setting up a screensaver password to require authentication when the system wakes from sleep or resumes from standby will invoke the same I/OMMU lock that prevents DMA access. This can be done by checking that option in the General section of the Security & Privacy system preferences and choosing a time frame in which the password should activate.
- Enable FileVault
FileVault in OS X Lion and later offers a full-disk encryption routine that will encrypt all contents of the boot volume, including sleepimage and virtual memory swap files that may contain password information. With this feature enabled these files should be secured from access by booting the system to Target Disk mode or otherwise directly accessing the hard drive by circumventing the operating system. While the Passware forensics kit can uncover FileVault passwords, this is done through DMA ports, so if coupled with a firmware password, FileVault should be safe from this mode of attack.
- Disable sleepimage files
The sleepimage file that contains memory when the computer is hibernating may be scanned for its contents. While FileVault, a firmware password and/or a screensaver password combination should secure the image files from access if the computer is off, in sleep mode, or if the screensaver is activated, if the computer is logged in, then technically someone with physical access could access these files and copy them to an external volume for processing at a later point.
Apple's virtual memory swap files are encrypted by default, so they do not pose as much of a risk, but the sleepimage file is more accessible; however, you can disable this by modifying the system's hibernate mode that is stored in the PRAM. To do this, first read the current sleep mode value that is set for your system by opening Terminal and running the following command:
pmset -g | grep hibernatemode
With this value noted, you can disable the sleepimage by running the following command to set the hibernatemode variable to 0 (you can revert to the original state by repeating this command and replacing 0 with the value noted above):
sudo pmset -a hibernatemode 0
The hibernatemode values determine whether the system will write memory contents to disk, a feature that is not needed in most cases; however, if you often find yourself running a laptop system on low battery power without frequent access to AC power, you might want to consider leaving this feature on, as it should preserve your workflow in the event the battery cannot sustain the system and it needs to shut down.
- Shut down the system
Most of these attack options for computers rely on active memory, which can easily be managed simply by shutting the system down when not in use. While system sleep has been a convenient feature for maintaining workflow and still is the best option for doing so, Apple's Autosave and Resume features in OS X allow the system to restore one's workflow nearly to how it was left off in the event of a power outage or shutdown. As such it is another option you can use to maintain your workflow while keeping your system more secure. Do keep in mind that this alone will not prevent access to the system's sleepimage file that is stored on the hard drive, but if coupled with either disabling this file as described above or securing access to it with FileVault, then shutting down is an easy way to keep your system safe.
Overall, a new Mac in its default configuration is susceptible to snooping from kits like Passware, but you can effectively block such attacks using combinations of the above techniques. They should not have much impact (if any) on your computer's performance, and only on rare occurrences will require a few extra steps to access a needed resource or two.