How in the world is this even possible, you might ask? Well, in recent versions of OS X and macOS, Mac computers provide protections against Direct Memory Access (DMA) once the system has been fully booted. However, this same DMA protection is not afforded to systems that have been turned on, but have not yet completed the boot process.
Couple that with the fact that FileVault stores its password in clear text in memory, and you have a pretty easy way to hack into a system if you have direct physical access to Mac hardware. In this case, researchers were able to construct a $300 device that connects to a Mac via Thunderbolt.
“Once the mac is rebooted the DMA protections that macOS previously enabled are dropped,” writes Ulf Frisk. “The memory contents, including the password, is still there though.” According to Frisk, attackers only have a window of a few seconds to successfully compromise the system upon reboot, but being in the right place at the right time has potentially huge benefits for nefarious parties.
“Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access - unless the Mac is completely shut down,” Frisk adds. “If the Mac is sleeping it is still vulnerable.”
Apple was first contacted about the issue on August 15th, and the very next day confirmed the vulnerability, asking that it not be disclosed while a fix was put into place. Thankfully, Apple fully patched the vulnerability with the release of macOS 10.12.2 earlier this week.
Apple’s response to being notified about a potential lapse in security is markedly different from Netgear’s approach, as we found out over the weekend. Netgear did not respond to a reported remote exploit in its router firmware for four months, and only took action (with beta firmware for select affected routers) after the exploit was made public.