This is a guest post by Jonathan Grynspan. I followed his reporting of this issue on Twitter with interest. The basic issue is that, with the default settings, if your Mac is asleep or booted up and logged out, anyone who has your Apple ID and password can access your encrypted FileVault 2 files. This is true even if you have not shared your FileVault recovery key with Apple. Far more than 140 characters were needed to get the full picture, so I encouraged Jonathan to blog about it. As he does not currently have a blog, we decided to post his report here. —Michael
I’m Jonathan Grynspan. I write code. I’m a little wordy. This is gonna be a long one, ’cause of the wordiness.
I, like a number of other security-minded Mac users, turned on FileVault 2 before my new MacBook Air was even out of the box. Whole-drive encryption? Damn skippy! Turns out however that, as of Mountain Lion, FileVault 2 has a 50/50 chance of being completely broken on your system. There’s a backdoor that appears to have been accidentally built in by Apple, and it can be used by an attacker to gain root access on your system.
Mac OS X v10.7 Lion and later include a feature intended to help users with oddly spotty memory. If you’ve forgotten your login password, but remember your Apple ID password, you can reset your login password based off that. (If alarm bells are going off in your head right now, they might be because of Mat Honan’s recent bad luck involving his iCloud account, which doubles as an Apple ID.) In order to use this feature, you must enable it in System Preferences → Users & Groups. That looks like this:
Worryingly, this was enabled by default on my MacBook Air as soon as I upgraded from the copy of Lion it shipped with. I did not enable this feature.
OS X also includes a feature called FileVault 2, as I previously mentioned, that encrypts your entire hard drive and requires your login password to decrypt it. When FileVault 2 is enabled, resetting your password by entering your Apple ID is intended to be disabled (as suggested by the FileVault 2 tech note linked above.) Problem is, it’s not disabled—the option is just hidden from view in System Preferences. As I found out a few days ago, if the setting is enabled when you encrypt your drive, the checkbox disappears and you cannot disable it1. The only way to turn off Apple ID–based password recovery is to decrypt your drive, change the setting, and re-encrypt. That process can take a very long time depending on the size of your drive and whether it’s a hard disk or an SSD. The 1 TB drive on my iMac takes several hours to process completely.
My iMac, though protected with FileVault 2, can be accessed fully (including root access via sudo using my login password) by an attacker who knows my Apple ID password, almost completely defeating FileVault 2. I should note that, to my knowledge, this issue requires physical access to your Mac2. That said, FileVault 2 is explicitly designed to protect against attacks even when the user has physical access; whole-drive encryption is kind of pointless otherwise. But it gets worse. An Apple employee might never touch your keyboard, but Apple ID–based password recovery as designed may allow a malicious Apple employee to gain access—there’s no guarantee or promise from Apple that turning off the feature in the OS UI actually disables the logic involved.
I don’t want to be alarmist. I believe this was an honest oversight by Apple’s engineers, and one that can be corrected in a point release. I’m a loyal Apple user and have been for years. I make a living writing code that only runs on Apple products. But Apple’s boilerplate response when I reported this backdoor was worrisome at best:
Thank you for filing this issue via Apple’s bug reporting system. Apple takes every report of a potential security issue very seriously. After examining your report we do not see any actual security implications. [emphasis mine]
My Apple ID controls much of my data—especially the data I associate with my dealings with Apple, Inc. My login password, on the other hand, protects via FileVault 2’s encryption: every photo of my loved ones that I’ve ever taken; identifying information including my address, phone number, Social Insurance Number, and passport number; all my banking records and tax returns; my medical records…this is personal stuff, not work stuff. I don’t want somebody to be able to decrypt my drive and see it because they have an unrelated Internet-facing password.
Worse, what if I had incriminating evidence on my hard drive (e.g. some movie torrents, or photos of me and my friends and eleven herbs and spices)? A government (foreign or domestic) could serve Apple with a warrant and unlock my encrypted drive for me and I wouldn’t be able to stop them—I don’t even know if turning off the feature in System Preferences would actually do any good! Kim Dotcom would go apeshit over this backdoor.
If the system is coming up from a cold boot, the option to use your Apple ID is not present, presumably because the system can’t load network drivers until it has decrypted them. You’re safe at that point. But once the system is up, if you log out or turn on the screen saver or close the lid or somehow wind up at the login screen, the option appears and can be used. When the setting is enabled, the password hint popup looks like this:
And the attacker can use that arrow button to gain access very quickly. There is therefore a workaround, but it requires vigilance. Whenever you leave your computer for more than a few seconds, shut it down entirely. Don’t let it go to the login screen unless it’s the one presented by FileVault 2 at boot time. And don’t let your Mac out of your sight.
My thanks to Michael for giving me a soapbox on which to stand here.
2 This isn’t entirely true. I took this screenshot using Screen Sharing (since I can’t exactly save a screenshot to the desktop or clipboard before I’ve logged in.) Having done so, I realized that enabling Screen Sharing may expose an even bigger hole, but I don’t know for certain. I have my doubts about command-line access (e.g. SSH) too. ↩