f l a m e . o r g

organized flames

Security vulnerability in Apple OSX 10.8.x

Posted on March 19, 2013

I have discovered a security vulnerability in Apple’s full disk encryption which can cause a disk to appear to be encrypted when it is not. From the Apple-provided GUI tools, it appears to be encrypted, but it can be mounted from the command line without any passphrase, and all data is available unencrypted.

Using only standard GUI tools through the Finder, we see:

  • Get Info reports the disk as “journaled, encrypted”.
  • Right-clicking on the disk gives the option to “decrypt disk”.
  • Upon boot or plugging in an external disk, the GUI prompts for the passphrase to unlock the disk.

However, using the diskutil command line tool, it can be mounted without using a passphrase, on any computer, including one where the passphrase was never typed. All data on this disk is available, without a password, because it was not actually encrypted.

To detect this situation, run the command line tool and look at the output:

Broken, insecure output

% diskutil coreStorage list

CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group EF9AE5EC-6D6C-4F86-98C0-ECC8EAAD3934
    =========================================================
    Name:         Griffin
    Status:       Online
    Size:         1499957936128 B (1.5 TB)
    Free Space:   16777216 B (16.8 MB)
    |
    +-< Physical Volume CFD269FC-E5DC-47E6-AA4C-BF2EB0A0FBF4
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk2s2
    |   Status:   Online
    |   Size:     1499957936128 B (1.5 TB)
    |
    +-> Logical Volume Family 4FE1C33E-206C-4416-83F0-5DA9FA08365E
        ----------------------------------------------------------
        Encryption Status:       Locked
        Encryption Type:         AES-XTS
        Conversion Status:       Pending
        Conversion Direction:    -none-
        Has Encrypted Extents:   No
        Fully Secure:            No
        Passphrase Required:     Yes
        |
        +-> Logical Volume 9298D2EB-8BB6-45A6-B5F0-3C830A692A9D
            ---------------------------------------------------
            Disk:               disk4
            Status:             Online
            Size (Total):       1499622387712 B (1.5 TB)
            Size (Converted):   -none-
            Revertible:         Yes (no decryption required)
            LV Name:            Griffin
            Volume Name:        Griffin
            Content Hint:       Apple_HFS

Normal, secure output

This is what you should expect to see if a disk is fully encrypted. Partially encrypted disks may show different results, but the “Conversion Direction” should not be “-none-” in that case, and “Has Encrypted Extents” should be “Yes” even when “Fully Secure” is not yet “Yes.”

% diskutil coreStorage list

CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 20945FFB-CB42-4EFC-AB93-C0DF97596343
    =========================================================
    Name:         Lion
    Status:       Online
    Size:         437110194176 B (437.1 GB)
    Free Space:   16777216 B (16.8 MB)
    |
    +-< Physical Volume 98B2B76D-FDE2-4286-A0AC-C938849D4506
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |   Size:     437110194176 B (437.1 GB)
    |
    +-> Logical Volume Family B3B6C8CD-73C1-42BD-8F86-D5262A9446E1
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume FB3EC7CE-C78F-4CF3-94D9-B498CACB734D
            ---------------------------------------------------
            Disk:               disk1
            Status:             Online
            Size (Total):       436774645760 B (436.8 GB)
            Size (Converted):   -none-
            Revertible:         Yes (unlock and decryption required)
            LV Name:            Lion
            Volume Name:        Lion
            Content Hint:       Apple_HFS
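
The comparison between the two listings can be automated. The following is an added example, not part of the original post: it parses `diskutil coreStorage list` text and flags any Logical Volume Family that requires a passphrase while reporting no encrypted extents and no conversion in progress. The verdict rule, the function names and the `cs_audit.py` file name are assumptions made for this example, and the embedded sample is trimmed from the broken listing above.

```python
import re
import sys

# Constructed sample: trimmed from the "broken" listing on this page.
SAMPLE = """\
+-- Logical Volume Group EF9AE5EC-6D6C-4F86-98C0-ECC8EAAD3934
    |
    +-> Logical Volume Family 4FE1C33E-206C-4416-83F0-5DA9FA08365E
        Conversion Direction:    -none-
        Has Encrypted Extents:   No
        Fully Secure:            No
        Passphrase Required:     Yes
        |
        +-> Logical Volume 9298D2EB-8BB6-45A6-B5F0-3C830A692A9D
            Revertible:         Yes (no decryption required)
"""
HEADER = re.compile(r"(Logical Volume Group|Physical Volume|Logical Volume Family"
                    r"|Logical Volume) ([0-9A-F-]{36})")
FIELD = re.compile(r"^[\s|]*([A-Za-z][^:]*):\s+(.*\S)\s*$")

def parse_families(text):
    """Map each Logical Volume Family UUID to its own key/value fields."""
    families, current = {}, None
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            kind, uuid = header.groups()
            # Fields under any other header (group, PV, LV) are ignored.
            current = families.setdefault(uuid, {}) if kind.endswith("Family") else None
        elif current is not None and (field := FIELD.match(line)):
            current[field.group(1).strip()] = field.group(2)
    return families

def classify(fields):
    """Verdict rule assumed from the two listings and the note on partial encryption."""
    extents = fields.get("Has Encrypted Extents")
    if (fields.get("Passphrase Required") == "Yes" and extents == "No"
            and fields.get("Conversion Direction") == "-none-"):
        return "insecure"  # asks for a passphrase, yet nothing is encrypted
    if extents == "Yes" and fields.get("Fully Secure") == "Yes":
        return "secure"
    return "review"  # conversion under way, or a combination not shown on the page

def audit(text):
    return {uuid: classify(fields) for uuid, fields in parse_families(text).items()}

if __name__ == "__main__":
    # Usage: diskutil coreStorage list | python3 cs_audit.py  (no pipe: sample)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for uuid, verdict in audit(text).items():
        print(f"{verdict.upper():8} Logical Volume Family {uuid}")
```

A “review” verdict means the listing matches neither state shown on this page and should be read by hand.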

Apple?

*tap tap* Is this thing on?

I have attempted to report this issue to Apple through various means, but it has been difficult to reach any level of communication, let alone bidirectional communication. I am not comfortable with Apple’s “send us the details, and we’ll handle it from there” response with no apparent feedback to the reporter. I would have expected a little more proactive response from Apple that did not involve knowing someone who works at the right place, or spending 3 hours on the phone just to reach an ineffective conclusion.

That said, Apple has been notified about this issue, but due to my low expectations that Apple is going to follow through in a timely manner, and that I feel this is more of a data safety issue, and not likely to be remotely exploitable. It is most likely caused by a software defect, and should be hard to exploit.

However, I also feel others might want to check their disks, or find someone who can check them. Just seems like the prudent thing to do.