Security News

FileVault Bug Exposes User Passwords

Posted on May 8th, 2012 by

If you use Apple’s FileVault to encrypt your Mac’s hard drive, you should be careful. Security researcher David Emery has discovered a bug in Mac OS X 10.7.3 that may expose your FileVault password. According to Emery, “Someone, for some unknown reason, turned on a debug switch” in Mac OS X 10.7.3, which has the effect of writing a log containing your FileVault password in plain text form.

However, this only seems to apply to users who had FileVault turned on before the release of OS X Lion. If you only turned on FileVault in Lion, then you are safe.

To be fair, it’s not entirely simple for someone to break into a Mac by accessing this file. Emery says that:

the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file.

While that may seem like gibberish to many readers, you can be sure that plenty of malicious users know exactly what that means. And, as Emil Protalinski of ZDnet points out, “it would be possible for cyber criminals to write very specific malware that knows where to look on a targeted system.”

If you are using FileVault, and had been using it prior to Lion, here’s what you can do to protect your Mac and your files.

    1. First, back up your Mac to protect against any possible data loss.
    2. Next, open System Preferences from the Apple menu and click on the Security & Privacy icon. Click on the padlock and enter your administrator’s password to be able to make changes. (You may see a dialog when opening this preference page saying that “You are using an old version of FileVault.” If you do, click on Turn Off Legacy FileVault and skip step 3.)
    3. Click on Turn Off FileVault to turn off FileVault.
    4. Click on Turn On FileVault to turn FileVault on again. A dialog will display a “recovery key,” and offer to store this with Apple. This is a good idea, since if you forget your password you won’t be able to access any of your files. Follow the instructions to do this. You will then need to restart your Mac, and the encryption process will take some time, depending on how big your hard disk is.
    5. The password used for FileVault is the same as your user account password. Make sure to use a different password from the one you used originally for FileVault. To change this, go to the Users & Groups pane in System Preferences and click on your account name. Click on Change Password and follow the instructions to set a new password.

If you perform the above, your new password will be used for FileVault and the text file that is written to your disk will contain the old password; make sure they are different, really different. Don’t just change it from, say, “MyPet” to “MyPet2;” use a password that is in no way related to the previous one.
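The “really different” advice above is the same rule that password-change policies enforce mechanically: reject a new password that is just the old one with a digit or symbol tacked on, reversed, embedded in a longer string, or a few characters away. The following check is an added example written for this article, not code from the article or from Apple; the normalisation rule and the thresholds (a minimum of 4 edits, a similarity ratio of at most 0.5) are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher


def _normalize(password: str) -> str:
    """Lower-case the password and strip leading/trailing digits and
    punctuation, so that "MyPet2", "mypet!" and "2012MyPet" all reduce
    to "mypet". Falls back to the lower-cased original if nothing is left."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    return stripped or password.lower()


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn a into b (standard two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str,
                       min_edits: int = 4,      # assumed threshold
                       max_ratio: float = 0.5) -> bool:
    """Return True if `new` is too obviously derived from `old`, i.e. it
    would not count as a "really different" password."""
    o, n = _normalize(old), _normalize(new)
    # Same core, one contained in the other, or simply reversed.
    if o == n or o in n or n in o or o[::-1] == n:
        return True
    # Too few edits away from the old password.
    if levenshtein(o, n) < min_edits:
        return True
    # Long shared runs of characters (difflib ratio = 2*matches/total).
    if SequenceMatcher(None, o, n).ratio() > max_ratio:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample pairs; the old password is the one that may sit in
    # the plain-text log, so the new one must not be recoverable from it.
    for old, new in [("MyPet", "MyPet2"),
                     ("MyPet", "tePyM"),
                     ("MyPet", "correct horse battery")]:
        verdict = "REJECT (trivial variant)" if is_trivial_variant(old, new) else "ok"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The check is deliberately conservative: it only looks at the two strings, so it cannot recognise semantic relationships such as a season plus a year, and it says nothing about the new password’s strength on its own. It does catch the “MyPet” to “MyPet2” pattern the article warns against, which is the case that matters when the old password has already been written to disk.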

For more information about FileVault, read Apple’s technical note.