Author Topic: Apple has egg on its face with High Sierra blunder!  (Read 4993 times)


Offline timb

  • Super Contributor
  • ***
  • Posts: 2536
  • Country: us
  • Pretentiously Posting Polysyllabic Prose
    • timb.us
Apple has egg on its face with High Sierra blunder!
« Reply #25 on: December 02, 2017, 09:19:21 pm »
All Apple PCs use Intel hardware. This story (link below) has not gotten the media attention one would think it would get. But that doesn't mean it's not important.

http://www.cs.vu.nl/~ast/intel/

And the Intel Management Engine decrypts the drive how exactly?

The same way any user does but with three levels higher permissions.

Care to explain that further? FileVault isn’t like a BIOS password on a PC. Aside from the UEFI partition and a small amount of code to boot the system, the rest of the drive is stored in an encrypted disk image. A master key or valid username and password are required to un-encrypt and mount the volume. The IME would have neither. (And it wouldn’t know how to do it to begin with, since the encryption is all software based and designed by Apple, not Intel.)
« Last Edit: December 03, 2017, 01:20:05 am by timb »
Any sufficiently advanced technology is indistinguishable from magic; e.g., Cheez Whiz, Hot Dogs and RF.
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: Apple has egg on its face with High Sierra blunder!
« Reply #26 on: December 02, 2017, 11:52:51 pm »


All Apple PCs use Intel hardware. This story (link below) has not gotten the media attention one would think it would get. But that doesn't mean it's not important.

http://www.cs.vu.nl/~ast/intel/

And the Intel Management Engine decrypts the drive how exactly?

The same way any user does but with three levels higher permissions.

Care to explain that further? FileVault isn’t like a BIOS password on a PC. Aside from the UEFI partition and a small amount of code to boot the system, the rest of the drive is stored in an encrypted disk image. A master key or valid username and password are required to un-encrypt and mount the volume. The IME would have neither. (And it wouldn’t know how to do it to begin with, since the encryption is all software based and designed by Apple, not Intel.)

(Also, I’m pretty sure access to the IME is disabled on Apple systems. I know ethernet/WiFi access isn’t turned on, which means no remote KVM access.)
"What the large print giveth, the small print taketh away."
 

Offline timb

  • Super Contributor
  • ***
  • Posts: 2536
  • Country: us
  • Pretentiously Posting Polysyllabic Prose
    • timb.us
Apple has egg on its face with High Sierra blunder!
« Reply #27 on: December 03, 2017, 01:41:57 am »


Right, UEFI and SMM can be exploited, but that’s nothing new and applies equally well to all PCs, not just Apple systems. (This problem has been around a lot longer than UEFI. Viruses that re-flash a PC’s BIOS have been around since at least 1999.)

My point was that FileVault closes an attack vector otherwise open on non-encrypted systems when locked.
« Last Edit: December 03, 2017, 01:44:47 am by timb »
Any sufficiently advanced technology is indistinguishable from magic; e.g., Cheez Whiz, Hot Dogs and RF.
 

Offline raptor1956

  • Frequent Contributor
  • **
  • Posts: 869
  • Country: us
Re: Apple has egg on its face with High Sierra blunder!
« Reply #28 on: December 03, 2017, 03:15:47 am »
The real surprise is that it took so long (two months) for someone to notice and make public.
A lot more people probably noticed, but just kept it secret.

Yes, what are the odds that the NSA and other signals intelligence outfits around the world were aware and said nothing?


Brina
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23024
  • Country: gb
Re: Apple has egg on its face with High Sierra blunder!
« Reply #29 on: December 03, 2017, 09:27:39 am »
High.

FireWire and Lightning have DMA capabilities. I’m not sure how exploitable it is but you could read disk buffers which are not encrypted directly from RAM. When you suspend a Mac, i.e. shut the lid, it goes into light sleep, not hibernate, so if you open the lid then all disk buffers that have been read are vulnerable.

Also I don’t think Macs use an HSM so the state of the machine is likely in that RAM somewhere, possibly enough info to get that FileVault key.

And then there’s the ME processor which can be activated and has better than ring 0 access.

You can’t win either way unless you control the entire hardware end to end which Apple do with iOS.

The whole situation sucks.
 

