The Passware toolkit enables live target memory acquisition over FireWire and subsequent recovery of FileVault encryption keys.
“Computer forensics can now easily gain a FileVault encryption key from the target computer memory, which provides full access to the encrypted Mac hard disk. The full process takes no more than 40 minutes – regardless of the length or complexity of the password”, the company said in a release.
The toolkit is designed for computer forensics firms, law enforcement organizations, government agencies, and private investigators that need to break the FileVault encryption platform for legal reasons.
However, as Edy Almer, vice president of business development at Wave Systems, noted, the toolkit can be purchased by anyone willing to pay the $995 price tag, including criminals.
“The toolkit performs a FireWire attack, which is not a particularly new threat to computers equipped with a FireWire interface. The interface was specifically designed to grant direct memory access for high speed video transfers. It didn’t take long for hackers to recognize FireWire ports had no authentication or OS control once a device is connected, which meant the ports made internal memory susceptible to external attacks”, Almer said.
“Passware’s toolkit attack on encryption keys can achieve the same result as a ‘cold boot’ attack, without the need to dismantle the computer or chill the memory. The attack delivers in minutes what would take a brute force attack on the AES256 encryption algorithm thousands of years to achieve”, he explained.