Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Forensics vendor warns Mac OS X FileVault vulnerable to decryption

Passware, a vendor of forensics tools for recovering data for law enforcement, has issued a warning that its forensics tools can bypass the security of FileVault disk encryption in Mac OS X if the computer is left powered on, recovering decryption keys from memory.

While catering to law enforcement, the company issued a warning to home users "of the vulnerabilities of Mac encryption solutions and advises users to shut down their computers especially when working with confidential data."

When a system using full disk encryption is powered on, even if the disk is later left encrypted its contents can reportedly be recovered by analyzing the data stored in memory, which Passware notes includes the keys to decrypt FileVault.

The company says its process for decrypting a FileVault disk "takes no more than 40 minutes – regardless of the length or complexity of the password."

Passware's president Dmitry Sumin stated in a release that "live memory analysis opens up great possibilities to password recovery and decryption. Every user should be aware that even full disk encryption is insecure while the data rests in computer memory."

The company earlier explained that the security risk is easy to overcome by simply turning off the computer instead of putting it to sleep, and disabling the "Automatic Login" setting. This way, passwords will not be present in memory and cannot be recovered.

Sumin wrote last summer, "I am a Mac user myself, but it's important to understand the limitations of your computer's security, even if you are not a computer forensics expert. If data stored is confidential, it is important to ensure physical security of the computer. One might also consider using additional encryption software."

Obtaining Mac passwords costs more

In addition to Mac OS X Lion's FileVault, the company says its forensics tools can decrypt Microsoft's Windows 7 BitLocker and the cross platform TrueCrypt full disk encryption solution, indicating that the problem isn't unique to Apple.

The company, based in Moscow Russia with offices in Mountain View, California, sells its Passware Kit Forensic for $995 with a year's worth of updates. It says the product can recover hashed passwords with Rainbow Tables, extract passwords from the Mac Keychain, and build a password list from words detected in computer memory to perform a Dictionary attack.

The company describes the product as being "the first and only commercial software that decrypts BitLocker and TrueCrypt hard disks, and instantly recovers or bypasses Mac and Windows login passwords of seized computers."

The company also sells a $39 tool to "quickly and easily reset Windows login passwords in a matter of minutes," as well as a $79 package that "recovers passwords for Microsoft Office files, Acrobat documents, email accounts, network connections, Zip and Rar archives and local Windows Administrator" accounts on workstations and servers running Windows 7/vista/SP/2000/NT.