I’ve successfully created a Python script which can extract username and login password from a mac running OS X tiger (going to test with leopard asap) via firewire using a linux laptop, based on great paper Hit By A Bus: Physical Access Attacks with Firewire by Adam Boileau. Once the attackers Linux laptop is connected to target machine via firewire, the password can be automaticly extracted from memory via firewire in about 10 seconds.
This hack exploits the fact that OS X keeps username and password in memory, even after a macbook is resumed from hibernation. Usin this technique a cracker can open the screen of a suspended macbook, wait until the unlock screen is displayed, plugin the linux laptop used for the attack to the firewire bus and run the password download script which extracs the password in under ten seconds.
The username and password is located in a memory page which can be identified by multiple static byte sequences. One of these sequences is a string dsAttrTypeStandard:UserShell which is located 1448 bytes from the start of the memory page. The attacker can simply iterate over every memory page and to look if this string exists 1448 bytes from the start of the memory page being iterated. Once this memory page has been identified and downloaded the script searches for string username inside this page. The actual username is a null ending string which starts at starting_offset_of_username_string + 12 bytes. The password can be found by searching string password and retrieving the actual password at starting_offset_of_password_string + 12 bytes.
This attack is very dangerous because it allows the attacker to gain access to a mac which is turned of into hibernation or suspend-to-disk mode. As Maximillian Dornseif presented in his keynote 0wned by an iPod the attacker can install Linux to a normal iPod and setup needed programs to implement a firewire memory attack. This means that the attacker needs just to carry an ipod with him, which is much less prone to attract security aware personels. Just wait for a goot moment, insert an iPod from your pocket into the target mac and login within a few seconds with the password you just extracted from the target machine memory.
EDIT: Some people have asked if similar attacks works in other operating systems. The answer is yes. I can also bypass a Windows XP SP2 login screen, just for an example. This was already proven by Adam Boileau last year (check out the link on the first chapter)
Quite interesting, seems to provide a nice and easy way to hack into a macbook in a short moment.
Does running with “secure memory” turned on eliminate this attack?
No – there is no such thing as secure memory – only secure swap space.
Discussion of this sort of Firewire DMA “feature” dates back years. I read a posting that Firewire DMA access was disabled on machines where an open firmware password was in use. I wonder if that still applies, and how it affects use of Firewire.
http://rentzsch.com/macosx/securingFirewire
Would it be possible for someone to acquire a copy of your Python script?