With the debug option enabled in FileVault, passwords are saved in plain text in a log file outside the encrypted region, meaning that anybody with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk.
FileVault 2, which encrypts the whole contents of the hard drive, is fine; the bug affects anybody who upgraded to Lion but carried on using the older version of FileVault.
With Mac OS X version 10.7.3 released at the start of February, this means that more than 2 months' worth of data could be open for all to see.
The flaw was reported on Friday by security researcher David Emery, who says that it is even worse than it appears.
The log in question can also be read by booting the machine into FireWire disk mode and opening the drive as an external disk, or by booting the Lion recovery partition and using the available root shell to mount the main file system partition and read the file.
This would allow someone to break into encrypted partitions on machines for which they had no knowledge of any login password.
It is possible to disable FileVault and turn on FileVault 2, after which a change of password should restore security, as long as the original password has been completely erased.
This illustrates a very important point about encryption. While choosing a secure algorithm is important, it is rarely the most important issue. How products store, manage and secure keys and passwords is the most common failure point in ensuring data protection, says Chester Wisniewski of security firm Sophos.
This incident demonstrates the importance of implementation over technical arguments like key strength and password complexity. That Apple promises AES encryption means nothing if it chooses to store your password in an easily accessible log file.
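The failure described above is a logging defect, not a cryptographic one: a debug path wrote the credential itself into a log outside the encrypted volume. The following Python example, added here and not part of the original article or of Apple's code, shows the two defensive controls a product team would want for this class of bug: a `logging` filter that redacts values following password-like keys before they reach any handler, and a scanner that flags existing log lines that already contain such values. The key names, the regular expression and the sample log lines are constructed for this example and are not taken from the article.

```python
import io
import logging
import re

# Constructed list of field names whose values must never reach a log.
SECRET_KEYS = ("password", "passwd", "pwd", "secret", "token")

# Matches "<key>=<value>", "<key>: <value>" or "<key> <value>"; the value may be
# a quoted string or a single unquoted token. Case-insensitive on the key.
_SECRET_RE = re.compile(
    r"(?i)\b(" + "|".join(SECRET_KEYS) + r")\b(\s*[:=]\s*|\s+)(\"[^\"]*\"|'[^']*'|\S+)"
)


def redact(text: str) -> str:
    """Replace the value following a secret-looking key with a fixed marker."""
    return _SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Logging filter that rewrites the fully formatted message before any
    handler writes it out, so a debug statement cannot leak a credential."""

    def filter(self, record: logging.LogRecord) -> bool:
        # getMessage() applies %-style args; store the redacted result and
        # drop the args so the formatter does not re-apply them.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def demo_logger_output(fmt: str, *args) -> str:
    """Emit one DEBUG record through a logger fitted with RedactingFilter and
    return exactly what the handler wrote (captured in memory for the demo)."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("example.auth")  # hypothetical logger name
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.debug(fmt, *args)
    return stream.getvalue().strip()


def find_leaks(lines):
    """Return (line_number, line) for every line that appears to carry a
    plaintext secret; used to audit logs that were written before the filter
    existed, i.e. the situation the article describes."""
    return [(i, line) for i, line in enumerate(lines, 1) if _SECRET_RE.search(line)]


# Constructed sample log lines; line 2 imitates a debug path that logged the
# password, line 3 a token written in quotes.
SAMPLE_LOG = [
    "May 04 10:12:01 host authd[42]: session opened for user alice",
    "May 04 10:12:01 host authd[42]: DEBUG: password=hunter2 accepted",
    "May 04 10:12:02 host authd[42]: token = 'abc123' issued",
]

if __name__ == "__main__":
    print(demo_logger_output("user=%s password=%s", "alice", "hunter2"))
    for number, line in find_leaks(SAMPLE_LOG):
        print(f"line {number} leaks a secret: {redact(line)}")
```

The filter sits on the handler rather than on individual call sites, so a new debug statement added later is covered without anyone remembering to scrub it; `find_leaks` is the retrospective check to run over logs that predate the fix, which is the only way to know what must be erased before a password change actually restores security.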