|
Vulnerability FWB Affected Mac OS Description Following is based on L0phT Security Advisory by Space Rogue. FWB Hard Disk Toolkit 2.5 allows users to password protect hard drive volumes. This password has to be entered when the hard disk driver loads in order to allow the volume to mount. Failure to enter this password prevents the volume from mounting and therefore prevents access to the data on the device. By forcibly replacing the FWB driver with a different driver it is possible to access the data on the password protected volume without knowing the password. Most Macintosh hard drive formatting utilities will allow you to replace the FWB passworded driver. However they will also make any data on the drive unreadable without advanced data recovery software (Norton Volume Recover etc.). If the FWB driver is replaced with La Cie Silverlining then it is possible to bypass the password and still access the data. L0pht testing procedure utilized a Quadra 610 24/230, Mac OS 8.0, FWB Hard Disk Tool Kit 2.5, La Cie Silverlining 5.8.3, and an External 160MB SCSI IBM H3171-S2 hard drive. L0pht test drive was first low level formatted with FWB and a read/write password was assigned. Then about 10MB of various files where copied onto it as our test data. The machine was then powered down and rebooted. Upon boot up the system prompted us to enter the password. This enabled the system to mount the drive. L0pht then launched Silverlining and updated the driver. Silverlining did not complain about doing this except to give us the standard dire warnings about possible data loss. Again we powered down and rebooted. This time no password was asked for and the volume mounted successfully with all of its data intact. The previous steps where repeated ten times with no discernible differences. L0pht tried various other hard drive formatting utilities in addition to Silverlining such as SCSI Director Pro, Anubis and others. While some of these other utilities where able to replace the FWB driver access to the data was lost. Silverlining is unique in that attempts to preserve data integrity while replacing the driver, other utilities do not take data preservation into account. L0pht would like to acknowledge J. Claymore who first mentioned this problem some time ago which made this advisory possible. Solution Users should be aware that using a driver level password to protect data is not always a guarantee that your data is safe from prying eyes. The previous example can be accomplished in under five minutes with a medium sized drive and only requires that the malicious user have a bootable floppy disk with Silverlining on it. Ten minutes of unsupervised access to the target machine is all that is required. FWB gives users six options when applying a password to a volume; None, Read, Read/Write, Encryption Level 1, Encryption Level 2, and Encryption Level 3. Using one of the encryption options would possibly allow for greater security. The disadvantage is that using one of the encryption options greatly slows down the speed at which your machine can read and write data as it does its encryption/decryption on the fly. (It is not the purpose of this advisory to determine if FWBs encryption implementation is any better or worse than its password implementation). Numerous hard drive formatting utilities allow the setting of a password similar to FWB. Unfortunately L0pht do not have the time to test them all. It should therefore not be assumed that all other driver level passwords are secure.