Security: 1Password vs. FireWire Password Hole

daraddishman

Just read http://finance.yahoo.com/news/All-It-Takes-Is-A-Firewire-siliconalley-2728780612.html?x=0&.v=1



Seems with some software and a firewire cable you can zip past password locks on a Mac and pull info including passwords out of a Mac.



Does 1Password help prevent this?

jpgoldberg

Hi daraddishman.



Welcome to the forums.



1Password does not prevent the Firewire exploit into the OS X kernel. Only an update from Apple will be able to fix that. (Well, maybe a third party kernel extension might be able to, but I doubt it).



But 1Password helps in another way. The particular attack gets at the users' login password and OS X keychain password (often the same thing.) This means that other passwords which are stored in the OS X keychain can be stolen. If you use 1Password you are less likely to have website password data stored in the OS X login keychain. But it would be going too far to suggest that 1Password protects you in these cases.



Note that your 1Password data are not at risk at all by this unless you store your 1Password master password in your login keychain. (That is, if you've set "Never prompt for master password")



An attacker needs physical access to a Mac running Lion with a Firewire port. And the victim must be logged in at the time. That combination places some practical limits on attacks agains the typical user. When desktop computers are stolen they are almost always powered down before the thief gets a change to play with it. This means that the victim will no longer be logged in when the machine is powered up again.



So most vulnerable are stolen MacBook Pros or those MacBooks with Firewire where the user was logged in when the machine was stolen. Also vulnerable would be those in situations, such as offices, where someone might try to gain information from a sleeping Mac without actually stealing the machine.



The general security advice, to turn off automatic Login, is good advice anyway. Here is what my [i]System Preferences > Security > General[/i] pane looks like on my MacBook Pro. (my desktop is still running Snow Leopard so that I can help people who haven't yet made the move.)



[img]http://i.agilebits.com/jg/Disable-auto-login-1-20110727-172312.png[/img]





This is a serious problem with OS X. Given how Firewire interacts with the system, I'm actually surprised that it took so long for a bug of this nature to turn up. (I can't wait for Thunderbolt to become more widespread.) I expect that Apple will have a fix for this fairly soon.



Cheers,



-j

daraddishman

Hey, awesome! Thanks for the speedy and full reply.

[Deleted User]

Hey daraddishman,



First, welcome to the Forums!



Second, on behalf of Jeff, you are very welcome! You've heard from AgileBits' chief security guru himself, and I could never hope to add more!



Cheers!



Brandt