
I recently sent my MacBook (running Catalina) for repair to a licensed Apple service provider. The whole thing was simple (replacing one key cap) and took about 5 minutes or so. But I forgot to shut down the MacBook and only put it on the lock screen. I have FileVault enabled.

Is it possible for my data to be breached in that scenario? My understanding is that FileVault only protects your data by requiring you to enter your login password when you start up the drive. It sounds like once you have logged into the computer (even if it is now on lock screen), the data is decrypted and vulnerable to unauthorized access?

Thanks in advance!

Jason Ye
  • Is it possible? Yes. One example of a device that can be used to compromise a locked device is [PoisonTap](https://samy.pl/poisontap/). It requires physical access but allows you to install a backdoor webshell on the machine if it has a browser opened. The chance that this happened though? Slim. I wouldn't be overly concerned about this as it's quite unlikely outside of a targeted scenario. – ExecutionByFork Dec 04 '19 at 22:49

2 Answers


I don't have detailed information on FileVault, but all FDE (Full Disk Encryption) schemes perform best when the computer is cold, namely shut down completely.

FileVault suffers the same weaknesses as other FDE schemes such as MS BitLocker and LUKS: while the secret key is stored in RAM, an attacker with appropriate tooling may reset the CPU and dump RAM contents before the content vanishes. This is no simple thing to do, especially when hardware is compact enough. But it is very well documented as a weakness of FDE.

Please note: data is always stored encrypted on disk. The data is not decrypted after boot. FDE decrypts only the data it needs every time, and decrypts that into RAM. Swapping a spinning disk has no effect with regards to security.

You said the tech took 5 minutes to replace the key. I don't have a record of how much time it takes to perform the hot boot attack, but data being volatile in RAM is a matter of time.

I would be very confident that either:

  • The tech just did his job and replaced the hardware keyboard honestly
  • In the back of the tech shop there were two techs paid by some government agency: one actually replaced your keyboard, the other was working to spoof national-security secrets (i.e. I am currently responding to a diplomat, a prosecuted national hero, a wanted terrorist or a mafia...) within 5 minutes of your arrival. They knew you were coming to that shop, they broke your keyboard on purpose to have you there, that day, that time. Mr. Bond would be a little surprised.

In short: I am confident your data is safe. Bomb me if I am wrong.

usr-local-ΕΨΗΕΛΩΝ
  • Thanks a lot for the detailed answer. But correct me if I am wrong. Although they only had it for 5 minutes, it is possible within that timeframe to complete the cold boot attack, obtain my encryption key from RAM and access the computer, right? From what I have read, if you have the appropriate tools (e.g. a USB drive with a simple operating system), you can gain access within a few minutes. But your response does make me feel more reassured, thanks a lot! – Jason Ye Dec 04 '19 at 12:30
  • In practice, you have a short time to conduct a hot boot attack. Note: I am currently confused by the wording. I know "cold boot attack" as the reference, but really in this case, in my personal opinion, it should be worded "hot" boot attack because the RAM is still "hot". We are still talking about the same thing. – usr-local-ΕΨΗΕΛΩΝ Dec 04 '19 at 12:36
  • My understanding is that it is 'cold boot attack' because you are forcing the shutdown of the computer via the power button rather than via the usual way of going 'apple icon → shut down'. – Jason Ye Dec 04 '19 at 12:45
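
A defensive check for the condition the answer above describes (the FileVault key staying in RAM while the Mac is not shut down), as an added example that is not part of the original thread: it reads text in the shape of `pmset -g` output plus the `fdesetup status` line and reports whether sleep evicts the key. The function names, verdict strings and sample settings are constructed for illustration, and the classification is a reading of the `pmset` man page entries for `destroyfvkeyonstandby` and `hibernatemode`.

```shell
# Added example (not from the original thread).
#   stdin: text in the shape of `pmset -g` output
#   $1   : the line printed by `fdesetup status`
# On a real Mac: pmset -g | fv_key_exposure "$(fdesetup status)"
# A Mac that is awake at the lock screen always has the key in RAM;
# these settings only matter once it sleeps.

# Print the value of one pmset setting (name matched case-insensitively).
pmset_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

fv_key_exposure() {
    fde_status=$1
    settings=$(cat)
    case $fde_status in
        *"FileVault is On"*) ;;
        *) echo "DISK_NOT_ENCRYPTED"; return 0 ;;
    esac
    destroy=$(printf '%s\n' "$settings" | pmset_value destroyfvkeyonstandby)
    hib=$(printf '%s\n' "$settings" | pmset_value hibernatemode)
    if [ "${destroy:-0}" != "1" ]; then
        # Man page default: the key is retained when entering standby.
        echo "KEY_RETAINED_IN_RAM"
    elif [ "${hib:-3}" = "25" ]; then
        # Mode 25: memory is written to disk and RAM is powered off on sleep.
        echo "KEY_EVICTED_ON_SLEEP"
    else
        # Assumption: RAM stays powered during ordinary sleep, so the key
        # is destroyed only when the machine later enters standby.
        echo "KEY_EVICTED_AFTER_STANDBY_DELAY"
    fi
}

# Constructed sample: settings without any hardening applied.
SAMPLE_DEFAULT=' hibernatemode        3
 standbydelay         10800
 standby              1'
# Constructed sample: key destruction enabled and sleep forced to hibernate.
SAMPLE_HARDENED=' hibernatemode        25
 DestroyFVKeyOnStandby 1
 standby              0'

printf '%s\n' "$SAMPLE_DEFAULT"  | fv_key_exposure "FileVault is On."
printf '%s\n' "$SAMPLE_HARDENED" | fv_key_exposure "FileVault is On."
```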

A lock screen only protects against direct access with the keyboard. If an attacker can get access some other way, they have access to the still unencrypted data. One attack might be, for example, plugging in a USB device that either exploits a bug in the kernel (for example by using a corrupt file system) or emulates a network card. For more, see "BAD USB attack possible while screen is locked?".

Steffen Ullrich