Posted on August 29th, 2013 at 4:38 PM EST
I’ve said it before, and I’m sure I’ll say it again more than once: someone with physical access to your Mac can do just about anything they like. There are, of course, limitations to that, but this topic comes up now because the creators of Metasploit have given the Mac community a bit of a poke. By adding an exploit module for it to their penetration testing framework, they have reminded us of a 5-month-old bug in the system that could give an attacker unrestricted access to your machine.
There are some conditions that have to be satisfied, of course. First, the attacker must have physical access to your computer (or remote shell access that they have already been granted somehow). Second, you must have successfully run a “sudo” command in the Terminal at some point in time from an admin user account. (One time is enough, and many people will forget about running that arcane Terminal command they found on some web site a while ago.) Third, that admin user must be logged on, or the attacker must be able to get logged on as that user (because of automatic login, or by knowing or guessing the password, for example).
If these conditions are satisfied, it is truly a trivial matter for the attacker to get full sudo access, without a password. This gives the attacker “root” permissions, meaning that they can do anything they like, including stealing data, installing back doors, modifying the system, etc. With root permissions, all files on the hard drive are fully accessible and new files can be created anywhere.
Obviously, this is bad. Obviously, this is a bug that should have been squashed months ago. What’s not so obvious, perhaps, is how to fix the problem. The bug itself can only be addressed by Apple, and there’s no really good way for the average user to fix the issue themselves. Perhaps the most important thing is to be sure that your admin user account has a strong password, and that it’s not set to log in automatically. (In Mountain Lion, open System Preferences -> Users & Groups and click the Login Options button. Be sure Automatic Login is set to Off.)
This is not a reliable solution on its own, since an attacker with physical access can still reset your password and gain access that way. The change would be noticeable, since you would no longer be able to log in with your usual password, but many would shrug that off as an odd computer foible and forget about it. To prevent this from happening, you could set a firmware password on your computer, which will prevent it from starting up from any other startup disk (including the built-in recovery disk) without that password. That will prevent password resets, among other things (such as unrestricted access to your files and folders gained by booting from a system on an external hard drive, which could give almost equivalent access without relying on this particular bug).
Unfortunately, this still isn’t a bulletproof solution. For those who may fall victim to particularly tenacious hackers, you need to protect against the possibility that the hard drive could be removed and placed in another computer – one with no firmware password – and the reset performed there. (Alternately, the drive could be connected as an external drive and full access to the file structure could, again, be gained that way.) The only way to prevent this sort of thing is to apply some kind of encryption, such as FileVault, to your hard drive. (This will also prevent user account password resets.) As long as your entire hard drive is encrypted, and the admin user account cannot be accessed, no amount of monkey business will give an attacker access to your data or your system.
So, in short, those concerned about such things must use strong passwords, with no automatic login, enable a firmware password and use FileVault to encrypt the whole drive. That should make you pretty safe… provided you haven’t captured the interest of someone sophisticated enough to modify your computer’s hardware for malicious purposes! In a case like that, you need to prevent physical access at all costs, by keeping the machine with you or locked up and inaccessible at all times, and nothing short of that will suffice.
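As an added example (not part of the original post, and not a tool from The Safe Mac), here is a small shell audit that checks the mitigations listed above from the Terminal: automatic login, FileVault, the firmware password, and whether a sudo timestamp already exists for the current user (the second precondition in the post). The check functions take their inputs as arguments so they can be exercised with constructed data; the `audit` wrapper at the bottom feeds them the real values on a Mac. The paths (`/etc/kcpassword`, `/var/db/sudo`, the loginwindow preference) and the command output strings (`fdesetup status`, `firmwarepasswd -check`) are assumptions to confirm on your own OS X version; `firmwarepasswd` does not exist on Mountain Lion, where the firmware password is set from the Firmware Password Utility in Recovery.

```sh
#!/bin/sh
# Added audit script; not from The Safe Mac post. Paths and output formats
# are assumptions about OS X and should be verified on the target release.

# Automatic login is on if loginwindow names an autoLoginUser or the
# obfuscated password file (assumed: /etc/kcpassword) exists.
autologin_enabled() {            # $1 = autoLoginUser value ("" if unset), $2 = kcpassword path
    [ -n "$1" ] || [ -f "$2" ]
}

# "fdesetup status" prints "FileVault is On." when the boot volume is encrypted.
filevault_on() {                 # $1 = output of: fdesetup status
    case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}

# "firmwarepasswd -check" (OS X 10.10 and later, run as root) prints
# "Password Enabled: Yes"; an empty string (tool missing) counts as not set.
firmware_password_enabled() {    # $1 = output of: firmwarepasswd -check
    case "$1" in *"Password Enabled: Yes"*) return 0 ;; *) return 1 ;; esac
}

# sudo keeps a per-user timestamp under its timestamp dir (assumed /var/db/sudo;
# "sudo -V" as root prints the real path). Its presence means the user has
# run sudo successfully before, which is precondition two in the post.
sudo_timestamp_present() {       # $1 = timestamp dir, $2 = user name
    [ -e "$1/$2" ]
}

# Runs all four checks, prints findings to stderr and the finding count to stdout.
audit_findings() {               # $1 autoLoginUser, $2 kcpassword path, $3 fdesetup output,
    n=0                          # $4 firmwarepasswd output, $5 timestamp dir, $6 user
    autologin_enabled "$1" "$2" && {
        echo "FAIL automatic login enabled: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser; sudo rm $2" >&2
        n=$((n+1)); }
    filevault_on "$3" || { echo "FAIL FileVault is off: sudo fdesetup enable" >&2; n=$((n+1)); }
    firmware_password_enabled "$4" || { echo "FAIL no firmware password (set one from Recovery)" >&2; n=$((n+1)); }
    sudo_timestamp_present "$5" "$6" && {
        echo "WARN sudo timestamp exists for $6 (sudo -K removes it until the next sudo)" >&2
        n=$((n+1)); }
    echo "$n"
}

# Real-machine wrapper. /var/db/sudo is readable only by root, so run this as
# root to get a meaningful timestamp check; note that invoking it via sudo
# itself creates a timestamp, so follow up with "sudo -K" if you do.
audit() {
    user=${SUDO_USER:-$(id -un)}
    alu=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)
    fv=$(fdesetup status 2>/dev/null)
    fw=$(firmwarepasswd -check 2>/dev/null)
    findings=$(audit_findings "$alu" /etc/kcpassword "$fv" "$fw" /var/db/sudo "$user")
    echo "$findings finding(s) for $user"
    [ "$findings" -eq 0 ]
}

case "${1:-}" in --run) audit ;; esac
```

Run it on a Mac with `sudo sh audit.sh --run`, then `sudo -K`. An exit status of 0 means none of the three configuration checks failed and no timestamp was found; it says nothing about the bug itself, which only Apple can patch, so treat it as a checklist for the mitigations in this post rather than proof of safety.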