The researchers found that FileVault 2 on its own is relatively secure compared to competing encryption techniques. Assuming a strong password, it would take up to 230 seconds, or 34 years to break into a FileVault encrypted volume with a brute force attack.
However, the security of the encrypted volume is only as good as the password used to protect it. Assuming a six character common word password, FileVault 2 can be breached in as little as 5.6 hours.
In addition to testing FileVault’s efficacy, the researchers successfully created a new method of decrypting a FileVault-encrypted volume without employing Apple’s proprietary decryption method. This new method requires access to the user’s password or FileVault recovery token, and so does not by itself pose a security threat, but it may lay the groundwork for further deconstruction of Apple’s encryption method and could eventually lead to a FileVault security breach.
The researchers were able to circumvent FileVault’s own decryption scheme due to the fact that, in order for the volume to be decrypted, some information on the disk must remain separate from the encrypted volume to serve as the key for unlocking the data. This separate key is unlocked with a user password and then goes on to unlock the volume.
Using an algorithm to derive the decryption key, the researchers successfully decrypted the volume without using Apple’s FileVault process. As mentioned above, the user password or FileVault recovery password (which is generated when a user activates FileVault for the first time) is still required to complete the decryption
Now that researchers no longer need Apple’s FileVault decryption scheme, however, FileVault encrypted volumes can be accessed from other computers—such as those of a hacker or forensic scientist—and potentially decrypted. Further, the method developed here may lead to advancements in which the user password is not needed at all for decryption.
This recent FileVault research is separate from the work done earlier this year by password recovery company Passware. Passware was able to break FileVault’s security by performing an analysis of a Mac via a FireWire or Thunderbolt connection and obtaining the decryption keys from system memory.
While the Passware breach was important for the security of all FileVault users, it was only possible if the attacker had physical access to the Mac and the user had already logged in. From there the decryption key, which is stored in memory so that it can decrypt files as needed, could be copied, a scenario that is unlikely for those Mac users who have automatic login disabled.
FileVault 2 has proven itself to be safer and more effective than its predecessor, which only encrypted the user’s home folder, but no encryption can remain completely secure indefinitely.
Teaser graphic via Shutterstock.