MacLockPick: extract clear-text passwords from a sleeping Mac by plugging in a USB dongle.

The solution is based on a USB Flash drive that can be inserted into a suspect's Mac OS X computer that is running (or sleeping). Once the software is run it will extract data from the Apple Keychain and system settings in order to provide the examiner fast access to the suspect's critical information with as little interaction or trace as possible.

MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep. It also makes use of the openly readable settings files used to keep track of your suspect's contacts, activities and history. Once awakened a Mac will return it's keychain access levels to the default state found when it was initially put to sleep. Suspects often (and usually) transport portable systems in this sleeping state.

MacLockPick is not for sale to the general public. Purchasers will be required to provide proof that they are a licensed law enforcement professional. Users are required to ensure that the use of this technology is legal on federal, state, and local level.

Tags: , , ,

23 Responses:

  1. phoenixredux says:

    And can we expect that there will soon be an anti-lockpicking fix for the Macs?

    It's a good thing I run Windows systems that aren't prone to this kind of invasive hacking.

  2. magicpacket says:

    The investigation process is a simple 4-step procedure:

    MacLockPick inserted into a suspect's Macintosh computer.

    * Insert the MacLockPick flash drive into your suspect's computer
    * Double Click on the MacLockPick Application
    * Eject the MacLockPick flash drive from your suspect's computer
    * Return to the lab and investigate the data acquired and stored on the MacLockPick flash drive using the included program "KeyLog Reader". KeyLog Reader is shipped for Mac OS X, Microsoft Windows, and Linux.

    (emphasis mine)

    If you need to run their app by hand, that doesn't help you bypass a locked screensaver, so it's really just a data-gathering program (with some smarts to extract passwords from the keychain). Not much of a "MacLockPick" if it doesn't bypass a lock.

    It's possible they're just leaving out the part about bypassing the lock, but in that case, why wouldn't the autorun bit launch the main app?

    • inhumandecency says:

      Yeah, I saw this too. I can't figure out why they make such a big deal of the fact that keychains are unsecured while the computer is sleeping if you have to wake it up to extract the data. Perhaps the USB drive is somehow able to intervene and keep the keychain data from being resecured while the computer wakes up? And does it also circumvent the option to require a password upon awakening? If not, it sounds like the device is a total scam...

      I'm also suspicious of their claim that their software can grab the current user's login password. If I understand correctly, that password should never be stored *anywhere* in cleartext.

    • jwz says:

      Yeah, that's weird. I didn't read it very carefully. It starts off sounding like, "plug this into a sleeping laptop and it sucks the passwords out". But if you actually have to run an app on the desktop of the logged-in user, that's a whole lot less impressive.

  3. netik says:

    ooof, thanks.

    I just reconfigured my laptop's screensaver to require a password when I'm away. *paranoia*

    • sol3 says:

      Even more than that, what you want to do is open up keychain access - go into the edit menu and select "Change settings for keychain foobar" and then turn on the "lock when sleeping" options. If you really want to be paranoid, you can also have the keychain lock itself after X minutes of inactivity.

    • erg says:

      After reading an article about this on gizmag, I googled "Mac OS X locking system settings from usb drive" just to find out how to lock down not just the keychain, but also the preferences and such. It says it only works if someone has left the defaults alone, so it should be easy to defeat, perhaps more completely, with your hackintosh.

  4. andr00 says:

    MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep.

    I guess this is a way of positioning it to sound like an advantage, instead of saying, "If the system is actually shutdown, you're not going to be able to get into it."

    • jwz says:

      Yeah, but I don't think any Mac users actually shut down their laptops; they sleep well. And when the battery dies, they auto-sleep.

  5. djverablue says:

    this makes me happy that i have a PC for once...

    • duskwuff says:

      You say that as if you believe similar toolkits don't exist for Windows.

      • jeremiahblatz says:

        You say this as if you believe *far more effective* toolkits don't exist for Windows.

        Remember, kids, Firewire is basically a port hooked up toy your system's memory.

  6. noweb4u says:

    I'm surprised they don't just use the firewire port to grab a copy of system RAM. That would make far more sense.

  7. strangehours says:

    ...quite apart from the fact that if you've got physical access to a machine, there's really nothing to stop you from doing pretty much whatever you want...

    I'm not entirely sure that this will stack up to its claims. If you use to view passwords, unless you've selected 'always allow' previously, you have to type in your account password regardless of the lock status of the keychain (in fact if it's locked, you need to type your password twice). doing the same thing from the commandline with /usr/bin/security also pops up a dialog.

    SSHKeychain, which is good in and of itself, is configured by default to lock the keychain when the screensaver kicks in. It seems to also do it on system sleep, although I can't find a preference that controls that.

    Surely there are others?

    • jeremiahblatz says:

      Presumably you grab the encrypted values. That "Return to the lab and investigate the data acquired" step presumably involves a brute-force attack to crack the keychain password. (At least, I hope that Apple's smart enough to make the keychain rainbow-table-proof.)

      • strangehours says:

        If that's the case, then keychain status doesn't come into it; you just snarf ~/Library/Keychains/*.

  8. ilgazc says:

    I alerted some developer about a thing I saw on Internet claiming local hack of server. He said he will fix it just because he doesn't want his product to appear with security alerts when searched from google. The reason he didn't care too much? He said if there is a actual person sitting on your chair doing evil things, you have more serious problems rather than software security. :)