COMMAND
FWB
SYSTEMS AFFECTED
Mac OS
PROBLEM
Following is based on L0phT Security Advisory by Space Rogue. FWB
Hard Disk Toolkit 2.5 allows users to password protect hard drive
volumes. This password has to be entered when the hard disk
driver loads in order to allow the volume to mount. Failure to
enter this password prevents the volume from mounting and
therefore prevents access to the data on the device.
By forcibly replacing the FWB driver with a different driver it is
possible to access the data on the password protected volume
without knowing the password. Most Macintosh hard drive
formatting utilities will allow you to replace the FWB passworded
driver. However they will also make any data on the drive
unreadable without advanced data recovery software (Norton Volume
Recover etc.). If the FWB driver is replaced with La Cie
Silverlining then it is possible to bypass the password and still
access the data. L0pht testing procedure utilized a Quadra 610
24/230, Mac OS 8.0, FWB Hard Disk Tool Kit 2.5, La Cie
Silverlining 5.8.3, and an External 160MB SCSI IBM H3171-S2 hard
drive.
L0pht test drive was first low level formatted with FWB and a
read/write password was assigned. Then about 10MB of various
files where copied onto it as our test data. The machine was then
powered down and rebooted. Upon boot up the system prompted us
to enter the password. This enabled the system to mount the drive.
L0pht then launched Silverlining and updated the driver.
Silverlining did not complain about doing this except to give us
the standard dire warnings about possible data loss. Again we
powered down and rebooted. This time no password was asked for
and the volume mounted successfully with all of its data intact.
The previous steps where repeated ten times with no discernible
differences.
L0pht tried various other hard drive formatting utilities in
addition to Silverlining such as SCSI Director Pro, Anubis and
others. While some of these other utilities where able to replace
the FWB driver access to the data was lost. Silverlining is unique
in that attempts to preserve data integrity while replacing
the driver, other utilities do not take data preservation into
account.
L0pht would like to acknowledge J. Claymore who first mentioned
this problem some time ago which made this advisory possible.
SOLUTION
Users should be aware that using a driver level password to
protect data is not always a guarantee that your data is safe from
prying eyes. The previous example can be accomplished in under
five minutes with a medium sized drive and only requires that the
malicious user have a bootable floppy disk with Silverlining on
it. Ten minutes of unsupervised access to the target machine is
all that is required.
FWB gives users six options when applying a password to a volume;
None, Read, Read/Write, Encryption Level 1, Encryption Level 2,
and Encryption Level 3. Using one of the encryption options
would possibly allow for greater security. The disadvantage is
that using one of the encryption options greatly slows down the
speed at which your machine can read and write data as it does its
encryption/decryption on the fly. (It is not the purpose of this
advisory to determine if FWBs encryption implementation is any
better or worse than its password implementation).
Numerous hard drive formatting utilities allow the setting of a
password similar to FWB. Unfortunately L0pht do not have the time
to test them all. It should therefore not be assumed that all
other driver level passwords are secure.