SubRosaSoft announced the release of MacLockPick recently. It’s supposedly a product for law enforcement agencies (supposedly, because there is no ‘try before you buy’ – quite a jump to take for a 600-dollar app, cough, memory stick) and it’s claimed to ‘crack any password on a Mac’.
When you click past the all-too-speculative headlines on news websites, you quickly discover some facts about MacLockPick: 1.) Its entire working is apparently based, according to their site, on the OS X keychain's default setting of being ‘open’ for use. This means anyone serious enough about computer security will be able to harden themselves against it. To quote SubRosaSoft:
MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep. It also makes use of the openly readable settings files used to keep track of your suspect’s contacts, activities and history. These data sources even include items that your suspect may have previously deleted or has migrated from previous Mac OS X computers.
Oh my, we got a disaster on our hands! Macs are insecure by default! Want to prevent nasty government agencies from stealing your keychain? Read up on UNIX. Oh yeah, that advice I gave about ten times in one of the most popular OS X security how-to’s on the web also stands; any standard non-admin user will not be able to get access to those logs.
While all these statements are made here, I can honestly say I don’t know how the supposed agencies will be able to simply parse the keychain passwords to disk. If you have the keychain open, and an application tries to fetch passwords, the Keychain Agent will ask you if you want to allow access. I suppose one could automate with OSA to just ‘allow everything’, but that would really mean our implementation of the Keychain is flawed. You could also think in the sense of the InputManagers and other injection hacks that can replace such system services with their customized code (actually working example at the bottom of the page). Anyway, I’d love to get my hands on this software to see if it exploits a fundamental weakness in OS X. I am still quite sure, however, that if you follow the advice I have given in my how-to, there won’t be a slim chance in hell that MacLockPick is able to retrieve a single password from your computer. They’d have to bruteforce it.
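To check the default the quoted claim relies on (a keychain that stays open, even across sleep), here is an added example that is not from the original post or from SubRosaSoft. It audits the lock-on-sleep and idle-timeout settings reported by the security command-line tool; the one-line output format it parses, the sample line in the comments and the 300-second policy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the keychain settings that decide whether a keychain
# stays unlocked while the Mac sleeps or sits idle.
#
# Assumed input: the single line printed by `security show-keychain-info`,
# e.g. (constructed sample, not captured from a real machine):
#   Keychain "/Users/alice/Library/Keychains/login.keychain" no-timeout

# Prints "hardened" or a space-separated list of findings.
# Returns 0 only when the keychain locks on sleep and after a short idle time.
audit_keychain_line() {
    flags=${1##*\"}          # drop everything up to the closing quote of the path
    max_timeout=${2:-300}    # assumed policy: lock after at most 300 s idle
    findings=""

    case "$flags" in
        *" lock-on-sleep"*) ;;
        *) findings="no-lock-on-sleep" ;;
    esac

    case "$flags" in
        *" no-timeout"*) findings="$findings no-timeout" ;;
        *" timeout="*)
            t=${flags##* timeout=}   # "300s"
            t=${t%%s*}               # "300"
            case "$t" in
                ''|*[!0-9]*) findings="$findings unparsed-timeout" ;;
                *) [ "$t" -le "$max_timeout" ] || findings="$findings timeout-too-long" ;;
            esac ;;
        *) findings="$findings unparsed-timeout" ;;
    esac

    findings=${findings# }
    if [ -z "$findings" ]; then echo "hardened"; return 0; fi
    echo "$findings"
    return 1
}

# Live check, only where the macOS `security` tool exists (default keychain).
if command -v security >/dev/null 2>&1; then
    info=$(security show-keychain-info 2>&1) || info=""
    audit_keychain_line "$info" ||
        echo "fix: security set-keychain-settings -l -u -t 300" >&2
fi
```

The suggested fix uses the tool's own options: -l locks the keychain when the system sleeps, and -u with -t locks it after the given number of idle seconds.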