28 Apr Debunking MacLockPick.
Category: Unfiled

SubRosaSoft announced the release of MacLockPick recently. It’s supposedly a product for law enforcement agencies (supposedly, because there is no ‘try before you buy’ – quite a jump to take for a 600-dollar app, cough, memory stick) and it’s claimed to ‘crack any password on a Mac’.

When clicking further than the all-too-speculative headlines from news websites, you quickly discover some facts about MacLockPick: 1.) Its entire working is apparently based, according to their site, on the default setting of the OS X keychain being ‘open’ for use. This means anyone serious enough about computer security will be able to harden themselves against it. To quote SubRosaSoft:

MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep. It also makes use of the openly readable settings files used to keep track of your suspect’s contacts, activities and history. These data sources even include items that your suspect may have previously deleted or has migrated from previous Mac OS X computers.

Oh my, we got a disaster on our hands! Macs are insecure by default! Want to prevent nasty government agencies from stealing your keychain? Read up on UNIX. Oh yeah, that advice I gave about ten times in one of the most popular OS X security how-to’s on the web also stands; any standard non-admin user will not be able to get access to those logs.

While all these statements are made here, I can honestly say I don’t know how the supposed agencies will be able to simply parse the keychain passwords to disk. If you have the keychain open, and an application tries to fetch passwords, the Keychain Agent will ask you if you want to allow access. I suppose one could automate with OSA to just ‘allow everything’, but that would really mean our implementation of the Keychain is flawed. You could also think in the sense of the InputManagers and other injection hacks that can replace such system services with their customized code (actually working example at the bottom of the page). Anyway, I’d love to get my hands on this software to see if it exploits a fundamental weakness in OS X. I am still quite sure, however, that if you follow the advice I have given in my how-to, there won’t be a slim chance in hell that MacLockPick is able to retrieve a single password from your computer. They’d have to bruteforce it.
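As a check on the "open even after sleep" state quoted above, here is an added example (not from the original post or from SubRosaSoft) that audits the settings line printed by `security show-keychain-info`. The line format, the 600-second policy limit and the sample lines are assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the settings line printed by
#   security show-keychain-info <keychain>
# Assumed format (the tool writes it to stderr):
#   Keychain "<path>" [lock-on-sleep] timeout=<N>s | no-timeout

MAX_TIMEOUT=600   # assumed policy: lock after at most 10 idle minutes

# audit_keychain_line LINE: prints findings; returns 0 if hardened, 1 if not
audit_keychain_line() {
    line=$1
    rc=0
    t=
    # Drop everything up to the closing quote of the path, so a path that
    # happens to contain "timeout=" cannot be mistaken for a setting.
    flags=${line##*\"}
    case " $flags " in
        *" lock-on-sleep "*) ;;
        *) echo "WEAK: keychain stays unlocked across sleep"; rc=1 ;;
    esac
    case $flags in
        *no-timeout*) echo "WEAK: no idle lock timeout"; rc=1 ;;
        *timeout=*)
            t=${flags##*timeout=}
            t=${t%%s*}
            case $t in
                ''|*[!0-9]*) echo "UNKNOWN: cannot parse timeout"; rc=1 ;;
                *)  if [ "$t" -gt "$MAX_TIMEOUT" ]; then
                        echo "WEAK: idle timeout ${t}s exceeds ${MAX_TIMEOUT}s"
                        rc=1
                    fi ;;
            esac ;;
        *) echo "UNKNOWN: unrecognised settings line"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: locks on sleep and after ${t}s idle"
    return "$rc"
}

# Constructed sample lines (not captured from a real machine).
OPEN_LINE='Keychain "/Users/alice/Library/Keychains/login.keychain" no-timeout'
HARDENED_LINE='Keychain "/Users/alice/Library/Keychains/login.keychain" lock-on-sleep timeout=300s'

audit_keychain_line "$OPEN_LINE" || true
audit_keychain_line "$HARDENED_LINE"

# On a Mac, feed it the real line:
#   audit_keychain_line "$(security show-keychain-info 2>&1)"
# and harden with (lock on sleep, lock after 300 s idle):
#   security set-keychain-settings -l -u -t 300 ~/Library/Keychains/login.keychain
```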


2 Responses

  1. Wow. I don’t get the idea of actually selling a program that has – supposedly – the ability to crack Keychain-stored passwords: isn’t this illegal anyway? I don’t really know about law enforcement’s policies in the US though…

    This is bad for OSX: feels a little less secure now…

    I guess I’ll wait for Cocoia Security expert to help me with my security!

  2. Trevor

    Typo: “It’s entire working” –> “Its entire working”
