This post is obsolete and screenshots have been removed.
I first read about the MacLock Pick a little over a week ago. It was described as a USB thumbdrive that could be plugged into a Mac to extract passwords from a keychain along with other system information. The keychain is an app that holds passwords so a user doesn’t have to enter them all the time. While encrypted and password protected the keychain usually automatically opens and loads when a user logs on, although this behavior can be changed. The MacLockPick is sold by SubRosaSoft.
SubRosaSoft makes a big deal on their website that they’ll only sell it to licensed investigators and law enforcement officers. It sells for $500 with a 10% discount to law enforcement. This just didn’t seem right, and if it was right it was eventually going to be a big problem since it would only be a matter of time before the technique fell into the wrong hands. It’s a USB key so physical access is needed. But there must be more to it.
The SubRosaSoft website has this information…
MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep.It also makes use of the openly readable settings files used to keep track of your suspect’s contacts, activities and history. These data sources even include items that your suspect may have previously deleted or has migrated from previous Mac OS X computers.
and it adds
Recovers files from sleeping computers – Once awakened a Mac will return it’s keychain access levels to the default state found when it was initially put to sleep. Suspects often (and usually) transport portable systems in this sleeping state.
and the usage instructions begin
- Insert the MacLockPick flash drive into your suspect’s computer
- Double Click on the MacLockPick Application
So if we break this down:
Yes, the default state of the Apple keychain is open. For true security this can be changed so it closes after 30 minutes of non-use or even close after each access. Those settings can be annoying so it’s likely that the default of “open” would be used unless the person was truly security conscious. And, yes, if you have physical access to the computer you can read various log files and the unemptied trash. OS X does have a secure delete which overwrites files that are deleted. It doesn’t seem like MacLockPick deals with secure delete. It’s also unclear if the software actual tries to read the physical sectors of the hard disk to get the contents of the files. It sounds like it just reads the history of files used and deleted. All this will give is the file names.
But then we hit the real weakness of the product. All you need to do to stop anyone from using this product is enable the option
or enable the two lock options.
Any of these will require a password before giving access to the Mac so at this point there no way to double-click that icon until a password is entered. Oh wait, one more way to thwart the MacLockPick – turn off the Mac. Unless autologon is enabled the tool can’t be used. (And if autologon is enabled the tool isn’t needed.)
The program does the usual forensic stuff like not writing to the hard disk when it does it’s thing. It also automatically does everything so no OS X knowledge is needed. But is that worth $500? What their really seem to be promoting is a way to bypass security, just look at the name. They aren’t cracking any passwords or doing any magic. A non-security professional can get the same info under the same conditions.They just need to know how to start the keychain app and where files are located. Sure they automate it, but $500?
Sure, if the “suspect” isn’t security conscious at all you’ll be able to collect the information, but enabling any of these options makes the Mac more secure that that door you have to break through to secretly get to the Mac. Oh wait, maybe the door key is under the mat. I’m heading back to their website to see if they sell a tool to crack a doormat.