Why Should You Enable FileVault 2?

Daniel Houghton

Web Application Tester

Daniel is a Web Application Tester here at Pentest People.

FileVault 2, Apple’s encryption program, offers whole-disk data protection in a way that is efficient, simple to implement and seamless to the user.

According to a 2018 survey by McAfee, the average consumer has 23 online accounts. In today’s world, it’s essential for even the most basic computer user to have strong (and unique) pass-phrases to keep their accounts and devices secure. Without the use of a password manager, it can be a daunting task to remember even a handful of these, let alone 23; and we’ve all had to use the ‘Forgot your Password?’ functionality at least once – but what can be done if you lose your password to something without such functionality? For example, your old MacBook.

I was recently presented with an old MacBook running macOS 10.13 High Sierra, for which any passwords had long since been forgotten, and tasked with regaining access. Not only was it possible to reset the administrator password and obtain access to the machine, the process was relatively straightforward, non-destructive and took only a few minutes. For some users, simply highlighting that booting the machine in ‘Single User Mode’ grants a root shell is all that needs to be said; however, for those desiring a little more explanation, in this blog I will break down the process and commands required to reset the admin (or any other) password on your old MacBook:

We begin by entering Single User Mode by rebooting the Mac and holding ⌘+s (command+s) until a command line appears.

By default, the root disk is mounted read-only. The user is prompted to run two commands to remount the disk with write permissions, which we will need in order to make the necessary modifications. First, the following command is used to check for and repair any filesystem errors:

– fsck -fy

Secondly, this command mounts the disk with writable permissions:

– mount -uw /

Next, we will need the administrator’s username. To find this, we can run the following command:

– ls /Users/

This output shows all the user accounts available on the mounted disk, including the account we are interested in: ‘Administrator’

We now have all the necessary information to change the administrator’s password; however, when running the command to do so, we receive the following error:

This error appears when a user tries to run the password command when Open Directory isn’t running.

This can be fixed by issuing the following command:

– launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist

The ‘passwd’ command can then be rerun and a new password entered:

– passwd Administrator

The final step is to restart the MacBook by holding down the power button or issuing the following command:

– reboot

The new user credentials can be used to log in to the machine as normal.

This procedure is even more straightforward on later versions of macOS.

Enter Recovery Mode by rebooting the Mac and holding ⌘+r (command+r) until the Apple logo appears.

Once macOS Utilities has loaded, from the menu bar at the top of the screen, select Utilities > Terminal. Once the terminal window has opened, issue the following command:

– resetpassword

The Reset Password function will then open in a new window, from which the desired user can be selected and their password reset.

Finally, the system can be rebooted by clicking the Apple logo in the top left corner and selecting Restart; after which the new credentials can be used to access the machine.

To answer the titular question of this blog: not only does FileVault 2 provide on-the-fly, full-disk encryption ‘to help prevent unauthorized access to the information on your startup disk’, it also provides a simple mitigation for the attack vectors above, because the user’s login password is requested before the machine’s disk can be decrypted and accessed in Single User or Recovery modes.
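To confirm that this mitigation is actually in place on a Mac, the following added example (not part of the original post) classifies the output of `fdesetup status` and fails unless the disk is fully encrypted. The function names are hypothetical, and treating any status that mentions "in progress" as not yet protected is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit FileVault state from `fdesetup status` output.
# Function names are hypothetical; sample inputs in the test are constructed.

# classify_filevault: read `fdesetup status` text on stdin and print one of
#   enabled | disabled | in-progress | unknown
classify_filevault() {
    fv_out=$(cat)
    case "$fv_out" in
        *"in progress"*)
            # Assumption: while encryption or decryption is still running,
            # the disk is not yet fully protected, so report it separately.
            echo "in-progress" ;;
        *"FileVault is On."*)
            echo "enabled" ;;
        *"FileVault is Off."*)
            echo "disabled" ;;
        *)
            # Empty or unrecognised output: never assume the disk is encrypted.
            echo "unknown" ;;
    esac
}

# audit_filevault: print the state and return 0 only when it is "enabled".
audit_filevault() {
    fv_state=$(classify_filevault)
    echo "FileVault state: $fv_state"
    [ "$fv_state" = "enabled" ]
}

# On a Mac, audit the live status. On other systems fdesetup does not exist
# and this step is skipped.
if command -v fdesetup >/dev/null 2>&1; then
    fdesetup status | audit_filevault ||
        echo "WARNING: password reset from Single User or Recovery mode is not blocked by disk encryption" >&2
fi
```

The non-zero return from `audit_filevault` makes it usable as a compliance check in a management script.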

Are the implications of having a default configuration that allows an attacker to change any user’s password in macOS somewhat concerning? Perhaps. Nonetheless, some readers will likely be happy to learn that their old MacBook does, in fact, have a ‘Forgot your Password?’ functionality.
