Without the MacOS update released this week, Apple’s disk encryption can be easily defeated by connecting a specially crafted device to a locked Macbook.
The attack is possible because devices connected over Thunderbolt can access the computer’s RAM directly before the OS is started through the direct memory access (DMA) feature. The DMA mechanism is typically used by disk drive controllers, graphics cards, network cards, and sound cards because accessing the memory through the CPU would otherwise keep the processor busy and unavailable for other tasks.
Apple’s MacOS has DMA protections, but they only kick in when the OS is running. However, the EFI (Extensible Firmware Interface)—the modern BIOS—initializes Thunderbolt devices at an early stage in the boot process and this enables them to use DMA before the OS is started, security researcher Ulf Frisk said in a blog post.