Do not leave your Mac in sleep mode
A device called PCILeech available in the online stores allows you to unlock and decrypt the files on your Mac simply by connecting to the computer via Thunderbolt interface.
Vulnerability in proprietary system file encryption FileVault2, which is used in macOS, allows hackers to obtain the password and thus have access to all files on the computer. For this to sleep or locked Mac, just connect the gadget cost $ 300.
“Simply connect to Mac blocked by inserting a Thunderbolt device, force a reboot (ctrl+cmd+power) and wait like less than 30 seconds, the password will appear on the screen!” he said Ulf frisk.
How figured out the experts, the Mac does not protect itself from attacks by direct memory access DMA to run macOS. In the early stages of EFI activates Thunderbolt, which allows malicious devices to read and write memory. The attack takes less than 30 seconds, says the expert.
The second problem lies in the fact that the FileVault password stored in memory in plain text and it is not cleared automatically, in case unlock the drive. It moves when you restart, but within a fixed range of memory, making the goal more accessible.
Security update macOS Sierra 10.12.12 closed this method of hacking a Mac. If you have not updated your computer to the latest version, you definitely should.