Questionable Security Outfit Won't Explain Shady Exploits

A couple of days ago we posted on the MacLockPick from security company SubRosaSoft. The device is a USB drive which supposedly compromises any Mac it is plugged into, grabbing passwords, internet histories of all kinds and lots of other sensitive information.

The post gave a fairly detailed account of how I thought this might work and how to easily prevent such an attack. I sent an email to the sales address on SubRosaSoft's site and got a reply from the CEO, Marko Kostyrko. While courteous, he refused to discuss the product and would only offer an in person demonstration with representatives from Apple also in attendance.

Why? Possibly this was an attempt to grab some extra publicity, or perhaps my original post was too close for comfort, revealing how ineffective this expensive product might be. From Mr. Kostyrko:

Many of your assumptions are correct, many of them are not. We respect and welcome the opportunity to discuss this in detail but are only prepared to do this in the form of a published article involving an in person demonstration of the technology (to dispel the myths and authenticate the truths).

Note: to avoid misunderstandings it would be appropriate to perform an in person demonstration.

We would like to involve Apple in the process along with their official guidelines on how to lock down your system so that all concerned users can understand how these things work. We can arrange for representatives of Apple to be present along with their thoughts on the matter.

This sounds very much like SubRosaSoft trying to control our coverage, which is something Wired will not allow. We offered them a telephone interview and the opportunity to give an online demonstration but unfortunately the lowly Gadget Lab wasn't deemed good enough:

Gadget Lab is not likely to be an appropriate venue for our target market, so we respectfully decline that, but would welcome wired.

I replied:

The online side of Wired is split into subject areas. I think that a USB thumbdrive falls squarely into the Gadget Lab remit.

With this refusal of information, we can only speculate on whether the device works or not (I vote no, but it's only an educated guess). Are SubRosaSoft keeping the workings secret to provide 'security through obscurity'? Are they scared that if the MackLockPick is examined properly they will lose sales when it's found to be worthless? Like I said, without more information we can't tell. But it does smell a little fishy.

My full email follows:

From: charlie@[redacted]

Subject: MackLockPick questions from Wired

Date: April 30, 2007 11:23:43 AM GMT+02:00

To: [email protected]

Hi,

I write for Wired's Gadget Lab and I have posted an article on the MackLockPick.

http://blog.wired.com/gadgets/2007/04/maclockpick_usb.html

I have a couple of questions about the product.

The 'law enforcement officer' needs to run the application from the USB drive. How can they do this if the secure screensaver is set? That reqiures a password to actually use the machine.

Even if the machine is on, awake and logged in, will this work if the keychain is locked? You say that the MackLockPick takes advantage of the fact that the default state of the keychain is open. It's trivial to set the keychain to automatically lock after a time period or upon sleep. This will defeat your device, right?

I assume that your claim to discover deleted files is based on reading the 'Recent Items' list stored in cache. The actual files cannot be accesed, only the names and file paths of those files. Is this correct?

If an application is run on a Mac, it too will show up in recent items. Does your software take any steps to delete this from the log files? It would have to delete the related entries in the console too, otherwise the 'suspect' would be able to discover the attack.

Thank you for your time.

Charlie Sorrel

Product page [SubRosaSoft]