Last week's macOS Sierra 10.12.2 update fixed several bugs and patched some newly discovered vulnerabilities, including one that allowed an attacker to obtain your FileVault disk encryption password by connecting a Thunderbolt device to a Mac that is locked or in a sleep state.
As detailed by security researcher Ulf Frisk, attackers must have physical access to your Mac to exploit the vulnerability. The password obtained can then be used to unlock the Mac's disk and access everything on it.
The security researcher points out two macOS issues that made this type of attack possible.
First, macOS is not protected against direct memory access (DMA) attacks before it starts. This is because the Extensible Firmware Interface (EFI), which runs when you turn on your Mac, allows Thunderbolt devices to read and write memory before macOS starts.
"Right now, macOS has not yet begun," says Frisk. "macOS resides on the encrypted disk, which must be unlocked before it can be started. Once macOS starts, the DMA protections are enabled by default."