
Using EFI password "full" security isn't working

Hi,


I'm trying to use the EFI Password Utility to prohibit any attempt to boot my MacBook Pro without the correct password. I used the utility available on the MacBook Pro's supplied install DVD, and so far have successfully prevented the use of any keystrokes on boot without the correct password (i.e. "command" mode). However, I am unable to set the EFI to prohibit any attempt to boot.


Apple documents in its, "Mac OS X: Security Configuration - For Mac OS X Version 10.6 Snow Leopard" PDF manual that,

You can also configure EFI from the command line by using the nvram tool. […]

You can set the security mode to one of the following values:

[…]

Full: This value requires a password to start up or restart your computer. It also requires a password to make changes to EFI.

For example, to set the security-mode to full you would use the following command:

$ sudo nvram security-mode=full

I applied this setting, but it doesn't appear to be working. The redacted output of "nvram -x -p" is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>EFICapsule_Result</key>
	<data>REDACTED</data>
	<key>SmcFlasherResult</key>
	<data>REDACTED</data>
	<key>SystemAudioVolume</key>
	<data>REDACTED</data>
	<key>boot-image</key>
	<data>REDACTED</data>
	<key>efi-apple-payload0</key>
	<data>REDACTED</data>
	<key>efi-apple-payload0-data</key>
	<data>REDACTED</data>
	<key>efi-apple-recovery</key>
	<data>REDACTED</data>
	<key>efi-boot-device</key>
	<data>REDACTED</data>
	<key>efi-boot-device-data</key>
	<data>REDACTED</data>
	<key>gpu-policy</key>
	<data>REDACTED</data>
	<key>prev-lang:kbd</key>
	<data>REDACTED</data>
	<key>security-mode</key>
	<string>full</string>
</dict>
</plist>

What makes it confusing is that Apple specifies later on the same page (56) that the term passed to the "security-mode" option should be encased in quotes:

# Secure startup by setting security-mode. Replace $mode-value with
# "command" or "full."

sudo nvram security-mode="$mode-value"

So, assuming that I may have used the wrong version of the command, and thereby not applied the setting correctly, I deleted the "security-mode" key using:

sudo nvram -d security-mode

I then re-applied the setting using:

sudo nvram security-mode=full

because I was confident that, initially, I had used the version with quotes. However, it's made no difference - booting the machine does not require entry of an EFI password.


Oddly, the EFI still prevents the use of keystrokes (i.e. "command" mode), so it's definitely functional; I just can't tell it to use "full" mode. Also, I note that "security-mode" is the only key to have a "string" child and not a "data" child - is this indicative of a problem?


Any advice?

MacBook Pro, Mac OS X (10.6.8), Early-2011 model, 4GB RAM, SSD

Posted on Feb 16, 2012 5:12 PM

7 replies
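The post inspects the `nvram -x -p` dump by eye to see what security-mode holds. The following is an added example, not code from the thread or from Apple, that does the same check programmatically: it parses that XML property list with Python's standard-library plistlib, distinguishes a value stored as a `<string>` from one stored as `<data>`, and reports whether the mode is one of the values the guide documents. The sample plist embedded below is constructed for the example, with the binary payloads replaced by placeholder bytes; `current_security_mode()` is a convenience wrapper that only works on a Mac where the `nvram` command exists.

```python
"""Added example: classify the EFI security-mode found in `nvram -x -p` output.

`nvram -x -p` prints an XML property list. Most firmware variables appear as
<data> (raw bytes); a value written with `nvram security-mode=full` appears
as a <string>, as the post's dump shows. plistlib returns bytes for <data>
and str for <string>, so the type of the parsed value tells us which form
the variable is stored in.
"""
import plistlib
import subprocess

# Values Apple's Snow Leopard security guide documents for security-mode.
# "command" and "full" are quoted in the post; "none" is the guide's
# no-password value.
KNOWN_MODES = {"none", "command", "full"}


def parse_nvram_xml(xml_bytes):
    """Return the dictionary of NVRAM variables from `nvram -x -p` output."""
    variables = plistlib.loads(xml_bytes)
    if not isinstance(variables, dict):
        raise ValueError("nvram -x -p output should be a plist <dict>")
    return variables


def security_mode(variables):
    """Classify the security-mode variable in a parsed nvram dictionary.

    Returns a (kind, mode) pair where kind is one of:
      "unset"   - the variable is absent (no firmware password configured)
      "string"  - stored as text, the form `nvram security-mode=<mode>` writes
      "data"    - stored as raw bytes; decoded as ASCII with NULs stripped
      "unknown" - present, but not one of the documented mode values
    """
    if "security-mode" not in variables:
        return ("unset", None)
    value = variables["security-mode"]
    if isinstance(value, bytes):
        kind = "data"
        mode = value.rstrip(b"\x00").decode("ascii", errors="replace")
    else:
        kind = "string"
        mode = str(value)
    if mode not in KNOWN_MODES:
        return ("unknown", mode)
    return (kind, mode)


def current_security_mode():
    """Run `nvram -x -p` on this machine and classify its security-mode (macOS only)."""
    out = subprocess.check_output(["nvram", "-x", "-p"])
    return security_mode(parse_nvram_xml(out))


# Constructed sample in the shape of the post's dump; payloads are placeholders.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>SystemAudioVolume</key>
	<data>QA==</data>
	<key>efi-boot-device</key>
	<data>UkVEQUNURUQ=</data>
	<key>security-mode</key>
	<string>full</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    kind, mode = security_mode(parse_nvram_xml(SAMPLE_XML))
    print("security-mode stored as <%s>: %s" % (kind, mode))
```

On the quoting question raised in the post: the shell strips the quotes before `nvram` ever sees its arguments, so `security-mode=full` and `security-mode="full"` deliver the identical argument `security-mode=full` and write the same string value; a `<string>` child in the dump is exactly what that command produces, so the presence of a string rather than data is not by itself a sign that the write failed.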

Feb 17, 2012 12:05 PM in response to Scotch_Brawth

Linc is perfectly correct. A firmware password is easily circumvented in five minutes or less by someone who has physical access to the machine, and in two more minutes the hard drive can be removed and absconded with. So if you are trying to secure your data against someone who will have physical access to your computer, concern yourself with encryption, not the illusory protection of a firmware password.


Your rudeness doesn't encourage anyone to venture a reply.

Feb 17, 2012 12:17 PM in response to eww

Your rudeness doesn't encourage anyone to venture a reply.

lol, frankly hardly too much of a concern when the quality of replies I receive here is, most of the time, so poor. I post here because I've exhausted all other avenues, not because I actually expect a useful or even pertinent reply.


eww wrote:


A firmware password is easily circumvented in five minutes or less by someone who has physical access to the machine

and the resources and time to do so.


I guess all the US troops in theatre should forswear their armoured vehicles and kevlar - after all, someone with the right weapon can maim/kill them whenever they choose...

Feb 17, 2012 12:53 PM in response to Scotch_Brawth

The resources consist of a suitable screwdriver or two and a sentence or two of information that anyone can easily find on the web by Googling.


The time needed is, as I said, no more and quite possibly less than 5-7 minutes, depending largely on whether or not the thief takes time to reassemble everything before leaving with your hard drive. It would be much easier and faster to steal the hard drive from any unibody MBP than to bother booting the machine and searching for the desired data on it. Encryption would prevent the would-be thief from accessing your data regardless of which method he chose.


I don't presume to advise soldiers in the field about protecting themselves. I do venture to tell people who come here looking for advice about data security that a firmware password is about as much use as a tinfoil hat. If you choose to put a tinfoil hat on your Mac and call it secure, good luck to you.

Mar 10, 2012 6:28 AM in response to Scotch_Brawth

I've got the same problem as OP but I'm not concerning myself with the physical security of my device--an entirely separate topic altogether.


Essentially, I know that with physical access to a Mac box it's possible to enter single user mode and change the password. I also know there is a way to prevent that ability by changing the default login credentials I just don't remember the phrase of what I'm looking for. I know that I have a pdf on hardening snow leopard which probably has information on how to restrict password changes when in single user mode, but I can't find it.


Here's some stuff that should at least get you started in the right direction:


http://support.apple.com/kb/HT1352

http://lists.apple.com/archives/fed-talk/2011/Feb/msg00022.html


Definitely read:


http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf


Depending how much time you want to spend on this, there's also a book by Charlie Miller called "Mac Hackers Handbook" that's worth the read--although I have yet to do so completely myself. I did get to see his talk at DefCon 2011 and it was pretty amazing- he developed a technique to essentially make a Mac laptop battery explode from a remote location-- although he never has actually done it for fear of...you know...actually destroying his computer. lol. The next time you hear a MacTard bragging about how OSX is a secure platform, be sure to bring that up. Also distinguish between viruses and malware in general the next time you talk to a genius about mac security- we recently discovered a rootkit on one of the Macs on our network.


Back to the topic--If you're going to go through the effort of securing one aspect of your box, you might as well keep going with it if you have legitimate reasons to worry about unauthorized access.

Another awesome resource is the Electronic Frontier Foundation:


https://www.eff.org


https://ssd.eff.org/risk


They have guides about nearly everything concerning online anonymity and/or security and they're really good about keeping it 'human readable' - i.e. understandable to the average user. I'll try to find that pdf and upload it if I do. Those other resources should point you in the right direction- if not explicitly answer your question. Let me know if you find anything too 😉. Help me help you.

