Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Businesses Apple

Prevent Insecure Booting Of Your Mac 51

maxphunk writes "So you can boot anyone's Mac using a CD or (for newer machines) mount the hard drive using target disk mode. Therefore, your machine isn't secure, right? Stock, yes; otherwise, no. Apple has a neato utility described here that eliminates this problem and more, using Open Firmware Password Protection. I have installed it on my iBook (late 2001) and I am definitely pleased with the results." It requires Mac OS X 10.1 or greater, and prevents things like starting up in single user mode, verbose mode, resetting PRAM, and more.
This discussion has been archived. No new comments can be posted.

Prevent Insecure Booting Of Your Mac

Comments Filter:
  • What would happen if you opened up the Mac and hit the hardware reset switch on the motherboard? Will this bypass this new password protection?
    • Re:Reset Switch? (Score:3, Informative)

      by BitGeek ( 19506 )
      No.

      The hardware reset starts the machine reading at the beginning of its onboard ROM (or wherever the reset address is set to) and so it immediately starts executing code that wants the password.

      The way around this is to grab a the hard drive out of the machine, and put it in an external firewire case, attach it to another machine that boots from its internal hard drive ,and then you should be able to read all the data.

      This password protection is basically a deterrant, but not ultimate security.
      • This password protection is basically a deterrant, but not ultimate security.


        that's right, it won't stop a determined hacker. If they want what's on your machine, and they have physical access, they'll get it.

        But where this falls down is that it makes it a *real* bitch if you need to legitimately boot off a CD - for example, something bad happens to your install. Unlikely with OS X, but still a remote possibility.

        -- james
        • Re:Reset Switch? (Score:3, Interesting)

          by feldsteins ( 313201 )
          Oh I don' t know.. if by "*real* bitch" you mean "gotta enter the OF password," then yeah I guess so.

          Seriously, is it more than that? I wouldn't have thought so.
        • You can still boot off of other media by holding down the Option key. From there, you'll be asked for the OF password, and then you can choose the disk you want to use.
        • that's right, it won't stop a determined hacker. If they want what's on your machine, and they have physical access, they'll get it.

          I think we are considering the wrong tools for different jobs here.

          The OpenFirmware password should be used to disallow usage of your machine as a whole (hardware stolen etc) and disallow a weak attempt at theft of private info from the machine (most attempts would be weak, the average joe is not an elite cracker or even script kiddie).

          High protection of your valuable information should be kept inside an AES-128 encrypted disk image. If they can get your data out of that (stored with a strong password), then they are pretty damned determined!

          At the end of the day, suffering a loss of hardware can be something hard to avoid. You need to decide how much you are willing to spend to prevent the theft of hardware. Securing the data is the easy part.

          If everyone secured their Macs with the OpenFirmware password, thieves might soon avoid stealing them since their value to purchasers plummet. Theives would not be able to demonstrate that "they own the machine" and that the machine is usable to a private buyer, money-lent shop, etc. I know many stolen goods are sold on the street without any demonstration, though theives selling useless hardware will soon get a bad reputation for supplying useless goods and thus avoid those goods.

          It should come pre-enabled with OSX, since the BIOS queries for a password, allowing the rightful owner to protect their hardware.

  • What if you forget password? Just call Mac service? Well that doesn't sound secure...
    • i think it can be compromized anyway, take your harddrive out, etc.. But it's very effective against fast console hacks. (going to take a coffe and leaving my iBook on my desc...)
      • going to take a coffe and leaving my iBook on my desc...

        I'd be far more worried about that iBook getting stolen than getting cracked...
    • Well, right now you just need to boot from the OS X CD and then use those cool menu items to reset the passwords. I've done it a number of times since someone in my house can't remember their password. But there is no need to call Apple.
      • Right, but that doesn't work on the firmware passwords, since you can't get to the Cd drive.
        • And that's why people would use the Open Firmware password. The only point I'm making is that what we currently have is insecure, so the more layers you can add, the more secure your data can be.
    • In the article:

      Warning: The Open Firmware Password can be reset and changed by any one of the following:

      1. By any Admin user, as designated in the users pane of System Preferences (or in Server Admin).
      2. Via physical access to the inside of the computer.
      3. When the computer is started up in Mac OS 9.


      No computer is secure if you have physical access to the computer.
  • wow, cool... (Score:1, Offtopic)

    by kevin lyda ( 4803 )
    ...and this prevents people from just removing your harddrive and grabbing the data that way how exactly? oops.
    • And that's why you encrypt the data files on the hard drive as well. This just prevents people from using the password reset utility on the CD to gain entry into your computer.
    • Re:wow, cool... (Score:2, Insightful)

      by DustMagnet ( 453493 )
      This type of security is more usefull than it sounds. If you combine it with a physical lock down, you have a machine that can be safely setup in a public lab.
    • No one's opening up my iMac for the hard drive without printed instructions from MacFixIt.com or another Mac tech site, and it'll take them 10-15 minutes. Heck, I replaced my hard drive, and I couldn't do it again without instructions.
  • by Paul Burney ( 560340 ) on Friday June 07, 2002 @08:51AM (#3659140) Homepage

    Fear not! According to the securemac site [securemac.com] and the macosxlabs site [macosxlabs.org], just do the following:

    Force Removing Password Protection

    1) Add or remove DIMMs to change the total amount of RAM in the computer.

    2) Then, the PRAM must be reset 3 times. (Command + Option + P + R).

    I'm not sure if just removing the PRAM battery will also reset the PRAM or not in this case.

    Is this secure? Well, it depends on your situation. If you are in a lab situation and you don't want the students booting off CDs, ZIPs, external hard drives, etc., for their hax0rish needs, then this works OK. It's easy to spot someone opening up a computer and swapping out ram, etc.

    For your own machine? Probably more trouble than it's worth because it causes problems with firmware upgrades, etc. If someone has physical access to your machine, they can get the data off by using the above procedure or by the hard drive swapping someone else mentioned.

    Bottom Line: If you have sensitive data on your machine, you should encrypt it even if you have OF password set. In general, if you let someone have physical access to a machine, assume they can get access to all the data on it.

    • That's only if you're being half-assed about it. You can put a masterlock on the machine to prevent it from being opened.
      • Not on an iMac though. There isn't a way to stop the ram from being removed.
        • Not on an iMac though. There isn't a way to stop the ram from being removed.
          Yes there is. There's a hole in the latch (the part you turn using a coin or whatever) that, when a cable lock is inserted, will prevent the latch from being opened.

          It's hard as hell to find a lock to fit it, but once locked down, you cannot open it. I found a cable-type luggage lock that fit.

      • You can put a masterlock on the machine to prevent it from being opened.

        The padlock itself may be able to laugh at bullets, but the little tab of lightweight metal it's attached to is about two seconds work with a Dremel.

        Locking a computer case that way is about as effective as putting a bulletproof window into a cardboard wall. It's the illusion of security, nothing more.
    • I happen to like the "arcane" (not really, "password" then "setenv security-mode full" isn't that arcane (coming from a guy that prefers MacVIM to anything else....)) interface better because it can lock out the computer from booting period unless you reset the password.

      typical startup session with this mode on

      (open firmware banner)

      ok> boot
      Password: clickety-click
      booting continues

      Pi
  • by Spencerian ( 465343 ) on Friday June 07, 2002 @09:07AM (#3659231) Homepage Journal
    For the record, I'm an Apple Service Technician, so I'm not quite talking out of the side of my face.

    Open Firmware protection has been around since the Blue & White G3 (maybe the original G3) but wasn't really endorsed by Apple until now. I think they really wanted to make a formal way to configure it. Before this, users had to boot into OF and enter some arcane commands.

    Basically, all Macs made since late 1999 work with this, but original and Blue & White G3s as well as early iMacs (made in 1998 and 1999) don't qualify. That doesn't mean you can't attempt to use the OF password features available on these systems, just that you may not be able to use Apple's utility to configure it since the firmware versions don't match.

    As someone already said, all bets are off when a hacker has physical access to the computer. But, combined with physical deterrents such as locks and proper security (rlogin off, password on screen saver, proper admin and user accounts, etc.), this really helps teachers and other sysadmins who need to keep kiddies or college kids from overriding the system's security and installing or copying stuff.

    Apple hardware has really needed this for a long time, and I couldn't endorse it until Apple did since it's a CYA thing.
    • I'm trying to figure out a way to boot Linux on old world Macs that run OS X (beige G3s, etc). I was hoping this was a way to get into firmware, because as it stands, the firmware bootloader (yaboot) doesn't work, and since it's OS X, a BootX extension doesn't work either without forcing the user into OS 9.

      I read this on the Apple Care page linked to this article:

      Hardware Requirements * none

      But from what you say, this isn't true.

      For what it's worth, yaboot, the Open Firmware boot loader that comes with most (all?) PPC Linux distros, has password protection as well. (http://www.debian.org/ports/powerpc/inst/yaboot-h owto/ch6.en.html)

  • now how am i supposed to install things on the schools macs that i need. the lazy IT department will not install anything, regardless of purpose.

    we hacked an entire room of G4's just to put on our Wacom drivers so we could use our tablets to do homework.

  • Actually, it's a deterrent. If your lab is made up of new flatscreen iMacs, you'd have to prevent the base from being opened up. Four screws for the RAM access plate, then some torx screws inside that for the drives. PowerMac G4 computers and CRT iMacs are better protected because their access doors can be secured with a cable.
    Bottom line, the Open Firmware password is a Maginot Line. It's great until someone realizes they can go around it. You'd better be ready to use other utilties or practices in conjunction with the password.
  • If you have physical access to the device, of course you can access the data stored on the device. All of these measures help keep the dad from being accessed, but if one steals the storage medium, you better hope that everything important on the drive was encrypted.
  • Enabling the OF password will disable all of the startup key sequences, including booting from a CD, ejecting removable media, and Firewire target disk mode. This can be very confusing if you set the password, forget that it is set, and then try to use FW target disk mode, or need to boot from a CD. For everything that it disables, it is not worth the very little bit of security that it adds.
    • yeah, it's bad security because you're a moron and forgot you set it up. uh-huh. it makes it more difficult to access the device? that's why it's called security, dumbass.
      • It is bad security because it doesn't buy you anything. Your data is no more secure with it on than off. It adds inconvenience by disabling some very useful functions (firewire target mode) and in order to turn it off to use fw disk mode, you have to boot into X to turn it off. If you are after data security, you would be better served to look somewhere else.
        • hmmm... it buys me the knowledge that an unattended machine won't be able to be booted and accessed by anything but the internal drive.

          yeah, and those very useful functions that are disabled make your machine less secure, so disabling them makes the machine more secure...

          it's obvious you just don't get it.

          • Well I guess you won't be happy until you win, so if disabling these features is useful to you, then you win. In my book this doesn't add much value, but if I were still administering labs of machines, this would be very useful. To each, his own. I don't use it, but I can see that it might be useful to some. The point is that users should not enable this password without knowing the consequences.
  • Physical security is always part of the secruity equation, so here's a somewhat ridiculous method, and one that can work well in a school environment.

    Remove the internal hard drive, or ensure that there is no OS installed on it (data only), set up an external firewire drive with everything you need (OS, Apps, etc.), and set the system to boot from that drive. When you're done, take the hard drive with you.

    Alternatively, you could also boot this same system off an OSX server volume (ala diskless Unix workstations) Apple demonstrated that capability with an early dsitro of OSX Server to 50 diskless iMacs a while back. Here's a reference: http://docs.info.apple.com/article.html?artnum=601 68
  • laptop theft (Score:2, Insightful)

    by tomdarch ( 225937 )
    My PB was stolen a while ago, so this has been on my mind recently. How sophisticated are the people who fence stolen mac laptops. I'm sure that there's a sophisticated network for turning around stolen PCs, but Macs are a bit more obscure. In my case, the stupid theives took the laptop, but not the $80 power cable. I'm sure that the battery ran down in a few days in sleep mode, so to show that it's working to sell it or wipe the drive with a bootable CD would require a specific power cord. Are there 'resale channels' with those kinds of resources? Back to the topic, an OF password would help to some degree by preventing simply booting off a CD. Are there Mac specific fences who would know how to get around that? It's been a couple of months since the theft, and I still suspect that I may get a call one day: "Uh, I, uh, found a laptop that has your name on the screen and asks for a password...." I can always hope, can't I?

There is no opinion so absurd that some philosopher will not express it. -- Marcus Tullius Cicero, "Ad familiares"

Working...