Trusted Computer Consulting

 

Apple Boot Security

Ben Erickson  February 22 2019 11:36:00
Last May (5/2018) while I was doing some security testing in MacOS, I found an interesting but very concerning bug. The firmware password is a setting that prevents unauthorized access to your Mac. This is what it looks like when you start up your Mac and it has a Firmware password:
Image:Apple Boot Security



Without this password set, anybody with physical access to your Mac can simply reboot the computer and, with certain keyboard shortcuts, access Single User Mode or MacOS Recovery. Once booted to either of those modes, you can do absolutely anything to any file or user, including deleting or adding new administrator accounts or reformatting the hard drive and reinstalling MacOS. So it's a very important security feature Apple has put into their products. What I found out was that it wasn't working.

To my surprise, on any Mac I tested, with the Firmware Password set, I was still able to access Single User Mode without entering the password. Now, as a Linux/Unix guy, I really like single-user mode because it gives me a nice, soothing black background and command-line-only interface with a root prompt and whispers into my ear that MacOS, despite all the loud graphics, is really just BSD Unix under the hood after all:
Image:Apple Boot Security



But I shouldn't be able to get here without a fight. After checking a few other machines to make sure I wasn't seeing things, I contacted Apple Product Security to report this giant, Men-In-Black-alien-size bug. What happened next was interesting. They asked me for some additional information and thanked me. Then nothing. No communication at all.

I discovered that it had been fixed in November (2018) when I was testing MacOS Mojave 10.14 as it was in beta, where the firmware password was working properly in securing Single User Mode. I was surprised that they had said nothing, so I started a dialog again with Apple Product Security. It went back and forth for a while, and after about a month (December now) they told me it was fixed (promptly!) in macOS High Sierra 10.13.5. But they never notified me nor even published it on their security bulletin at the time. In other words, they fixed it secretly and told no one, even though it is supposedly their policy to disclose these things, as well as the person who originally found them, in their security updates.

So we went back and forth again, and finally after two more months (February 2019), I can now disclose this on my blog since they have put it in their bulletin too. Now, if you scroll down to the EFI section you will find this issue listed and find my name listed in the acknowledgements:
Image:Apple Boot Security



This may sound like it wasn't a good experience, and that Apple dropped the ball. And they certainly did in the communication department. But in all fairness, I think it's important to point out that Apple's products, including MacOS, are generally very secure, and also that they did fix the vulnerability almost immediately after I reported it. If you have any questions about how to use the firmware password on your Mac or anything related to Mac Security or MacOS, I am an Apple Certified Support Professional and can help you with that. Just give us a call!
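
One way to audit a Mac for the two conditions this post turns on, as an added example that is not part of the original post: a firmware password must be set, and macOS must be at least 10.13.5 (the fix version stated above). The function names are made up for this example; it assumes an Intel Mac, where `firmwarepasswd -check` (run as root) reports `Password Enabled: Yes` or `No`.

```shell
#!/bin/sh
# Added example: firmware-password audit for the issue described in this post.
FIXED_VERSION="10.13.5"   # per the post, Single User Mode is protected from here on

# version_ge A B: succeed when dotted version A >= B (first three components).
version_ge() {
    a=$1; b=$2
    for n in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# firmware_password_enabled TEXT: TEXT is the output of `firmwarepasswd -check`.
firmware_password_enabled() {
    case $1 in
        *"Password Enabled: Yes"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit VERSION CHECK_OUTPUT: print a verdict, return non-zero on failure.
audit() {
    if ! firmware_password_enabled "$2"; then
        echo "FAIL: no firmware password set"
        return 1
    fi
    if ! version_ge "$1" "$FIXED_VERSION"; then
        echo "FAIL: firmware password set, but macOS $1 predates $FIXED_VERSION"
        return 1
    fi
    echo "OK: firmware password set on macOS $1"
}

# Only query the live system on a Mac that has the tool.
if [ "$(uname -s)" = "Darwin" ] && command -v firmwarepasswd >/dev/null 2>&1; then
    audit "$(sw_vers -productVersion)" "$(sudo firmwarepasswd -check)"
fi
```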