
Ambrosia7177

Original poster
In the past, a friend told me that if I wanted good security on my MacBook that I should create an EFI password.

Does that still apply in 2017?

I have been reading about some Thunderbolt 2 firmware hack that turns your mac into a "brick" and the article made it sound like an EFI password won't protect you.

I am asking for my Retina MBP that currently runs Sierra and which has a removable hard-drive.

Thanks.
 
Using FileVault protects you. An EFI password just makes the computer useless to a would-be thief, since they won't be able to wipe the drive and do a clean install of OS X or replace the drive.

As far as I know Apple patched that Thunderbolt flaw last December.
 
Once you set an EFI password, the Mac won't even begin to boot UNTIL you enter the password.

This can be great if you want to restrict access to it (particularly if it's stolen).

BUT -- forget that password, or if something else "goes wrong" -- even YOU may not be able to get it booted and running again. You'll be permanently "locked out".

And Apple WILL NOT help you, UNLESS you can prove ownership to them (usually with an original invoice).

I wouldn't want this.
Whether you would... is up to you.
 
Once you set an EFI password, the Mac won't even begin to boot UNTIL you enter the password.
You might be thinking of FileVault, which will require a password at boot, but an EFI password does not require a password during a normal boot to the previously selected startup disk.
 
So is setting up an EFI password on Sierra a good security move?

It seems like a good idea to me, but I am just leery because it sounds like there are lots of tools out there to bypass your EFI password and hijack your Mac.

Is that true or not?

It doesn't sound like @Fishrrman likes the idea of an EFI password.
 
Yes it is a good security move. It prevents someone from booting from an external drive and using that to try and hack in.

There was a hardware device that was able to hack the EFI password, but it has been patched.

Other than the concern about forgetting the EFI password and having to hassle with getting Apple to reset it, there really is no reason not to enable it.
 
"Make sense" is going to vary from person to person, circumstance to circumstance.

With EFI password enabled, you need to enter that password any time you try to boot to Recovery or Internet Recovery, if you try to reinstall using a bootable thumb drive, target disk mode, boot to a different OS on an alternate partition... Meantime, since on a routine basis you won't encounter that password, you may either forget you have it or forget what it is. So, it could become an impediment when trying to recover from a disaster, bring it in for service, or erase/sell the Mac.

But beyond that, it enhances security for that same reason - scorched earth if someone steals the Mac, and fewer ways to hack in.

It is not a substitute for disk encryption - it is a supplement. If someone were to remove the HDD from the Mac, the EFI password would not protect the contents of that drive - disk encryption is the answer for that particular risk. One way to look at it is that EFI password protects the computer, encryption protects the data.
 
So if I update my EFI firmware on my 2015 Retina with Sierra, are you saying I don't have to worry about things like "Sonic Screwdriver", "Der Starke", "Thunderbolt 2 Attack" and so on?
If I set an EFI password, I will write it down and store it in a safe so forgetting it won't happen unless someone walks off with my safe! :D

Based on what I have read so far, I'm not sure why anyone wouldn't use an EFI password and FileVault 2.

I guess my OP is just more worried about all the supposed ways that your EFI can be hacked. It sounds like EFI isn't very secure, and if that gets hacked so does your entire computer, regardless of whether it uses encryption.

How worried should I be about my EFI getting hacked?
 
Nobody can promise that anything is hack-proof.

I don't have the expertise to say whether EFI is more or less vulnerable than other aspects of system security. My sense is that it is very secure, due to the processes needed to apply a firmware exploit. Apple seems no less attentive to known firmware exploits than they are to other kinds of exploit.

But let's look at it this way; EFI is only one of many defenses you can array against intruders. It uniquely defends against certain kinds of attack; it is zero defense against certain other kinds of attack. If you use all available defenses you will be better protected than if you use fewer.

My mom used to warn me against looking for the "hole in the donut." In other words, don't let an imperfection blind you to the overall benefits.

The fatal flaw for Achilles wasn't that his heel lacked the invulnerability of the rest of his body; it was that he didn't protect that heel - common belief is he went barefoot or sandal-footed into battle. Perhaps well-designed boots might have deflected 90% of the arrows aimed at his heel. Considering the difficulty of hitting the heel in the first place, 90% is a far better defense than none at all.
 
So if I update my EFI firmware on my 2015 Retina with Sierra, are you saying I don't have to worry about things like "Sonic Screwdriver", "Der Starke", "Thunderbolt 2 Attack" and so on?
Last I read subsequent to all that CIA information coming out, Apple patched those vulnerabilities. I guess look at it this way, even if those vulnerabilities still did exist, are you more or less secure with an EFI password enabled? I think the answer is obviously you are better off with it enabled either way.
 
The OP is such a "security freak", I doubt that ANYTHING will ever satisfy him/her...
 
I would also recommend setting an EFI password. I used to be indifferent about it for the reasons given by others, but it does block option ROMs and narrows certain attack vectors. If you're the kind of person who can be trusted with passwords, then it is pretty much a no-brainer to set it.

You can also set it from within macOS with the firmwarepasswd command-line tool.
 
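Added example, not code from any post in this thread: a POSIX sh audit that reads what the firmwarepasswd tool reports (password set or not, and which mode) alongside fdesetup for FileVault, and prints a verdict. The output strings it matches ("Password Enabled: Yes", "Mode: command", "FileVault is On.") are assumed from the macOS 10.12/10.13 tools; both firmwarepasswd calls need root, so off a Mac the parsing functions are driven with captured or constructed output instead.

```shell
#!/bin/sh
# Added example, not from any post in this thread.
# Audits a Mac's firmware-password and FileVault state from the text that
# firmwarepasswd(8) and fdesetup(8) print. Assumed output formats (macOS 10.12/10.13):
#   sudo firmwarepasswd -check  -> "Password Enabled: Yes" / "Password Enabled: No"
#   sudo firmwarepasswd -mode   -> "Mode: command" / "Mode: full"
#   fdesetup status             -> "FileVault is On." / "FileVault is Off."
# command mode: prompt only when booting anything other than the selected startup
# disk (Option key, Recovery, external disk, Target Disk Mode); full mode: prompt on
# every boot. Both firmwarepasswd calls need root.

# Map "firmwarepasswd -check" output to yes/no/unknown.
fw_enabled() {
    case "$1" in
        *"Password Enabled: Yes"*) echo yes ;;
        *"Password Enabled: No"*)  echo no ;;
        *)                         echo unknown ;;
    esac
}

# Map "firmwarepasswd -mode" output to command/full/unknown.
fw_mode() {
    case "$1" in
        *"Mode: command"*) echo command ;;
        *"Mode: full"*)    echo full ;;
        *)                 echo unknown ;;
    esac
}

# Map "fdesetup status" output to yes/no/unknown.
fv_on() {
    case "$1" in
        *"FileVault is On."*)  echo yes ;;
        *"FileVault is Off."*) echo no ;;
        *)                     echo unknown ;;
    esac
}

# audit_verdict CHECK_OUTPUT MODE_OUTPUT FDESETUP_OUTPUT
# Prints findings; returns 0 only when a firmware password is set AND FileVault
# is on, i.e. the "stolen Mac is a brick, pulled drive is unreadable" combination.
audit_verdict() {
    av_en=$(fw_enabled "$1"); av_mode=$(fw_mode "$2"); av_fv=$(fv_on "$3"); av_rc=0
    if [ "$av_en" != yes ]; then
        echo "FAIL: no firmware password (external boot, Recovery reinstall and NVRAM reset are not blocked)"
        av_rc=1
    fi
    if [ "$av_fv" != yes ]; then
        echo "FAIL: FileVault off (a drive pulled from the machine is readable; the EFI password does not cover that)"
        av_rc=1
    fi
    if [ "$av_rc" -eq 0 ]; then
        echo "OK: firmware password set ($av_mode mode), FileVault on"
        if [ "$av_mode" = full ]; then
            echo "NOTE: full mode also prompts on every normal boot"
        fi
    fi
    return "$av_rc"
}

# Live check when run as root on macOS; elsewhere, feed the functions captured output.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    audit_verdict "$(firmwarepasswd -check)" "$(firmwarepasswd -mode)" "$(fdesetup status)"
fi
```

To fix a FAIL, the corresponding real commands are `sudo firmwarepasswd -setpasswd` (prompts for the new password), `sudo firmwarepasswd -setmode full` (or `command`), and `sudo fdesetup enable` for FileVault; run the audit again afterwards. Written this way the script drops into an MDM extension attribute or a cron job and fails closed on unrecognised output rather than reporting a machine as compliant.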
I had looked at this some time ago and there was so much negativity against it I just moved on. Seems now it is worth another look. My little weasel friend, do you have a link or more info to the CIA reporting? Would be a good read.

How are you all using this, command or full? Seems command would be fine, full for paranoid, but there could be uses for that on certain machines too.
 
I use both on all the Macs in my household.
That along with FileVault means that a stolen machine is a brick.
If I can't use it, someone else won't be able to either.

You can't boot from an alternative device, so you can't wipe the encrypted data.
You can't boot from the current device because it's encrypted.

Works for me.
 
I had looked at this some time ago and there was so much negativity against it I just moved on. Seems now it is worth another look. My little weasel friend, do you have a link or more info to the CIA reporting? Would be a good read.

How are you all using this, command or full? Seems command would be fine, full for paranoid, but there could be uses for that on certain machines too.

https://techcrunch.com/2017/03/23/wikileaks-releases-new-cia-documents-describing-mac-exploits/

Here is an article on it.

I just turned it on using the utility from the recovery partition.
 
But let's look at it this way; EFI is only one of many defenses you can array against intruders. It uniquely defends against certain kinds of attack; it is zero defense against certain other kinds of attack.

The problem with the EFI vulnerability is that if your EFI gets compromised your whole Mac is toast, because the OS and your apps and data sit on top of the EFI firmware. And if you read about the Thunderbolt 2 attack it is rather humbling!


If you use all available defenses you will be better protected than if you use fewer.

Yes, I agree.


My mom used to warn me against looking for the "hole in the donut." In other words, don't let an imperfection blind you to the overall benefits.

The fatal flaw for Achilles wasn't that his heel lacked the invulnerability of the rest of his body; it was that he didn't protect that heel - common belief is he went barefoot or sandal-footed into battle. Perhaps well-designed boots might have deflected 90% of the arrows aimed at his heel. Considering the difficulty of hitting the heel in the first place, 90% is a far better defense than none at all.

Valid points, but I think the weakness of EFI on macs (and PCs) is larger than that. It is more like not protecting your head or chest in battle versus your ankles.
The OP is such a "security freak", I doubt that ANYTHING will ever satisfy him/her...

Why does security annoy you so much Fishrrman?

Time to catch up with the 21st century before you get pwned... ;)
 
In the past, a friend told me that if I wanted good security on my MacBook that I should create an EFI password.

Does that still apply in 2017?

I have been reading about some Thunderbolt 2 firmware hack that turns your mac into a "brick" and the article made it sound like an EFI password won't protect you.

I am asking for my Retina MBP that currently runs Sierra and which has a removable hard-drive.

Thanks.

EFI passwords make sense only if you can remember them. Turn on FileVault 2 in Sierra. That will encrypt your files. You still must remember the password, but if you forget it, you at least have other options available (e.g. store the password with Apple, print it out for backup, etc.).

Not so with EFI based.
 
The problem with the EFI vulnerability is that if your EFI gets compromised your whole Mac is toast, because the OS and your apps and data sit on top of the EFI firmware. And if you read about the Thunderbolt 2 attack it is rather humbling!
Not quite true. If the contents of your HDD are encrypted, then EFI vulnerability yields no information, only access to hardware.

Nobody in this discussion has said "EFI is invulnerable." Nobody has suggested that it's the only defense you need - far from it - like other defenses, it addresses only specific types of attack.

If you think the vulnerabilities you've read about make the use of an EFI passcode a futile endeavor, then don't use it.

You started this thread by asking a question. Coming from you, we should have realized it wasn't really a question, but an irrefutable statement. Once more, I regret being suckered into one of your threads.

But in parting... Why don't you perform your own experiment? Set an EFI passcode, and then see if you can deploy the Thunderbolt 2 attack (or any other documented hack) to defeat it. We'd love to know how that works out.
 
I haven't set it. I've had thunderbolt-enabled macs for nearly 4 years, and I don't think I've ever actually seen a thunderbolt peripheral. Yes someone could hack a monitor and then send it to me to plug in, and it's actually secretly thunderbolt not mini-DP. Please do send me one.

I also move HDDs and SSDs around a lot so I don't use FileVault (for the moment), as I don't have info of interest to someone who would go to the lengths of stealing my physical hardware. I do however have logon passwords set.

I also keep my passwords in a password manager e.g. the brilliant 1Password, and if I were to enable EFI or FileVault passwords, I would certainly keep them in a password manager, then I can access them on a second mac or on my phone. And don't give me that bollocks about 1password being hackable - it's better than my brain or pieces of paper for tracking the dozens of long complex passwords in my life and telling me when a company or website that I have an account with has reported a hack.
 
You still must remember the password, but if you forget it, you at least have other options available. (eg store password with Apple,, print out for backup etc)

Not so with EFI based.
Actually that command-line tool @KALLT mentioned can create a recovery key.

Code:
sudo firmwarepasswd -unlockseed
 
You started this thread by asking a question. Coming from you, we should have realized it wasn't really a question, but an irrefutable statement. Once more, I regret being suckered into one of your threads.

But in parting... Why don't you perform your own experiment? Set an EFI passcode, and then see if you can deploy the Thunderbolt 2 attack (or any other documented hack) to defeat it. We'd love to know how that works out.

Why be like that? Such anger from some of you...

My position is that from what I've read hacking the EFI is much easier than what you'd think. Prior to reading about the many EFI attacks out there, I was under the assumption that if you used an EFI password and FileVault 2 then your Mac was impenetrable even by the NSA.

Now I question how effective an EFI password is, that's all.

As far as your comment about FileVault 2, you're missing a key point... When you boot up with an infected EFI, and you unlock FileVault 2, you most certainly do expose all of your data to whatever the EFI hack is!! (Hint: That is how the CIA and NSA hack people's computers! Encrypted data at rest *is* secure, but once you boot up with a compromised EFI you are toast!)

I'm just trying to figure out how to stay ahead of the gov't and super hackers with regards to EFI vulnerabilities.

Apparently that is a crime to some of you...
 
I've used it as an attempt at making it harder to disable Find My Mac, as a PRAM reset will disable FMM. I'm sure it is something that someone somewhere can easily bypass, but it hopefully makes it one step more difficult in addition to the use of FV2.
 