EFI Password: Is It Worth It?

[doubledee]

My new 13" cMBP just arrived today, and my goal is to have a SUPER SECURE laptop when it is all set-up. (The kind that makes NSA agents weep!!)

I have been researching this "EFI Password" thingy, and have been reading/getting mixed signals on this topic.

This article from CNET seems to be the most up-to-date and accurate...

EFI firmware protection locks down newer Macs

...but it still leaves me with questions and feeling somewhat confused.


Questions:

1.) What exactly is the purpose of setting up an EFI Password?


2.) What extra security does an EFI Password offer me?

(In the past, I was told it would protect against what I believe is called a "Fire-Wire/Memory Attack".)


3.) What risks do I run setting up an EFI Password?

(Assuming it is a short PIN, I'm not worried about forgetting it.)


When I set up my new 2012 (?) cMBP, I plan on doing the following things...

- Using File Vault 2 for FDE

- Using "Pass Phrases"

- Doing the standard things to lock things down in System Preferences


However one area that I am fearful of are "Memory Attacks" or things that could happen when my laptop is running with the Screen-Saver Lock on...

In summary, I want to do whatever it takes to have "Industrial-Strength Security" on my cMBP, but I also don't want to do things that could cause me grief (e.g. Complete System Lock-out, Having to give my cMBP to Apple when something gets corrupted)!!

Sincerely,


Debbie

 

[Weaselboy]

Questions:

1.) What exactly is the purpose of setting up an EFI Password?

It stops anybody from booting your Mac from anything but the internal drive. So if someone pops in a bootable USB key to try and boot your Mac, it would not work.

2.) What extra security does an EFI Password offer me?

Related to #1... by blocking all other boot sources nobody would be able to boot to another disk to potentially use hacking tools on your machine.

(In the past, I was told it would protect against what I believe is called a "Fire-Wire/Memory Attack".)

That is outdated information. What you are referring to is direct memory access (DMA). DMA access on Macs has been blocked starting with Lion 10.7.2. Nobody will be able to use DMA to access passwords on your machine.

3.) What risks do I run setting up an EFI Password?

(Assuming it is a short PIN, I'm not worried about forgetting it.)

That's about it... if your forget the EFI PW, it means a trip to the Apple Store to get it reset.

However one area that I am fearful of are "Memory Attacks" or things that could happen when my laptop is running with the Screen-Saver Lock on...

See my comment above on DMA. Not possible on your machine.

In summary, I want to do whatever it takes to have "Industrial-Strength Security" on my cMBP, but I also don't want to do things that could cause me grief (e.g. Complete System Lock-out, Having to give my cMBP to Apple when something gets corrupted)!!

I have never seen or heard of an EFI PW getting corrupted or causing anybody that type of trouble.

====

A bit of clarification on terminology though. You mentioned a "PIN". There has been some confusion with EFI and passwords vs. a PIN.

When you set the EFI password, you will be prompted to enter a password. It can be whatever you want and any combo of numbers and letters. This is your EFI password.

Now let's talk about an EFI PIN. As part of iCloud you have Find my Mac. The idea is if someone steals your machine and logs onto the Internet, you could see where the machine is using Find my Mac. One of the features of Find my Mac is you can use it to lock down a stolen device. So if you login to icloud.com (from another machine) and click on Find my Mac you will see an option to "lock" the stolen Mac. If you click that you will be asked for a four digit PIN. The next time the thief gets on the Internet the stolen machine is going be locked down with that PIN.

So let's say the police find your machine. When you go to use it you will get a screen (below) saying this machine is locked and a prompt for the four digit PIN you entered when you locked the machine. When you enter that PIN, the machine will unlock and you can resume use.

This PIN does reside in EFI, but it is not the same as your EFI password. Two different things for two different purposes.

 

[doubledee]

Weaselboy, you're such a brainiac!!!

It stops anybody from booting your Mac from anything but the internal drive. So if someone pops in a bootable USB key to try and boot your Mac, it would not work.

Related to #1... by blocking all other boot sources nobody would be able to boot to another disk to potentially use hacking tools on your machine.

So, bootable drives are an "attack vector"?

Not to go off on too much of a tangent, but how exactly would that work?

For instance, if my computer was shut off, what could they do?

And if my computer was running with the screen-saver lock on, what could they do?

That is outdated information. What you are referring to is direct memory access (DMA).

DMA access on Macs has been blocked starting with Lion 10.7.2. Nobody will be able to use DMA to access passwords on your machine.

Is that 100% certain?

(Seems too easy...)

That's about it... if your forget the EFI PW, it means a trip to the Apple Store to get it reset.

If that happened, what would be the steps to recover things?

More so, what risk do I have that Apple would get access to my data?

If I was using File Vault 2, and lost my EFI Password, then would I have to cough up my Username, Password, etc to the Apple Techs to get things working again?

(I've always resolved in my mind that once I put data on my laptop, I'll never turn it over to a Tech...)

See my comment above on DMA. Not possible on your machine.

What exactly is an EFI Password "locking"?

Is it locking stuff on my cMBP's motherboard/chipset?

Or just on my HDD?

I have never seen or heard of an EFI PW getting corrupted or causing anybody that type of trouble.

Okay.

====
A bit of clarification on terminology though. You mentioned a "PIN". There has been some confusion with EFI and passwords vs. a PIN.

When you set the EFI password, you will be prompted to enter a password. It can be whatever you want and any combo of numbers and letters. This is your EFI password.

What is a reasonable EFI Password "strategy"?

Do I need to get all fancy with special characters and Pass-Phrases?

Or could it just be a 4-digit number?

Now let's talk about an EFI PIN. As part of iCloud you have Find my Mac. The idea is if someone steals your machine and logs onto the Internet, you could see where the machine is using Find my Mac. One of the features of Find my Mac is you can use it to lock down a stolen device. So if you login to icloud.com (from another machine) and click on Find my Mac you will see an option to "lock" the stolen Mac. If you click that you will be asked for a four digit PIN. The next time the thief gets on the Internet the stolen machine is going be locked down with that PIN.

So let's say the police find your machine. When you go to use it you will get a screen (below) saying this machine is locked and a prompt for the four digit PIN you entered when you locked the machine. When you enter that PIN, the machine will unlock and you can resume use.

I'm not familiar with iCloud...

Do I have to buy that?

Also, it sounds pretty freaky how Apple can track your Mac...

Sounds worse than what the NSA is up to!!

Does that mean that Apple can track me wherever I go with my cMBP???

This PIN does reside in EFI, but it is not the same as your EFI password. Two different things for two different purposes.

Could I opt-out of the EFI PIN and just use the EFI Password to protect against the DMA attack?

Sincerely,


Debbie

 

[Weaselboy]

So, bootable drives are an "attack vector"?

Not to go off on too much of a tangent, but how exactly would that work?

For instance, if my computer was shut off, what could they do?

And if my computer was running with the screen-saver lock on, what could they do?

I have yet to see any reports of anyone able to hack Filevault2 on the new Macs like yours, but the only real way to even attempt it would be to either remove your SSD and mount it on another computer, or boot your computer to another disk like a USB key and then try to run password cracking programs against your drive. You are very safe with just FV2 alone. Having an EFI PW in place just makes it a bit harder for anyone to even be able to attempt cracking your FV2 PW.

Is that 100% certain?

(Seems too easy...)

Yes. If you Google Lion 10.7.2 DMA access, you will find articles written on this topic at the time.

If that happened, what would be the steps to recover things?

More so, what risk do I have that Apple would get access to my data?

If I was using File Vault 2, and lost my EFI Password, then would I have to cough up my Username, Password, etc to the Apple Techs to get things working again?

(I've always resolved in my mind that once I put data on my laptop, I'll never turn it over to a Tech...)

The only way to unlock the EFI PW if you forget it it to take it to the Apple store. They copy a serial number (hash string) from your machine and email it to Apple HQ. They then make a custom boot image that the tech boots from and that unlocks the EFI.

You would not have to give them your FV2 PW.

What exactly is an EFI Password "locking"?

Is it locking stuff on my cMBP's motherboard/chipset?

Or just on my HDD?

It uses the main firmware chip (EFI) to stop booting from other sources.

Even without a EFI PW, you are perfectly safe with FV2 alone. EFI is just an added layer.

What is a reasonable EFI Password "strategy"?

Do I need to get all fancy with special characters and Pass-Phrases?

Or could it just be a 4-digit number?

Entirely up to you. As with any PW, the more random characters and the longer the better.

I'm not familiar with iCloud...

Do I have to buy that?

You can get a free iCloud account from in the iCloud pane in System Prefs. on your Mac.

Also, it sounds pretty freaky how Apple can track your Mac...

Sounds worse than what the NSA is up to!!

Does that mean that Apple can track me wherever I go with my cMBP???

I doubt Apple cares where you are, but hypothetically if they wanted to they could see where you are. It is a trade off between potential privacy issues and security/theft recovery.

Could I opt-out of the EFI PIN and just use the EFI Password to protect against the DMA attack?

You are still confusing terms. Reread what I said earlier about PIN vs. PW. Even with no EFI PW you are protected against DMA access by the OS.

 

[doubledee]

I have yet to see any reports of anyone able to hack Filevault2 on the new Macs like yours, but the only real way to even attempt it would be to either remove your SSD and mount it on another computer, or boot your computer to another disk like a USB key and then try to run password cracking programs against your drive. You are very safe with just FV2 alone. Having an EFI PW in place just makes it a bit harder for anyone to even be able to attempt cracking your FV2 PW.

That aside, what I was asking is how is using an Extrernal Bootable Drive an "attack vector" in general?

I would guess that someone would plug in, say, a USB drive, re-boot, and then somehow try to use the loaded Op Sys to leverage breaking into the laptop's HDD - whether it be a PC or a Mac.

Yes. If you Google Lion 10.7.2 DMA access, you will find articles written on this topic at the time.

Okay, I'll read up on that today. (BTW, people always use "Lion" when I have "Mountain Lion"?! Am I to assume they are interchangeable in the context of the conversation?)

The only way to unlock the EFI PW if you forget it it to take it to the Apple store. They copy a serial number (hash string) from your machine and email it to Apple HQ. They then make a custom boot image that the tech boots from and that unlocks the EFI.

Any idea what that would cost?

And would they do that forever, or after my warranty is up, would I be screwed?

You would not have to give them your FV2 PW.

So my Data would always be safe, right?

It uses the main firmware chip (EFI) to stop booting from other sources.

Even without a EFI PW, you are perfectly safe with FV2 alone. EFI is just an added layer.

Okay.

Entirely up to you. As with any PW, the more random characters and the longer the better.

What do people you know who use EFI Passwords use?

You can get a free iCloud account from in the iCloud pane in System Prefs. on your Mac.

But I am assuming that is sorta like an AppleID in that I do not have to get one if I don't want one, right?

I doubt Apple cares where you are, but hypothetically if they wanted to they could see where you are. It is a trade off between potential privacy issues and security/theft recovery.

Could be part of the "NSA sweep"...

You are still confusing terms. Reread what I said earlier about PIN vs. PW. Even with no EFI PW you are protected against DMA access by the OS.

You misunderstood my question...

I was asking if I could pass/opt-out of having an iCloud Account, and thus also bypass creating an EFI PIN.

I mean it would seem that you could set up an EFI Password, but not set up the iCloud/EFI PIN thingies...

Right?

Or is it "all or none"??

Sincerely,


Debbie

 

[Weaselboy]

That aside, what I was asking is how is using an Extrernal Bootable Drive an "attack vector" in general?

I would guess that someone would plug in, say, a USB drive, re-boot, and then somehow try to use the loaded Op Sys to leverage breaking into the laptop's HDD - whether it be a PC or a Mac.

Exactly. Like I say, I still have never seen or even heard of anybody able to do this, but why not take the extra step. Also, having EFI PW turned on makes your Macbook pretty much into a boat anchor for a thief since you have prevented them from booting to recovery to wipe the drive and start over.

Okay, I'll read up on that today. (BTW, people always use "Lion" when I have "Mountain Lion"?! Am I to assume they are interchangeable in the context of the conversation?)

The reason you see me using Lion in this context is because the DMA block came in Lion version 10.7.2. So any OS X version above 10.7.2 has the patch, including Mountain Lion you have on your new machine.

Any idea what that would cost?

And would they do that forever, or after my warranty is up, would I be screwed?

I have never had to have it done, so don't know cost. I assume they would charge you either in or out of warranty since it is really not s warranty defect.

So my Data would always be safe, right?

Yep.

What do people you know who use EFI Passwords use?

I always use a complex mix of numbers and letters and try not to use dictionary words.

But I am assuming that is sorta like an AppleID in that I do not have to get one if I don't want one, right?

Exactly. iCloud account is totally optional.

You misunderstood my question...

I was asking if I could pass/opt-out of having an iCloud Account, and thus also bypass creating an EFI PIN.

I mean it would seem that you could set up an EFI Password, but not set up the iCloud/EFI PIN thingies...

Right?

Or is it "all or none"??

You do not need an iCloud account if you don't want to Find my Mac feature.

You are still kind of mixing up PIN vs. PW. Even if you setup iCloud and Find my Mac, you would not have a PIN. You would only ever create a PIN if your machine was stolen and you used remote wipe in Find my Mac to lock down your machine. Then and only then would you choose a PIN to lock it down so you could use the same PIN to unlock it if you got it back from the thief.

EFI PW has nothing to do with the PIN. You can use a EFI PW and have the full protection it offers without iCloud.

 

[doubledee]

Also, having EFI PW turned on makes your Macbook pretty much into a boat anchor for a thief since you have prevented them from booting to recovery to wipe the drive and start over.

Good point.

I always use a complex mix of numbers and letters and try not to use dictionary words.

Good idea, but increases the chance you could forget things.


So, some more questions...

1.) When exactly would you need to use the EFI Password?

Is it just to boot from another drive, like if your system crashes, or would I need it for simpler things like patching and installing software?


2.) If I did have to boot off of, say, a "Recovery USB Drive", would I just get a prompt to enter the EFI Password, and then go along my way like normal, or is there more to it than that?


3.) How is the HDD factored into the "EFI Hash"?

My strategy for this new cMBP - hope I'm remembering the steps right - is to clone the factory HDD onto a new HDD which will go into my cMBP, and then keep the factory HDD as backup and/or if I need to take things in to Apple.

If I did that, and I forgot my EFI Password, could I simply re-install my factory HDD and take it back in to Apple for the EFI recovery??

Doing so would truly keep my Data safe, since they'd never have access to it, and maybe it would allow me to get the EFI Password reset???

Follow me?

Exactly. iCloud account is totally optional.

Good.

You do not need an iCloud account if you don't want to Find my Mac feature.

What would happen if I did NOT set up an iCloud account, my new cMBP was stolen, and then I wanted to leverage that service?

Could I set up an iCloud account on my already stolen cMBP and still benefit from its "Find My Mac" service?

(I know that may be a dumb question?!)

You are still kind of mixing up PIN vs. PW. Even if you setup iCloud and Find my Mac, you would not have a PIN. You would only ever create a PIN if your machine was stolen and you used remote wipe in Find my Mac to lock down your machine. Then and only then would you choose a PIN to lock it down so you could use the same PIN to unlock it if you got it back from the thief.

Oh, okay. I thought you set the EFI PIN up front, and not after-the-fact.

(BTW, you used the term "EFI PIN" above. Now you are just saying "PIN". So I was only following your terminology from earlier...)


So, if iCloud offers this "Find My Mac" service, it seems like it should be able to GPS your unit and not only lock it from the thief, but possibly get coordinates of where it is physically located?! Is that possible??

EFI PW has nothing to do with the PIN. You can use a EFI PW and have the full protection it offers without iCloud.

Okay.

Thanks,


Debbie