Firmware password not secured?

blackbirdz · Dec 25, 2016

I want to secure my Mac so that even me or our NSA friend would not be able to login without correct password. I thought firmware password is secured, but Apple said:

If you can't remember the password you set using the Firmware Password Utility or Find My Mac, schedule a service appointment with an Apple Retail Store or Apple Authorized Service Provider. Bring your proof of purchase (original receipt or invoice) with you.

It sounds like the procedure is very easy so long you have receipt, Apple service provider could open it. Is there anyway to make MacOS like iOS? If password is forgotten, even Apple won't be able to open it (not sure whether this is true or not, but it's much more secure than providing receipt).

Any feedback?

KALLT · Dec 25, 2016

You want to use FileVault disk encryption, not so much the firmware password.

fisherking · Dec 25, 2016

i always had a firmware protection on my powerbooks, macbooks. but this year, i couldn't get in to recovery on my 2015 macbook pro, and wound up taking it to an apple store, & having them remove the FW password. will not try that again....

psik · Dec 25, 2016

fisherking said:
i always had a firmware protection on my powerbooks, macbooks. but this year, i couldn't get in to recovery on my 2015 macbook pro, and wound up taking it to an apple store, & having them remove the FW password. will not try that again....

this dont make sense

fisherking · Dec 25, 2016

psik said:
this dont make sense

i could not get past the firmware protect window; the cursor would freeze before i could either move to the input window (for my password), or freeze as soon as i typed a letter or 2. and since i couldn't get in, i could not reinstall the OS.

i tried any number of things, finally called apple. they sent me to an applestore, where (armed with my purchase receipt), they kept my MBP for 2 days, and removed the firmware protect.

am sure this is an isolated incident, and i never had a problem previously (i've owned macbooks/powerbooks since the 2400c).

bcave098 · Dec 25, 2016

KALLT said:
You want to use FileVault disk encryption, not so much the firmware password.

+1
Especially considering taking the hard drive and putting it in another computer is an easy workaround for a firmware password.

xraydoc · Dec 26, 2016

bcave098 said:
+1
Especially considering taking the hard drive and putting it in another computer is an easy workaround for a firmware password.

Unless you have one of the new MBPs with non-removable SSDs.

zaxxon72 · Dec 27, 2016

xraydoc said:
Unless you have one of the new MBPs with non-removable SSDs.

And for those, Apple added a connector on the board so they can be accessed from another machine.

xraydoc · Dec 27, 2016

zaxxon72 said:
And for those, Apple added a connector on the board so they can be accessed from another machine.

True. But my understanding is that, at least thus far, the equipment required is entirely proprietary.

Undecided · Dec 27, 2016

blackbirdz said:
I want to secure my Mac so that even me or our NSA friend would not be able to login without correct password.

Hardening your personal computer against the NSA is an unrealistic goal, I believe. Especially since all bets are off once the attacker has physical access. Better to just stop the common thief.

The firmware password will just prevent booting from a different drive, which is what would typically be done to wipe an encrypted internal drive and have a new, clean computer. Filevault, of course, prevents access to your data, so that's essential.

Bottom line: if you want to protect your data, use Filevault. If you want to turn the device into dead weight if it's stolen, use a firmware password (and FileVault). As you know, the firmware password can be reset, so know your serial number and report it as stolen to Apple. That way, it can be intercepted if they bring it to Apple to reset the firmware password. (There are also third party tools, but a common thief won't have them, I don' think.) Frankly, I wish the firwware password and FileVault were required - that might discourage theft once word got out.

chabig · Dec 27, 2016

Undecided said:
Bottom line: if you want to protect your data, use Filevault. If you want to turn the device into dead weight if it's stolen, use a firmware password (and FileVault).

This is exactly right, and very well said.

fisherking · Dec 27, 2016

Undecided said:
Hardening your personal computer against the NSA is an unrealistic goal, I believe. Especially since all bets are off once the attacker has physical access. Better to just stop the common thief.

The firmware password will just prevent booting from a different drive, which is what would typically be done to wipe an encrypted internal drive and have a new, clean computer. Filevault, of course, prevents access to your data, so that's essential.

Bottom line: if you want to protect your data, use Filevault. If you want to turn the device into dead weight if it's stolen, use a firmware password (and FileVault). As you know, the firmware password can be reset, so know your serial number and report it as stolen to Apple. That way, it can be intercepted if they bring it to Apple to reset the firmware password. (There are also third party tools, but a common thief won't have them, I don' think.) Frankly, I wish the firwware password and FileVault were required - that might discourage theft once word got out.

apple will only reset the firmware password if either a: you bought your mac from apple, or b: you bring in proof of purchase (which is what i had to do). so a stolen mac brought to an applestore would never get the FW password reset...

KALLT · Dec 27, 2016

“Undecided said:
Frankly, I wish the firwware password and FileVault were required - that might discourage theft once word got out.

I was hoping that the introduction of the Secure Enclave on the new MacBook Pros would be a step towards this, but it seems that this is not the case. At least Apple has not advertised this so far.

Weaselboy · Dec 28, 2016

fisherking said:
apple will only reset the firmware password if either a: you bought your mac from apple, or b: you bring in proof of purchase (which is what i had to do). so a stolen mac brought to an applestore would never get the FW password reset...

I don't think Apple tracks stolen Macs. At least from what I have read I have not seen any evidence that they track them. Even Apple's support doc here just tells you to report it to the police.

Another flaw in this is there are eBay sellers who will reset the EFI for you. I have been skeptical if this works, but the two I see on there now have a bunch of favorable reviews and I have seen forum posts here from people who successfully used these services.

I notice both the sellers are saying their method no longer works on 2015 and newer models though.

fisherking · Dec 28, 2016

either way, apple itself will not reset a firmware password without proof of purchase...

Search

Search

Firmware password not secured?

blackbirdz

macrumors member

KALLT

macrumors 603

fisherking

macrumors G4

psik

macrumors 6502

fisherking

macrumors G4

bcave098

macrumors 6502a

xraydoc

Contributor

zaxxon72

macrumors member

xraydoc

Contributor

Undecided

macrumors 6502a

chabig

macrumors G4

fisherking

macrumors G4

KALLT

macrumors 603

Weaselboy

Moderator

fisherking

macrumors G4

Our Staff