is there a way to prevent OSX from automounting an iphone?

zimv20 · Feb 27, 2018

yesterday, a stranger thought it perfectly cool to plug his iphone into my work macbook when i wasn't looking. in all honesty, i think he is just a clueless twit who wanted a charge, but i was horrified all the same.

i've run a full system scan with ClamXAV, plus used some other tools from Objective-See.

what i would like is to configure my machine so that anything plugged in does not automount, and i would then get a chance to proceed w/ mounting or reject it.

i tried Disk Arbitrator on my home laptop as a test, but it doesn't work correctly:

1. even when enabled and set to Block Mounts, it happily mounted my iphone (indeed, it was the *iphone* that asked to trust the *computer*)
2. though an inserted USB stick did get blocked, it did not mount properly when i used DA to tell it to mount

am i using DA incorrectly? am i incorrectly assuming that a tool that blocks automount of drives shouldn't necessarily do the same for a phone? is there another solution? keep in mind this is for strange devices, so i would not know any IDs ahead of time such that i could use the FS table, per this solution.

my work laptop is on High Sierra (10.13.13).
my home laptop is on El Cap.

casperes1996 · Feb 27, 2018

Why freak out over an iPhone being connected? They can't transfer data to the Mac outside of iTunes sync or Photos. It's not like arbitrary code could've been run on the computer.

I get wanting to block USB devices from mounting in general though. I haven't been able to find any info on that in any of the man pages I've consulted though

zimv20 · Feb 27, 2018

casperes1996 said:
It's not like arbitrary code could've been run on the computer.

is that true? i've been lead to believe this is an attack vector.

casperes1996 · Feb 27, 2018

zimv20 said:
is that true? i've been lead to believe this is an attack vector.

From a normal flash drive, yes that risk exists. From an iPhone, no. The OS handles the phone differently. - There may be ways of getting around it on jailbroken devices, but I've never heard of it.

With regular flash drives, there are tangible risks to consider.... Hell, there may be issues like what KDE experienced not super long ago, where even just the name of an exFAT flash drive could be a command that would then run.

zimv20 · Feb 27, 2018

ok, we agree that it's a risk having a laptop in an open environment where someone can wander by and insert a USB drive. so far, Disk Arbitrator is the best free utility i've found. but it doesn't work perfectly and i'd like to know what else is available. if i can also block automount of phones, that's even better.

chscag · Feb 27, 2018

Install a firmware password on your MacBook. However, make sure you don't forget it.

zimv20 · Feb 27, 2018

chscag said:
Install a firmware password on your MacBook. However, make sure you don't forget it.

i have filevault enabled and don't know much about firmware password. how would it help in this instance?

Mr_Brightside_@ · Feb 27, 2018

zimv20 said:
is that true? i've been lead to believe this is an attack vector.

By what? I don't know that this is accurate.

zimv20 · Feb 27, 2018

Mr_Brightside_@ said:
By what? I don't know that this is accurate.

let's separate what's possible from what's likely.

is it likely that the phone from yesterday could install malware on my macbook? no.

is it possible that there exists a phone that could do so? or to put it this way: do i trust apple's engineers enough that they have created something that none of, say, the NSA, FBI, or GRU could defeat? no, i do not trust apple's engineers to that extent.

again, i do not think it's likely, at all, that i faced that yesterday. but i do work in an open environment and everyone here leaves their machines unattended to go to lunch, etc. Since i rarely plug anything into the macbook, vs the massive opportunities that exist for anyone to come by and access a USB port w/o me looking, i think it's a reasonable security measure to disable automount. for everything coming through the USB port, phone or otherwise.

NoBoMac · Feb 27, 2018

Understand the concerns, but, USB, even with auto mount off is vulnerable. USB is vulnerable at the HW/firmware level, not OS.

https://arstechnica.com/information...uters-badusb-exploit-makes-devices-turn-evil/

In a different article, I recall author stating short of putting glue into your USB ports or disabling in some other way, there is no securing USB.

chscag · Feb 27, 2018

zimv20 said:
i have filevault enabled and don't know much about firmware password. how would it help in this instance?

A firmware password prevents any kind of external drive, USB, or whatever from making changes to your hard drive, password, etc. Remember, FileVault does not protect you if someone gains access to your machine while it's on and you are signed in. You can read about what a firmware password does from Apple in their KB.

Mike Boreham · Feb 27, 2018

zimv20 said:
what i would like is to configure my machine so that anything plugged in does not automount, and i would then get a chance to proceed w/ mounting or reject it.

What do you mean by "automount" in this situation? What did you see happen on the computer? Did iTunes open?

If that is the issue you can prevent that in iTunes>Preferences>Devices. Check the box labeled "Prevent iPods, iPhones, and iPads from syncing automatically".

I have always kept this checked and iTunes does not open when a phone is connected, not does anything else happen.

hobowankenobi · Feb 27, 2018

MDM Profiles can limit drive mounting, or require authentication. Not sure it would prevent the iPhone, but should prevent any external from mounting until approved/authenticated.

The challenge is generating a Profile if you don't have access to Profile Manager built into Server:

Screen Shot 2018-02-27 at 3.32.18 PM.png

....

...Perhaps it is also possible to change a preference via defaults write?

zimv20 · Feb 27, 2018

NoBoMac said:
USB, even with auto mount off is vulnerable. USB is vulnerable at the HW/firmware level, not OS.

great point and good read. thanks for the link.
[doublepost=1519786886][/doublepost]

chscag said:
FileVault does not protect you if someone gains access to your machine while it's on and you are signed in.

yep, good point. thanks for the reminder.
[doublepost=1519786940][/doublepost]

Mike Boreham said:
What do you mean by "automount" in this situation? What did you see happen on the computer? Did iTunes open?

If that is the issue you can prevent that in iTunes>Preferences>Devices. Check the box labeled "Prevent iPods, iPhones, and iPads from syncing automatically".

didn't know about that option, thanks for pointing it out.
[doublepost=1519787040][/doublepost]

hobowankenobi said:
The challenge is generating a Profile if you don't have access to Profile Manager built into Server:

can you elaborate? unsure what you mean here.

hobowankenobi · Feb 28, 2018

Well, for those unfamiliar with Profiles, they are easy to use, but to be created, one needs Profile Manager (a feature of MacOS Server), or some other third party tool create a profile.

But, to the point, profiles have the option to require authentication to mount all external drives...which would remove the risk of anybody plugging an infected anything into a Mac, and have it auto-mount.

casperes1996 · Mar 1, 2018

zimv20 said:
let's separate what's possible from what's likely.

is it likely that the phone from yesterday could install malware on my macbook? no.

is it possible that there exists a phone that could do so? or to put it this way: do i trust apple's engineers enough that they have created something that none of, say, the NSA, FBI, or GRU could defeat? no, i do not trust apple's engineers to that extent.

again, i do not think it's likely, at all, that i faced that yesterday. but i do work in an open environment and everyone here leaves their machines unattended to go to lunch, etc. Since i rarely plug anything into the macbook, vs the massive opportunities that exist for anyone to come by and access a USB port w/o me looking, i think it's a reasonable security measure to disable automount. for everything coming through the USB port, phone or otherwise.

You're right on here. Regarding phones, at least a non-jailbroken iPhone I would say is not a risk at all, and I'm as much a security looney as anyone. Jailbroken iPhones I don't know about - and other phones - might as well be generic USB devices.

Someone else mentioned a firmware password, and I didn't realise it did any securing when you're already logged in - I thought it was only for booting, but to set one you boot into recovery mode and select the Firmware Password utility from the menu bar. Forgetting it will render the computer entirely useless though, so don't

Search

Search

is there a way to prevent OSX from automounting an iphone?

zimv20

macrumors 601

casperes1996

macrumors 604

zimv20

macrumors 601

casperes1996

macrumors 604

zimv20

macrumors 601

chscag

macrumors 601

zimv20

macrumors 601

Mr_Brightside_@

macrumors 68040

zimv20

macrumors 601

NoBoMac

Moderator

chscag

macrumors 601

Mike Boreham

macrumors 68040

hobowankenobi

macrumors 68020

zimv20

macrumors 601

hobowankenobi

macrumors 68020

casperes1996

macrumors 604

Our Staff