zimv20
yesterday, a stranger thought it perfectly cool to plug his iphone into my work macbook when i wasn't looking. in all honesty, i think he is just a clueless twit who wanted a charge, but i was horrified all the same.

i've run a full system scan with ClamXAV, plus used some other tools from Objective-See.

what i would like is to configure my machine so that anything plugged in does not automount, and i would then get a chance to proceed w/ mounting or reject it.

i tried Disk Arbitrator on my home laptop as a test, but it doesn't work correctly:

1. even when enabled and set to Block Mounts, it happily mounted my iphone (indeed, it was the *iphone* that asked to trust the *computer*)
2. though an inserted USB stick did get blocked, it did not mount properly when i used DA to tell it to mount

am i using DA incorrectly? am i incorrectly assuming that a tool that blocks automount of drives shouldn't necessarily do the same for a phone? is there another solution? keep in mind this is for strange devices, so i would not know any IDs ahead of time such that i could use the FS table, per this solution.

my work laptop is on High Sierra (10.13.13).
my home laptop is on El Cap.
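One way to do the fstab ("FS table") approach mentioned above, as an added example that is not from this thread, from Apple, or from any tool named here: a POSIX shell script that turns the text `diskutil info <device>` prints into an `/etc/fstab` line carrying `noauto`, so that one known external volume stops auto-mounting. It assumes the field names macOS uses in `diskutil info` output (`Volume UUID`, `Volume Name`, `Type (Bundle)`, `Protocol`); the sample outputs, labels and UUIDs embedded below are constructed for the demo, not taken from a real machine. As the post notes, this only covers a volume you have already seen once (you need its UUID or label), and it does nothing for an iPhone, which macOS does not expose as a block device.

```shell
#!/bin/sh
# Added example, not from the thread: build an /etc/fstab "noauto" line from
# the text `diskutil info <device>` prints, so one known external volume
# stops auto-mounting. Field names are those macOS uses; the sample
# outputs, labels and UUIDs below are constructed for the demo.

# di_field NAME: print the value of the "   NAME:   value" line read on stdin.
di_field() {
    awk -v key="$1" -F': *' '
        { k = $1; sub(/^[ \t]+/, "", k) }
        k == key { v = $2; sub(/[ \t]+$/, "", v); print v; exit }
    '
}

# fstab_noauto_entry: read `diskutil info` text on stdin, print the fstab line.
# Refuses anything that is not on an external bus, so the internal disk
# cannot be marked noauto by mistake.
fstab_noauto_entry() {
    info=$(cat)
    proto=$(printf '%s\n' "$info" | di_field "Protocol")
    fstype=$(printf '%s\n' "$info" | di_field "Type (Bundle)")
    uuid=$(printf '%s\n' "$info" | di_field "Volume UUID")
    label=$(printf '%s\n' "$info" | di_field "Volume Name")

    case "$proto" in
        USB|Thunderbolt|FireWire) ;;
        *)  echo "refusing: protocol '$proto' is not an external bus" >&2
            return 1 ;;
    esac
    if [ -z "$fstype" ]; then
        echo "refusing: no Type (Bundle) field, cannot fill the fstab type column" >&2
        return 1
    fi

    # fstab matches on UUID= or LABEL=; spaces in a label must be written \040.
    if [ -n "$uuid" ]; then
        printf 'UUID=%s none %s rw,noauto\n' "$uuid" "$fstype"
    elif [ -n "$label" ]; then
        printf 'LABEL=%s none %s rw,noauto\n' \
            "$(printf '%s' "$label" | sed 's/ /\\040/g')" "$fstype"
    else
        echo "refusing: volume has neither a UUID nor a label" >&2
        return 1
    fi
}

# Constructed sample 1: an HFS+ USB stick with a volume UUID (fake value).
SAMPLE_HFS='   Device Identifier:        disk2s2
   Device Node:              /dev/disk2s2
   Volume Name:              Strange Stick
   Mounted:                  No
   File System Personality:  Journaled HFS+
   Type (Bundle):            hfs
   Protocol:                 USB
   Volume UUID:              00000000-1111-2222-3333-444444444444'

# Constructed sample 2: a FAT32 stick. FAT volumes often carry no UUID,
# so the entry has to fall back to the label.
SAMPLE_FAT='   Device Identifier:        disk3s1
   Volume Name:              MY STICK
   Type (Bundle):            msdos
   Protocol:                 USB'

# Constructed sample 3: the internal boot volume, which must be refused.
SAMPLE_INTERNAL='   Device Identifier:        disk1s1
   Volume Name:              Macintosh HD
   Type (Bundle):            apfs
   Protocol:                 PCI-Express
   Volume UUID:              55555555-6666-7777-8888-999999999999'

# Demo run. On a real Mac: diskutil info /dev/diskNsM | fstab_noauto_entry,
# then paste the printed line into /etc/fstab with `sudo vifs`.
for s in "$SAMPLE_HFS" "$SAMPLE_FAT" "$SAMPLE_INTERNAL"; do
    printf '%s\n' "$s" | fstab_noauto_entry || echo "(skipped, as intended)"
done
```

Because `diskutil info` needs the device attached, the UUID or label is only available after the stick has been plugged in once, which is exactly the gap for unknown devices that the post describes; the bus check is there so a careless run against `disk1` cannot leave the boot volume with `noauto`.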
 
Why freak out over an iPhone being connected? They can't transfer data to the Mac outside of iTunes sync or Photos. It's not like arbitrary code could've been run on the computer.

I get wanting to block USB devices from mounting in general though. I haven't been able to find any info on that in any of the man pages I've consulted though
 
is that true? i've been led to believe this is an attack vector.


From a normal flash drive, yes that risk exists. From an iPhone, no. The OS handles the phone differently. - There may be ways of getting around it on jailbroken devices, but I've never heard of it.

With regular flash drives, there are tangible risks to consider.... Hell, there may be issues like what KDE experienced not super long ago, where even just the name of an exFAT flash drive could be a command that would then run.
 
ok, we agree that it's a risk having a laptop in an open environment where someone can wander by and insert a USB drive. so far, Disk Arbitrator is the best free utility i've found. but it doesn't work perfectly and i'd like to know what else is available. if i can also block automount of phones, that's even better.
 
By what? I don't know that this is accurate.
let's separate what's possible from what's likely.

is it likely that the phone from yesterday could install malware on my macbook? no.

is it possible that there exists a phone that could do so? or to put it this way: do i trust apple's engineers enough that they have created something that none of, say, the NSA, FBI, or GRU could defeat? no, i do not trust apple's engineers to that extent.

again, i do not think it's likely, at all, that i faced that yesterday. but i do work in an open environment and everyone here leaves their machines unattended to go to lunch, etc. Since i rarely plug anything into the macbook, vs the massive opportunities that exist for anyone to come by and access a USB port w/o me looking, i think it's a reasonable security measure to disable automount. for everything coming through the USB port, phone or otherwise.
 
i have filevault enabled and don't know much about firmware password. how would it help in this instance?

A firmware password prevents any kind of external drive, USB, or whatever from making changes to your hard drive, password, etc. Remember, FileVault does not protect you if someone gains access to your machine while it's on and you are signed in. You can read about what a firmware password does from Apple in their KB.
 
what i would like is to configure my machine so that anything plugged in does not automount, and i would then get a chance to proceed w/ mounting or reject it.

What do you mean by "automount" in this situation? What did you see happen on the computer? Did iTunes open?

If that is the issue you can prevent that in iTunes>Preferences>Devices. Check the box labeled "Prevent iPods, iPhones, and iPads from syncing automatically".

I have always kept this checked and iTunes does not open when a phone is connected, nor does anything else happen.
 
MDM Profiles can limit drive mounting, or require authentication. Not sure it would prevent the iPhone, but should prevent any external from mounting until approved/authenticated.

The challenge is generating a Profile if you don't have access to Profile Manager built into Server:
[attached screenshot omitted]

...Perhaps it is also possible to change a preference via defaults write?
 
USB, even with auto mount off is vulnerable. USB is vulnerable at the HW/firmware level, not OS.
great point and good read. thanks for the link.

FileVault does not protect you if someone gains access to your machine while it's on and you are signed in.
yep, good point. thanks for the reminder.

What do you mean by "automount" in this situation? What did you see happen on the computer? Did iTunes open?

If that is the issue you can prevent that in iTunes>Preferences>Devices. Check the box labeled "Prevent iPods, iPhones, and iPads from syncing automatically".
didn't know about that option, thanks for pointing it out.

The challenge is generating a Profile if you don't have access to Profile Manager built into Server:
can you elaborate? unsure what you mean here.
 
Well, for those unfamiliar with Profiles, they are easy to use, but to be created, one needs Profile Manager (a feature of macOS Server), or some other third-party tool to create a profile.

But, to the point, profiles have the option to require authentication to mount all external drives...which would remove the risk of anybody plugging an infected anything into a Mac, and have it auto-mount.
 
let's separate what's possible from what's likely.

is it likely that the phone from yesterday could install malware on my macbook? no.

is it possible that there exists a phone that could do so? or to put it this way: do i trust apple's engineers enough that they have created something that none of, say, the NSA, FBI, or GRU could defeat? no, i do not trust apple's engineers to that extent.

again, i do not think it's likely, at all, that i faced that yesterday. but i do work in an open environment and everyone here leaves their machines unattended to go to lunch, etc. Since i rarely plug anything into the macbook, vs the massive opportunities that exist for anyone to come by and access a USB port w/o me looking, i think it's a reasonable security measure to disable automount. for everything coming through the USB port, phone or otherwise.


You're right on here. Regarding phones, at least a non-jailbroken iPhone I would say is not a risk at all, and I'm as much a security looney as anyone. Jailbroken iPhones I don't know about - and other phones - might as well be generic USB devices.

Someone else mentioned a firmware password, and I didn't realise it did any securing when you're already logged in - I thought it was only for booting, but to set one you boot into recovery mode and select the Firmware Password utility from the menu bar. Forgetting it will render the computer entirely useless though, so don't
 