
Let's Sekuhara!

macrumors 6502
Original poster
Jun 30, 2008
日本
I recently was surprised to learn that Target Disk Mode doesn't prompt for a password, even if a password is normally required to log in to that computer.

So after doing some research I've come to realize that in order to fully secure the data on my machine I will need to set an open firmware password.

This page explains the process for setting such a password.
http://support.apple.com/kb/HT1352

But if I do this, is it going to prompt me for the firmware password in addition to an account password every time I start up my computer? Because that would be annoying.

Also, is there anything else I should know before going ahead with this? I find it strange that it's not a setting that can be changed in System Prefs, and even more unusual that (in Leopard at least) it requires booting from the install disc to set the password. Am I understanding this correctly?
 
You can bypass an account password by enabling "Automatic login" in System Preferences > Accounts > Login Options.

Which is a very bad idea, especially since most people have their main account with admin privileges.

Vote NO to Automatic Login! :D
 
Before you go the route of using open firmware password protection, you might want to consider this:

blocks the ability to use the "C" key to start up from a CD-ROM disc.
blocks the ability to use the "N" key to start up from a NetBoot server.
blocks the ability to use the "T" key to start up in Target Disk Mode (on computers that offer this feature).
blocks the ability to start up in Verbose mode by pressing the Command-V key combination during startup.
blocks the ability to start up a system in Single-user mode by depressing the Command-S key combination during startup.
blocks a reset of Parameter RAM (PRAM) by pressing the Command-Option-P-R key combination during startup.
requires the password to use the Startup Manager, accessed by pressing the Option key during startup (Figure 1).
requires the password to enter commands after starting up in Open Firmware, which is done by depressing the Command-Option-O-F key combination during startup.

Well, I thought you might want to know.
 
OK, so I can just use auto-login in conjunction with a firmware pswd and there will be just one pswd to type. Good.

I've booted from a disc using the "C" key maybe once in my life.
I don't know what a NetBoot server is, so I'm sure I won't need the "N" key command.
I don't think I've ever used Verbose mode, nor can I recall what it is.
I've never had to reset the PRAM.
I don't know exactly what the Startup Manager does.


So I won't need to use any of those features. But I will need to use Target Disk Mode. Here's the deciding factor: does it completely forbid the use of those features or does it simply require that you enter the firmware password in order to use them?
 
A firmware password is not going to "fully secure the data" on your machine. The data would remain unencrypted.

To encrypt your data, simply enable FileVault for your home folder.
 
Anyone could unhook the hard drive from your Mac and mount it if they wanted to (assuming you had valuable data on it and it got nicked).

File vault I don't know too much about - it caused slowdowns in previous versions of OSX, and I've never used it myself.
 
Maybe there is a totally different way to accomplish your goal. How much of your data is that sensitive? Maybe you could put it all in a sparseimage. I don't think there is any way to break into a sparse image without the password. I'm sure someone will correct me if I am wrong.
 
Maybe there is a totally different way to accomplish your goal. How much of your data is that sensitive? Maybe you could put it all in a sparseimage. I don't think there is any way to break into a sparse image without the password. I'm sure someone will correct me if I am wrong.

An AES-256 sparse image uses the same encryption that FileVault does, so yes, it's generally just as secure for data inside it. You just have to make sure nothing you consider sensitive is stored outside, e.g. in your library folder (caches, etc). If security is a legitimate issue (HIPAA, legal concerns, etc), FileVault plus the other related security options (secure VM, etc) are the best option.
 
Anyone could unhook the hard drive from your Mac and mount it if they wanted to (assuming you had valuable data on it and it got nicked).

File vault I don't know too much about - it caused slowdowns in previous versions of OSX, and I've never used it myself.

Yeah, if File Vault causes slowdowns it's out of the question. I guess I'm just surprised that it's not easier to protect your data. There's not much point in having a password on your account at all if Target Disk Mode is a back door that any Mac user with a FireWire cable can use to bypass it.

I'm not keeping legally sensitive data or govt secrets or anything. It's just that I like to store my passwords in my web browser. That includes passwords to my email and bank account etc. So if I can secure my OS X user account then I don't have to remember 15 billion passwords in order to protect myself. Hence the Target Disk Mode vulnerability concerns me.

Am I the only one?
 
I keep passwords in a spreadsheet and put them inside a sparseimage. That might work for you as well, OP.
 
Whatever encryption you use, don't forget to keep your private keys safe.

That brings up a good point. Yes, if there is a practical way to keep just my stored passwords safe then I wouldn't need to be as concerned. Any advice on best practices for that?
 
That brings up a good point. Yes, if there is a practical way to keep just my stored passwords safe then I wouldn't need to be as concerned. Any advice on best practices for that?

For my bank password, I have a few small letters about the wall of my room, left to right in random places.

Lot of effort, but no one could even see them unless they knew where to look. And there is like 15 of them!
 
Umm ... Keychain might be what you are looking for.

I use FileVault, while I am sure it adds some overhead, my system is still running fine, and I feel better that if it gets lost/stolen, my passwords/quicken/etc. won't be easy reading for anybody.

There is a balance between security and convenience, and you have to find the balance that makes you happy. MacWorld had a whole security article a few months back, they went into details about all this stuff.
 