
metsomaniac

macrumors member
Original poster
Nov 15, 2011
My MBP was stolen the other week, a late 2011 model. I had a firmware password set up and Orbicule Undercover software installed.

Having researched online, you can't bypass the firmware security settings on the late 2011 model by removing a RAM chip and resetting the PRAM 3 times.

So it got me wondering how whoever it was who stole my MBP has managed to evade being discovered? Or simply put, make use of somebody else's MBP.

Would it be as simple as to simply replace the hard drive and then you have yourself a new Mac, or does the firmware password prevent this? Alas, if you did replace the hard drive with a new hard drive with a fully operational OS X system preinstalled, would you be able to operate the computer and log in without having to enter a firmware password?

I'd appreciate your comments as I'm hoping this will help me & others reading make security considerations on the new MBP I'm about to buy.
 
Unless you have a GPS chip installed in your Macbook Pro, I don't think there will be that big of a chance to find and get your Macbook Pro back.
It's as easy as this (I do this a lot since I buy and sell used Macbooks since it's a lot cheaper);

1. Buy a used Macbook Air.
2. Start the machine, and hold 'alt' key for a few sec.
3. Open up the other partition for recovery (available since 10.7)
4. Select the HDD at Disk Utility, and erase the data.
5. Go ahead and install a clean version of Lion/Mountain Lion.
6. Done!

Now, I have no clue about firmware password, but I'm assuming it's something similar to firewall password thingy. Anyways, if the thief obtains a Mac laptop, then s/he could have followed these normal steps, and s/he will be able to sell or use a newly stolen laptop as if nothing happened.
Hope you can find this thief asap. If you have a serial number of your Macbook Pro (from your original box or a receipt) then you can report to Apple as 'stolen.'
 
Apple do not record serial numbers of stolen items, too much administrative consequences, which is a shame because it would help the victim feel slightly better about the possibility of the thief going into an Apple Store with your laptop and expecting to get help from one of their geniuses to reset the firmware password.

If Apple are worried about false claims etc, Apple should record serial numbers that have a valid police report!

Anyhow this is my main topic, I'm wondering about how a thief may go about disabling any notion of security you have on your mbp!
 
You are assuming that the thief stole the computer for their own use. I'll bet that sucker was already packed for international shipping before you even realized it was missing.
 
Not to mention, all the security software in the world won't help if the thief can't get it online to report back.
 
I just had a look on my GF's computer, same setup as mine, and tried to reboot from an install disc; it only allowed me the option to restore from a backup or restart.

So guessing from what you're saying, if the thief can't access the laptop then it can't get access to wifi.

I did set up a guest account with Internet access which I was hoping they would utilise.

How about my theory of swapping out the hard drive?
 
What's preventing a thief walking into Apple and asking them to swap out the motherboard or resetting the firmware password?
 
I am guessing that you haven't set up your mac with Find My iPhone?
Have you got insurance or have you just got to buy another Mac now?
 
You mentioned that you have Orbicule Undercover, well they can track the device by its MAC addresses; assuming you registered them all and kept your version of Orbicule Undercover up to date.

Report it and let them find it; simples!

Morrile
 
Looks like it's fairly easy to defeat the firmware password.

http://paulmakowski.blogspot.com/2009/03/apple-efi-firmware-passwords.html

No it is not. If you notice in that article he is using Snow Leopard. Two things... the hack he listed requires root access and a root password. The thief will not have that. Secondly, the access to EFI he describes was patched in Lion, so will not work on newer machines.

----------

Unless you have a GPS chip installed in your Macbook Pro, I don't think there will be that big of a chance to find and get your Macbook Pro back.
It's as easy as this (I do this a lot since I buy and sell used Macbooks since it's a lot cheaper);

1. Buy a used Macbook Air.
2. Start the machine, and hold 'alt' key for a few sec.
3. Open up the other partition for recovery (available since 10.7)
4. Select the HDD at Disk Utility, and erase the data.
5. Go ahead and install a clean version of Lion/Mountain Lion.
6. Done!

Now, I have no clue about firmware password, but I'm assuming it's something similar to firewall password thingy. Anyways, if the thief obtains a Mac laptop, then s/he could have followed these normal steps, and s/he will be able to sell or use a newly stolen laptop as if nothing happened.
Hope you can find this thief asap. If you have a serial number of your Macbook Pro (from your original box or a receipt) then you can report to Apple as 'stolen.'

OP has an EFI password enabled, so none of what you just described will work. The EFI password locks the machine so it will only boot from the partition designated in Startup disk. Foreign disks, optical or otherwise, are not going to boot the machine. An EFI password also blocks booting to the Recovery HD partition.

----------

What's preventing a thief walking into Apple and asking them to swap out the motherboard or resetting the firmware password?

Apple will require proof of ownership, which the thief will not have, so they will not reset the EFI password for him.

I just had a look on my GF's computer, same setup as mine, and tried to reboot from an install disc; it only allowed me the option to restore from a backup or restart.

So guessing from what you're saying, if the thief can't access the laptop then it can't get access to wifi.

I did set up a guest account with Internet access which I was hoping they would utilise.

How about my theory of swapping out the hard drive?

I know this is too late for you now, but what you need to do in addition to EFI password is enable FileVault 2 (FV2) on your machines. This encrypts the entire drive so a thief cannot access it, and also puts a guest Safari-only screen at the login screen. If you turn on Find My Mac and FV2, the hope is the thief will see they cannot log in to your account but they will select the Safari-only account and get on the Internet with it, thus telling Find My Mac where the machine is.

If you turn on the EFI password and couple that with FV2, nobody is getting into that machine.

Swapping the drive will not work. With EFI PW on, that machine is only going to boot from the drive/partition you specified.
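
The layered setup recommended in the reply above (EFI password plus FileVault 2) can be checked from Terminal. This is an added example, not part of the original thread: the function names `fv_state`, `fw_state` and `posture` are hypothetical, and it assumes an Intel Mac whose OS ships the `fdesetup` and `firmwarepasswd` tools.

```shell
#!/usr/bin/env bash
# Added example: classify a Mac's theft posture from the output of two macOS tools.
# The parsers take plain text, so they can be exercised on any machine.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
fv_state() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# `firmwarepasswd -check` prints "Password Enabled: Yes" or "Password Enabled: No"
fw_state() {
  case "$1" in
    *"Password Enabled: Yes"*) echo on ;;
    *"Password Enabled: No"*)  echo off ;;
    *)                         echo unknown ;;
  esac
}

# Map the two states onto the cases discussed in the thread.
posture() {
  fv=$(fv_state "$1")
  fw=$(fw_state "$2")
  case "$fv/$fw" in
    on/on)   echo "disk encrypted, boot device locked" ;;
    on/off)  echo "disk encrypted, but machine can be booted from other media and erased" ;;
    off/on)  echo "boot device locked, but data readable if the drive is removed" ;;
    off/off) echo "no protection: erase-and-reinstall works, data readable" ;;
    *)       echo "undetermined ($fv/$fw)" ;;
  esac
}

# On a Mac that has both tools, report the live state (firmwarepasswd needs root;
# without it the result is "undetermined"). Elsewhere this step is skipped.
if command -v fdesetup >/dev/null 2>&1 && command -v firmwarepasswd >/dev/null 2>&1; then
  posture "$(fdesetup status 2>&1)" "$(firmwarepasswd -check 2>&1)"
fi
```
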
 
they can track the device by its MAC addresses
Morrile
I didn't realise that!

How easy is it to crack my account password?

Does it lock out after several failed attempts?

The last time I used my Mac, I closed the lid, which requires a password to use the machine.

If they were to reboot the Mac, they have two accounts to log into, mine and a guest account, which has access to the Internet etc.

Orbicule Undercover hasn't picked anything up since it was stolen, so I'm wondering if the thieves are just laying low until the heat, so to speak, cools off?
 
Could be stolen by a computer "chop shop". They will tear it apart and sell the parts separately.
 
Undercover can track your stolen MBP only if it is booted up and connects to the Internet. Did you immediately notify Undercover that the MBP had been stolen? I think that your firmware password has probably stymied the thief and he hasn't tried using the guest account. I wouldn't be surprised if he trashed your MBP after he discovered that he couldn't access the drive.

In hindsight I suppose making the guest account your default account with automatic login enabled would have been the way to go... The first time he booted up your MBP it would have connected to the Internet.

I decided to not use a firmware password so a thief will have no problem starting up my Macs. Sensitive data on the computers is encrypted using GoSecure. All my account, login and credit card info for online purchases is safely encrypted in 1Password. I want the thief to be able to use my Macs so there is a better chance they will connect to the Internet after being stolen.

While I think that tracking software is a good idea, more crooks know about it, so its value isn't as high as it was a few years ago.

I added Orbicule's Witness to my Macs and I consider it to be my first line of defense. If Witness detects an intruder it immediately sends an alert to my iPhone. It also begins snapping images of the person using the Mac and sends them to your iPhone. Witness makes it possible to interrupt a burglary in progress and it also makes it easier to ID the thief. Since you are immediately notified that the MBP is being stolen you can also notify Undercover ASAP before the thief accesses the Mac and wipes the internal drive.
 
Did you immediately notify Undercover that the MBP had been stolen?

Well I thought I did, the moment it happened, I did a search for undercover login on my iPhone, logged onto the Orbicule website that appeared top of the list, my laptop details were on the page so I reported it stolen.
I bookmarked the page and have been looking ever since, however today I had my iPad to hand, so did the same thing, searched for the Orbicule Undercover website but this time I was pointed to undercoverhq, another Orbicule site, logged on and found my laptop listed but NOT reported stolen! Alas, I reported it stolen.

I contacted Orbicule about this and they informed me undercover.com is for Undercover ver4, and undercoverhq.com is for ver5.

I wish I knew this last week when it happened as I've given the thief a week to become acquainted with my MBP!
 
You mentioned that you have Orbicule Undercover, well they can track the device by its MAC addresses; assuming you registered them all and kept your version of Orbicule Undercover up to date.

Report it and let them find it; simples!

Morrile

Um no.
Orbicule does a call to home when it is on the Network. MAC addresses do not traverse across networks (home network -> Internet -> Orbicule servers).
 
In hindsight I suppose making the guest account your default account with automatic login enabled would have been the way to go... The first time he booted up your MBP it would have connected to the Internet.
I like the idea of this: create a dummy default account and a secondary main account.

Does anyone see any administrative problems that setting up your Mac like this will present further down the line when it's a real headache to do anything about it?
 
Well I thought I did, the moment it happened, I did a search for undercover login on my iPhone, logged onto the Orbicule website that appeared top of the list, my laptop details were on the page so I reported it stolen.
I bookmarked the page and have been looking ever since, however today I had my iPad to hand, so did the same thing, searched for the Orbicule Undercover website but this time I was pointed to undercoverhq, another Orbicule site, logged on and found my laptop listed but NOT reported stolen! Alas, I reported it stolen.

I contacted Orbicule about this and they informed me undercover.com is for Undercover ver4, and undercoverhq.com is for ver5.

I wish I knew this last week when it happened as I've given the thief a week to become acquainted with my MBP!

When I enter www.undercover.com in Safari's URL window the left-hand website appears.

When I click the login link at Orbicule.com it takes me to undercoverhq.com.

So I am confused how you wound up at undercover.com and were able to do anything on the website...
 

Attachments

  • http---undercover.com-.png
  • Undercover HQ.png
When I searched on my iPhone I typed in undercover login and got the following page
ImageUploadedByTapatalk1350336419.035900.jpg
I clicked on the first link and got nothing so clicked on the 2nd link that got the following page
ImageUploadedByTapatalk1350336477.188383.jpg
I recognised this page so logged on.

On my iPad I simply searched for undercover which resulted with the following results
ImageUploadedByTapatalk1350336686.857182.jpg
I clicked on the 2nd link which took me to
ImageUploadedByTapatalk1350336720.055452.jpg
I clicked the undercover icon and went to
ImageUploadedByTapatalk1350336756.735242.jpg
Whereupon I clicked the login button to log in to undercoverhq. I would upload the image but I'm only allowed 5 images!
 
No it is not. If you notice in that article he is using Snow Leopard. Two things... the hack he listed requires root access and a root password. The thief will not have that. Secondly, the access to EFI he describes was patched in Lion, so will not work on newer machines.

I didn't know that; thanks!
 
Undercover developer

Hi, I'm Peter from Orbicule, we develop Undercover.

We have never used the Undercover.com domain. It is true, however, that Undercover 4 and Undercover 5 have different web apps to manage the Macs. This has to do with the new features in Undercover 5 that could not be fitted in the legacy admin UI.

Undercover 4 --> undercovercenter.com
Undercover 5 --> undercoverhq.com

However, upon installing Undercover 5, Macs are automatically added to Undercoverhq.com and our customers will need to set their password in the new web app, so they will be at least exposed once to the new admin UI. We hope this clears things up, and we apologise for any confusion this has caused.

More information about Undercover 5 and the new admin UI is available at:
http://www.youtube.com/watch?feature=player_embedded&v=K9Qg7jHQElc
and
http://www.orbicule.com/undercover/mac
 