To understand how a MBP thief operates?

Discussion in 'MacBook Pro' started by metsomaniac, Oct 15, 2012.

  1. metsomaniac macrumors member

    Joined:
    Nov 15, 2011
    #1
    My MBP was stolen the other week, a late 2011 model. I had a firmware password set up and Orbicule Undercover software installed.

    Having researched online, you can't bypass the firmware security settings on the late 2011 model by removing a RAM chip and resetting the PRAM 3 times.

    So it got me wondering how whoever it was who stole my MBP has managed to evade being discovered? Or simply put, make use of somebody else's MBP.

    Would it be as simple as to simply replace the hard drive and then you have yourself a new Mac, or does the firmware password prevent this? Alas, if you did replace the hard drive with a new hard drive with a fully operational OS X system preinstalled, would you be able to operate the computer and log in without having to enter a firmware password?

    I'd appreciate your comments as I'm hoping this will help me & others reading make security considerations on the new MBP I'm about to buy.
     
  2. seong macrumors 65816

    Joined:
    Feb 11, 2010
    #2
    Unless you have a GPS chip installed in your MacBook Pro, I don't think there will be that big of a chance to find and get your MacBook Pro back.
    It's as easy as this (I do this a lot since I buy and sell used MacBooks since it's a lot cheaper):

    1. Buy a used Macbook Air.
    2. Start the machine, and hold 'alt' key for a few sec.
    3. Open up the other partition for recovery (available since 10.7)
    4. Select the HDD at Disk Utility, and erase the data.
    5. Go ahead and install a clean version of Lion/Mountain Lion.
    6. Done!

    Now, I have no clue about firmware password, but I'm assuming it's something similar to firewall password thingy. Anyways, if the thief obtains a Mac laptop, then s/he could have followed these normal steps, and s/he will be able to sell or use a newly stolen laptop as if nothing happened.
    Hope you can find this thief asap. If you have a serial number of your Macbook Pro (from your original box or a receipt) then you can report to Apple as 'stolen.'
     
  3. metsomaniac thread starter macrumors member

    Joined:
    Nov 15, 2011
    #3
    Apple do not record serial numbers of stolen items, too much administrative consequences, which is a shame because it would help the victim feel slightly better about the possibility of the thief going into an Apple store with your laptop and expecting to get help from one of their geniuses to reset the firmware password.

    If Apple are worried about false claims etc, Apple should record serial numbers that have a valid police report!

    Anyhow this is my main topic, I'm wondering about how a thief may go about disabling any notion of security you have on your mbp!
     
  4. SpyderBite macrumors 65816

    Joined:
    Oct 4, 2011
    Location:
    Xanadu
    #4
    You are assuming that the thief stole the computer for their own use. I'll bet that sucker was already packed for international shipping before you even realized it was missing.
     
  5. hallux macrumors 68020

    Joined:
    Apr 25, 2012
    #5
    Not to mention, all the security software in the world won't help if the thief can't get it online to report back.
     
  6. metsomaniac thread starter macrumors member

    Joined:
    Nov 15, 2011
    #6
    I just had a look on my GF's computer, same setup as mine, and tried to reboot from an install disc; it only allowed me the option to restore from a backup or restart.

    So guessing from what you're saying, if the thief can't access the laptop then it can't get access to wifi.

    I did setup a guest account with Internet access which I was hoping they would utilise.

    How about my theory of swapping out the hard drive?
     
  7. Tritons macrumors 6502

    Joined:
    Jul 12, 2011
    #7
    If you had a firmware password then, as far as I know, swapping the HDD would not work. Therefore I guess the only possible way is to change the motherboard.
     
  8. metsomaniac thread starter macrumors member

    Joined:
    Nov 15, 2011
    #8
    What's preventing a thief walking into Apple and asking them to swap out the motherboard or reset the firmware password?
     
  9. boy-better-know macrumors 65816

    Joined:
    Jun 30, 2010
    Location:
    England
    #9
    I am guessing that you haven't set up your mac with Find My iPhone?
    Have you got insurance or have you just got to buy another Mac now?
     
  10. Morrile macrumors member

    Joined:
    Jun 18, 2009
    Location:
    In an Apartment
    #10
    You mentioned that you have Orbicule Undercover; well, they can track the device by its MAC addresses, assuming you registered them all and kept your version of Orbicule Undercover up to date.

    Report it and let them find it; simples!

    Morrile
     
  11. Weaselboy, Oct 15, 2012
    Last edited: Oct 15, 2012

    Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #12
    No it is not. If you notice in that article he is using Snow Leopard. Two things... the hack he listed requires root access and a root password. The thief will not have that. Secondly, the access to EFI he describes was patched in Lion, so will not work on newer machines.

    ----------

    OP has an EFI password enabled, so none of what you just described will work. The EFI password locks the machine so it will only boot from the partition designated in Startup disk. Foreign disks, optical or otherwise, are not going to boot the machine. An EFI password also blocks booting to the Recovery HD partition.

    ----------

    Apple will require proof of ownership, which the thief will not have, so they will not reset the EFI password for him.

    I know this is too late for you now, but what you need to do in addition to the EFI password is enable FileVault 2 (FV2) on your machines. This encrypts the entire drive so a thief cannot access it, and also puts a guest Safari-only screen at the login screen. If you turn on Find My Mac and FV2, the hope is the thief will see they cannot log in to your account but they will select the Safari-only account and get on the Internet with it, thus telling Find My Mac where the machine is.

    If you turn on the EFI password and couple that with FV2, nobody is getting into that machine.

    Swapping the drive will not work. With EFI PW on, that machine is only going to boot from the drive/partition you specified.
     
  12. metsomaniac thread starter macrumors member

    Joined:
    Nov 15, 2011
    #13
    Thanks Weaselboy, that at least confirms a few things for me.
     
  13. metsomaniac thread starter macrumors member

    Joined:
    Nov 15, 2011
    #14
    I didn't realise that!

    How easy is it to crack my account password?

    Does it lock out after several failed attempts?

    The last time I used my mac, I closed the lid, which requires a password to use the machine.

    If they were to reboot the mac, they have two accounts to log into, mine and a guest account, which has access to the Internet etc.

    Orbicule undercover hasn't picked anything up since it was stolen, so I'm wondering if the thieves are just laying low until the heat so to speak cools off?
     
  14. talmy macrumors 601

    Joined:
    Oct 26, 2009
    Location:
    Oregon
    #15
    Could be stolen by a computer "chop shop". They will tear it apart and sell the parts separately.
     
  15. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #16
    Since you enabled EFI protection, they won't be able to "crack" it. Their only hope would be to guess correctly.

    Nope.
     
  16. metsomaniac thread starter macrumors member

    Joined:
    Nov 15, 2011
    #17
    Hate to think of my laptop being cut up!!
     
  17. Mojo1, Oct 15, 2012
    Last edited: Oct 15, 2012

    Mojo1 macrumors 65816

    Joined:
    Jul 26, 2011
    #18
    Undercover can track your stolen MBP only if it is booted up and connects to the Internet. Did you immediately notify Undercover that the MBP had been stolen? I think that your firmware password has probably stymied the thief and he hasn't tried using the guest account. I wouldn't be surprised if he trashed your MBP after he discovered that he couldn't access the drive.

    In hindsight I suppose making the guest account your default account with automatic login enabled would have been the way to go... The first time he booted up your MBP it would have connected to the Internet.

    I decided to not use a firmware password so a thief will have no problem starting up my Macs. Sensitive data on the computers is encrypted using GoSecure. All my account, login and credit card info for online purchases is safely encrypted in 1Password. I want the thief to be able to use my Macs so there is a better chance they will connect to the Internet after being stolen.

    While I think that tracking software is a good idea more crooks know about it, so its value isn't as high as it was a few years ago.

    I added Orbicule's Witness to my Macs and I consider it to be my first line of defense. If Witness detects an intruder it immediately sends an alert to my iPhone. It also begins snapping images of the person using the Mac and sends them to your iPhone. Witness makes it possible to interrupt a burglary in progress and it also makes it easier to ID the thief. Since you are immediately notified that the MBP is being stolen you can also notify Undercover ASAP before the thief accesses the Mac and wipes the internal drive.
     
  18. metsomaniac thread starter macrumors member

    Joined:
    Nov 15, 2011
    #19
    Well I thought I did. The moment it happened, I did a search for undercover login on my iPhone, logged onto the Orbicule website that appeared top of the list, my laptop details were on the page so I reported it stolen.
    I bookmarked the page and have been looking ever since; however, today I had my iPad to hand, so did the same thing, searched for the Orbicule Undercover website, but this time I was pointed to undercoverhq, another Orbicule site, logged on and found my laptop listed but NOT reported stolen! Alas I reported it stolen.

    I contacted Orbicule about this and they informed me undercover.com is for Undercover ver4, and undercoverhq.com is for ver5.

    I wish I knew this last week when it happened, as I've given the thief a week to become acquainted with my MBP!
     
  19. whiteonline macrumors 6502

    Joined:
    Aug 19, 2011
    Location:
    California, USA
    #20
    Um no.
    Orbicule does a call to home when it is on the Network. MAC addresses do not traverse across networks (home network -> Internet -> Orbicule servers).
     
  20. metsomaniac thread starter macrumors member

    Joined:
    Nov 15, 2011
    #21
    I like the idea of this: create a dummy default account and a secondary main account.

    Does anyone see any administrative problems that setting up your Mac like this will present further down the line, when it's a real headache to do anything about it?
     
  21. Mojo1 macrumors 65816

    Joined:
    Jul 26, 2011
    #22
    When I enter www.undercover.com in Safari's URL window the left-hand website appears.

    When I click the login link at Orbicule.com it takes me to undercoverhq.com.

    So I am confused how you wound up at undercover.com and were able to do anything on the website...
     

  22. metsomaniac thread starter macrumors member

    Joined:
    Nov 15, 2011
    #23
    When I searched on my iPhone I typed in undercover login and got the following page
    ImageUploadedByTapatalk1350336419.035900.jpg
    I clicked on the first link and got nothing so clicked on the 2nd link that got the following page
    ImageUploadedByTapatalk1350336477.188383.jpg
    I recognised this page so logged on.

    On my iPad I simply searched for undercover which resulted with the following results
    ImageUploadedByTapatalk1350336686.857182.jpg
    I clicked on the 2nd link which took me to
    ImageUploadedByTapatalk1350336720.055452.jpg
    I clicked the undercover icon and went to
    ImageUploadedByTapatalk1350336756.735242.jpg
    Whereupon I clicked the login button to log in to undercoverhq. I would upload the image but only allowed 5 images!
     
  23. jmeadlock macrumors newbie

    Joined:
    Jul 2, 2012
    #24
    I didn't know that; thanks!
     
  24. Orbicule macrumors newbie

    Joined:
    Oct 22, 2009
    #25
    Undercover developer

    Hi, I'm Peter from Orbicule, we develop Undercover.

    We have never used the Undercover.com domain. It is true, however, that Undercover 4 and Undercover 5 have different web apps to manage the Macs. This has to do with the new features in Undercover 5 that could not be fitted in the legacy admin UI.

    Undercover 4 --> undercovercenter.com
    Undercover 5 --> undercoverhq.com

    However, upon installing Undercover 5, Macs are automatically added to Undercoverhq.com and our customers will need to set their password in the new web app, so they will be at least exposed once to the new admin UI. We hope this clears things up, and we apologise for any confusion this has caused.

    More information about Undercover 5 and the new admin UI is available at:
    http://www.youtube.com/watch?feature=player_embedded&v=K9Qg7jHQElc
    and
    http://www.orbicule.com/undercover/mac
     
