
Davoosie2 (macrumors newbie, original poster), Zagreb, Croatia, Dec 31, 2016
Is there a way, either with a third-party utility or a terminal command, to wipe the SSD of my MacBook Pro after two unsuccessful login attempts? Something that will wipe the system drive after a user ID or password is entered incorrectly on two tries?

I have something like this set up on my computer at work, which is a Linux box, so I figured I could make it work with my MBP, but it looks like that option is not available, or at least locked out, on OS X.
 
Not sure if this can be done easily. iOS devices can be configured to behave this way using "Apple Configurator 2" by specifying "Passcode protection" / "Maximum number of failed attempts". Note that this actually does not "wipe" all of the data, but instead simply wipes the decryption + recovery keys.

macOS has the terminal command "pwpolicy". It enables "setaccountpolicies" (see man page). However, the default event triggered by "MaximumFailedAuthentications" is a "lockout period" (rather than erasing decryption + recovery keys). I'd guess that there might be some (undocumented) setting to make accountpolicies behave similarly to iOS.

Maybe someone else on the forum is more knowledgeable about this subject?
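As an added example (not code from this thread, and not Apple's own tooling), here is a shell script that generates the lockout policy described above in the plist form that pwpolicy setaccountpolicies consumes, and applies it only where pwpolicy actually exists. The policy dictionary keys (policyCategoryAuthentication, policyContent, policyAttributeFailedAuthentications, policyAttributeMaximumFailedAuthentications, autoEnableInSeconds) are written as I understand the pwpolicy(8) account-policy format; check them against the man page on your own macOS version before relying on them. The script name lockout_policy.sh and the values 5 and 900 are just chosen for the example.

```shell
#!/bin/sh
# Added example (not from this thread): generate and apply a pwpolicy
# account-lockout policy for macOS. The policy keys below follow the
# account-policy dictionary format as I understand it from pwpolicy(8);
# verify them against the man page on your own macOS version.

# make_lockout_policy MAX_FAILED AUTO_ENABLE_SECONDS
# Print a policy plist that locks the account once MAX_FAILED consecutive
# authentications have failed and re-enables it automatically after
# AUTO_ENABLE_SECONDS. Returns 1 (printing nothing) on invalid parameters.
make_lockout_policy() {
    max_failed="$1"
    auto_enable="$2"
    case "$max_failed" in
        ''|*[!0-9]*) echo "max_failed must be a positive integer" >&2; return 1 ;;
    esac
    case "$auto_enable" in
        ''|*[!0-9]*) echo "auto_enable must be a non-negative integer" >&2; return 1 ;;
    esac
    if [ "$max_failed" -lt 1 ]; then
        echo "max_failed must be at least 1" >&2
        return 1
    fi
    # The comparison operators inside policyContent must be XML-escaped.
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>policyCategoryAuthentication</key>
    <array>
        <dict>
            <key>policyContent</key>
            <string>(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime &gt; (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string>
            <key>policyIdentifier</key>
            <string>Authentication Lockout</string>
            <key>policyParameters</key>
            <dict>
                <key>autoEnableInSeconds</key>
                <integer>$auto_enable</integer>
                <key>policyAttributeMaximumFailedAuthentications</key>
                <integer>$max_failed</integer>
            </dict>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# apply_lockout_policy PLIST_FILE [USERNAME]
# Apply the policy globally, or to one user when USERNAME is given.
# Refuses to run where pwpolicy does not exist (i.e. anything but macOS).
apply_lockout_policy() {
    plist="$1"
    user="$2"
    if ! command -v pwpolicy >/dev/null 2>&1; then
        echo "pwpolicy not found; this only works on macOS" >&2
        return 2
    fi
    if [ -n "$user" ]; then
        sudo pwpolicy -u "$user" setaccountpolicies "$plist"
    else
        sudo pwpolicy setaccountpolicies "$plist"
    fi
}

# Usage: sh lockout_policy.sh 5 900 > lockout.plist
#        apply_lockout_policy lockout.plist          (after sourcing this file)
#        sudo pwpolicy getaccountpolicies            (read back what is in force)
if [ $# -eq 2 ]; then
    make_lockout_policy "$1" "$2"
fi
```

A lockout like this only slows down someone typing guesses at the login window; as later posts in this thread point out, it does nothing for a drive that has been removed and imaged, where password strength is what actually matters.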
 
Thanks Wol. I messed around with it for a few days and I don't think it's an option. Even with a 3rd party utility. I guess I'll stick with the strong password for now.
 
> Is there a way, either with a third-party utility or a terminal command, to wipe the SSD of my MacBook Pro after two unsuccessful login attempts? Something that will wipe the system drive after a user ID or password is entered incorrectly on two tries?
>
> I have something like this set up on my computer at work, which is a Linux box, so I figured I could make it work with my MBP, but it looks like that option is not available, or at least locked out, on OS X.

Similar to the "Erase Data..." option in iOS Touch ID settings? I reckon on a desktop that would be far more of a problem, as u'd be having all your documents stored on a Mac, not on an iOS device. So, naturally u'd also freak out more as well now u've just lost those important photos (particularly after only 3 attempts). U can get a password wrong more than twice... that just leaves 1 left till u can say goodbye to your Mac.

Not everyone backs up all the time, and not everyone uses iCloud (or other services).

> macOS has the terminal command "pwpolicy". It enables "setaccountpolicies" (see man page). However, the default event triggered by "MaximumFailedAuthentications" is a "lockout period" (rather than erasing decryption + recovery keys). I'd guess that there might be some (undocumented) setting to make accountpolicies behave similarly to iOS.

The same lockout period applies to Windows as well.
 
macOS does have this functionality if you use Find My Mac. I am of the opinion that you should not rely on it though.

Macs work a wee different from iPhones when it comes to encryption. iPhones have specific hardware features that support a function like this. They have a secure boot chain, they have effaceable storage to quickly zap a portion of the flash storage and they have dedicated chips that store and manage the encryption keys (Secure Element). Macs have none of this, at least not until Apple released the MacBook Pro laptops with the Touch Bar.

Macs use whole-volume encryption and it is not dependent upon the hardware in any way. An attacker would simply need to take out the drive and attempt to mount it on another computer to completely bypass this protection. On an iPhone this is not as easy.
 
> macOS does have this functionality if you use Find My Mac. I am of the opinion that you should not rely on it though.
>
> Macs work a wee different from iPhones when it comes to encryption. iPhones have specific hardware features that support a function like this. They have a secure boot chain, they have effaceable storage to quickly zap a portion of the flash storage and they have dedicated chips that store and manage the encryption keys (Secure Element). Macs have none of this, at least not until Apple released the MacBook Pro laptops with the Touch Bar.
>
> Macs use whole-volume encryption and it is not dependent upon the hardware in any way. An attacker would simply need to take out the drive and attempt to mount it on another computer to completely bypass this protection. On an iPhone this is not as easy.

"attempt to completely bypass this protection" kinda makes it sound like it's easy to do!

Interesting article on "cracking" FileVault: https://blog.elcomsoft.com/2016/07/mac-os-forensics-attacking-filevault-2/
 
> "attempt to completely bypass this protection" kinda makes it sound like it's easy to do!

Technically it is, if you are assuming that your password is not strong enough, which the OP called attention to. If the password is not strong, i.e. either guessable through available information or brute-forceable, then an attacker will not be impeded by any software-based mechanisms that delete the volume after a few tries, because it is probably irrelevant.

There are other ways to get in. You’ve already pointed out a vulnerability in the iCloud key recovery, but there are others. Sierra 10.12.2 recently closed a vulnerability that allowed an attacker to extract the key directly from memory using a $300 tool, all done in a few seconds (source). This happened, to my knowledge, at least once before. Macs also do not have a Trusted Platform Module that guarantees the integrity of the boot and recovery partition, which means that an attacker could modify them and retrieve your password using a keylogger if they have access to your device.
 