What can a thief do with my reasonably locked down Mac
January 1, 2016 7:41 PM

My MacBook Pro was stolen last night. The disk was encrypted with FileVault and the login passwords were non-trivial (good enough for petty thieves though probably not hackers skilled in the art). I told iCloud to lock it down and erase it on first contact. Will the thief and his friends be able to do anything with this machine, or is it just a paperweight at this point?

I was out for New Year's Eve and my home was robbed. They took two laptops and nothing else. They were clearly in a hurry and were presumably just looking for something easy to turn over for drug or rent money.

When I discovered the theft I logged into Find My iPhone. The MacBook Pro could not be located (not surprising). I set it to notify me when it's located and also to erase and lock down the device. I understand all of this will only happen when the computer connects to the Net. It will probably only connect to the Net when it is near wifi spots it knows (my neighborhood) or when someone logs in and connects it to a new hotspot. Which means it probably won't ever connect to the Net.

The second laptop was not secured. I gave it the same iCloud treatment and this morning got notified that it had been found and erased. iCloud did not show a location for it. I believe that by erasing it you lose the ability to locate the device, though from a technical standpoint I don't know why that would be the case.

So, to reiterate my questions: will anyone short of the NSA or Anonymous be able to access the contents of or even erase and reformat the locked down laptop? What will the thieves do with it? How about the one that wasn't encrypted but has since phoned home to iCloud and gotten the message to erase and lock up?

Also, for the locked down laptop, should I rescind the erase command to increase the chance of it being physically located?

BTW, I'm backed up and insured, so this is hassle but not a tragic loss.
posted by alms to Computers & Internet (15 answers total) 11 users marked this as a favorite
When you have access to the physical machine, it's trivial to change the root password. With that, you can access, I believe, any other account, and with that, any saved user/password creds. in a user's keychain. Maybe you could even disable the remote wipe? Certainly someone with half a brain (this could not exactly describe your thieves) could simply turn off any services that deal with location or networking as they do their thing.

At minimum, I would change passwords for email, social networks, and most especially online banking/credit cards/loans/insurance, etc. I would be watching my credit card statements like a hawk to make sure no one is purchasing things using Amazon one-click or something like that - again, Keychain would be this amazing trail to see just what you were up to.

I'd certainly be on the side of, "incredibly paranoid". Personally. I know what *I* could do with access to someone's laptop, for sure. *Shivers*. Even just seeing your calendar or other contacts - it's information you could use to figure out your daily schedule.
posted by alex_skazat at 8:08 PM on January 1, 2016 [2 favorites]

The cops told me when mine was stolen that it was almost certainly broken up and sold for parts. I guess that's a mixed blessing. I changed passwords and everything anyway, though.
posted by wintersweet at 8:23 PM on January 1, 2016 [2 favorites]

Not an expert, but for the Filevaulted macbook I believe unless you've set a separate firmware password, they'll be able to boot into the recovery console and do a fresh reinstall of OS X over the drive. They shouldn't be able to access your encrypted data, however.

> When you have access to the physical machine, it's trivial to change the root password. With that, you can access, I believe, any other account, and with that, any saved user/password creds. in a user's keychain.

I don't believe they'll be able to access the filevault account. Apparently the resetpassword utility in the recovery console will not see your boot drive as a valid source for a system account in which to change the password until you unlock the volume. I recommend changing all banking and email account passwords for peace of mind, but I don't think the data on that volume will be able to be decrypted.
posted by bluecore at 8:24 PM on January 1, 2016 [3 favorites]

Bluecore, from your link, "When you use Find My Mac to lock your Mac, it also prevents your Mac from starting up by setting a firmware-based password. As soon as it receives the lock instruction from iCloud, your Mac displays a lock screen that has four to six blank fields." But maybe that doesn't cover the case where they boot into recovery mode before ever connecting to the Net.

Alex_Skazat, I'm pretty sure you're wrong about it being trivially easy to access the contents of a disk encrypted with FileVault2. The whole point of it is to prevent access even when someone has physical possession of the device. See for example this discussion. If I'm mistaken, I'd really like to know and would appreciate a pointer to more info on the topic.
posted by alms at 8:42 PM on January 1, 2016 [1 favorite]

If you encrypted the disk with FileVault 2, such that you must enter a password (on a screen that looks like one pictured here), this is known as full-disk encryption. You can't bypass the login prompt because there's nothing for the bootloader to read unless you enter the password to unlock the decryption key. FileVault 2 functions like Windows' BitLocker: the secure bootloader asks you for the key that protects the decryption key. Once the decryption key is accessible, the secure bootloader passes control to the regular bootloader and the machine boots as normal. Assuming your machine was off or hibernated—such that the thief would need to go through the initial boot again—you should be fine.

If you used only FileVault (called Legacy FileVault) to encrypt your home directory, you may be at further risk if someone gains access to the OS portion of your disk and is able to compromise your account and directory access key.

In any case, the disk can be wiped and reloaded, so the machine will be usable (at least until iCloud sees the serial number, based on what little I know about that process) but the data will be inaccessible.

(All of these words assume your garden variety thief or even moderately proficient hacker. If you're being targeted by a Nation State or an Active, Persistent Threat actor, you're likely hosed and should investigate non-extradition countries. ;) I kid. Mostly.)
posted by fireoyster at 9:02 PM on January 1, 2016 [2 favorites]

> When you have access to the physical machine, it's trivial to change the root password.

This is wrong for encrypted drives. It's definitely not trivial.
posted by l_zzie at 10:30 PM on January 1, 2016 [4 favorites]

> With [root], you can access, I believe, any other account, and with that, any saved user/password creds. in a user's keychain.

This is not accurate. A keychain's password is not necessarily the same as the password on the user's account. While the two are created with the same password, and even perhaps if you change your password using the mac GUI they may remain the same, they are separate. If you change a user's password by using root or an admin account where you don't have to enter the user's password, then the user's keychain password cannot and will not be changed.

When attempting to access a keychain with a different password, OS X will prompt you for the keychain (old) password.
posted by cotterpin at 1:53 AM on January 2, 2016 [3 favorites]

alms: But maybe that doesn't cover the case where they boot into recovery mode before ever connecting to the Net.

I might be misunderstanding your question, but I think now that my original comment was unclear. When I said "unless you've set a separate firmware password" I meant "unless you've set a firmware password in advance". Like you said, Back to My Mac could certainly prevent booting into other drives if it connects to the net and gets your command, but if you'd set one in advance it could've prevented booting into other drives (the recovery console is just another drive partition) without connecting to wifi and getting that command. So it's the difference between it being a useless brick for the thieves and them being able to reformat it and reuse it/resell it (but not access your data.)
posted by bluecore at 5:20 AM on January 2, 2016

Update: I just got this message from Apple via email:
> alms's Computer is being erased.
> The erase of alms's Computer started at 7:03 AM on January 2, 2016. All data will be permanently erased. This process may take several hours, depending on your hard drive size.
> If you recover your Mac, unlock it using the passcode you created when you erased your Mac.
So I guess that means the computer connected to the net somehow, and that it will be locked up and unusable. I wonder what the thieves will do with it.
posted by alms at 7:20 AM on January 2, 2016

Probably just sell it as-is, for cheap. Let the condition of the Mac be the buyer's problem.
posted by spinifex23 at 11:20 AM on January 2, 2016

You're almost certainly fine, but you should still change your passwords just in case. It's relatively easy compared to cleaning up after identity theft. Full disk encryption is very smart, especially for a laptop. Most attacks on an encrypted machine are impractical for real life scenarios. Cryptographers worry about those attacks, because that's their job, and they want solutions that would even protect a pc full of nuclear launch codes in the hands of the NSA.
posted by mccarty.tim at 3:55 PM on January 2, 2016

Thank you for all of these answers. They're largely reassuring, but we also got sidetracked from my original question. Maybe I wasn't clear enough. In case anyone is still reading, I'll rephrase it. I was not asking about the security of my personal data. I was asking whether the burglars would be able to use the Macs, or whether they were effectively bricked by the various security measures I took. Can petty burglars sell machines like that? Will they sell them for parts, or just throw them away and curse their bad luck?

The burglars left two iPhones that were in plain sight. At the time I thought it was odd, but now I think they probably left them because there's not much market for stolen iPhones anymore -- they can't be used. I'm guessing that's not true of most computers, but that it is true of Macs protected with FileVault2 and locked up & erased by iCloud. If anyone has a more informed answer to that question, I'd appreciate it. Thank you!
posted by alms at 7:48 AM on January 3, 2016

Since it seems like the Find My Mac firmware locks were successful, they're bricked for now, but I'd say the effective part of the equation depends on their expertise.

1) If they had absolutely no expertise and they're lazy/scared: the laptops probably went in a dumpster.

2) No expertise but they're desperate for money: they sell them for cash on craigslist "as is" or specifically for parts. The person buying them either just needs specific parts to fix their own laptop or knows how to do 3, 4, 5 below:

3) Some expertise: they chopped them up for parts to sell on ebay. The screen here, SSD blade there, etc. This could be time consuming and exposes them to having their name linked to auctions, although it's been known to happen.

4) Some social engineering or connections: they convince an Apple repair shop it's their laptop that mistakenly got locked, the repair shop unlocks the firmware (apparently Apple can do this for them) which allows them to reinstall the OS. Or they sell it to a disreputable repair shop that's knowingly dealing in stolen merchandise, although Apple would have to keep tabs on the number of firmware unlocks third-party repairers are doing, I hope?

5) Professional thieves: apparently (I'm not sure if they're legit, it could just be a scam) there are hacking devices you can buy which allow you to brute force through all the 4 or 6 digit firmware codes. It would take several days to do this and the devices cost about $600, so it would have to be an investment for a larger theft ring.

So they've seen enough news stories about iPhone thieves getting caught that they knew to avoid those, but they either didn't know MacBooks can be remotely bricked or didn't figure on you having the technical expertise to do so. If I was placing a bet, I'd bet they're not drug addicts just looking to score (they avoided the iPhones) but I'd also bet most burglars aren't part of a master crime ring with their own unlocking devices or connections at an Apple repair shop, so I'd go with #2 and guess they're ending up on craigslist.

Like I said, I'm not an expert (it would be awesome if an Apple Genius popped in to comment on current policies regarding Genius Bar and third-party repair shop firmware unlocks) but these are my best guesses...
posted by bluecore at 1:23 PM on January 3, 2016

This summary makes sense. There is one other thing I didn't mention: when I locked my Macs via iCloud I was given an option to compose a message to display on the lock screen. I entered a message saying essentially, "This Macintosh has been stolen. If found, please return to police in [municipality, state]". So option 4 is likely off the table.

I've marked a couple of best answers, but if anyone has anything to add, please continue to chime in. Thank you!
posted by alms at 8:25 AM on January 4, 2016

Sorry this happened, theft sucks. Glad you were backed up & insured.

re: "current policies regarding Genius Bar and third-party repair shop firmware unlocks"

Policy for AASPs & Apple Stores is to require a proof of purchase for these situations. As noted upthread, laptops made in the last 5 years or so require human interaction from the mothership (e.g. device-specific challenge/response keys) to defeat a firmware lock, so a 'rogue AASP' situation isn't likely. Unless the machine is recovered (fingers crossed!) the most likely outcome is the unit's bricked & will be sold for parts.

Side note re: the Filevaulted machine vs the non-Filevaulted one: as of OS 10.10 if a remote erase is issued then upon restart FileVault 2 nukes the encryption keys necessary to decrypt the system disk, otherwise it deletes the system partition.
posted by churl at 1:10 PM on January 6, 2016
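
The key hierarchy discussed in the answers above (a password unlocks the key that protects the disk key, a password reset without the old password cannot re-wrap a protected key, and a remote erase destroys the keys rather than the data), as an added example that is not part of the thread and is not Apple's implementation. `Volume`, `seal`, `unseal` and the passwords are hypothetical, and a toy HMAC-SHA256 keystream stands in for the real disk cipher.

```python
import hashlib, hmac, os

def derive_kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)  # slow KDF -> KEK

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy HMAC-SHA256 counter keystream; stands in for a real cipher such as AES
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Volume:
    def __init__(self, password: str, data: bytes):
        self.salt = os.urandom(16)
        volume_key = os.urandom(32)  # random; never derived from the password
        self.wrapped_key = seal(derive_kek(password, self.salt), volume_key)
        self.ciphertext = seal(volume_key, data)

    def _volume_key(self, password: str):
        if self.wrapped_key is None:
            return None
        return unseal(derive_kek(password, self.salt), self.wrapped_key)

    def unlock(self, password: str):
        vk = self._volume_key(password)
        return None if vk is None else unseal(vk, self.ciphertext)

    def change_password(self, old: str, new: str) -> bool:
        vk = self._volume_key(old)
        if vk is None:
            return False  # without the old password the key cannot be re-wrapped
        self.salt = os.urandom(16)
        self.wrapped_key = seal(derive_kek(new, self.salt), vk)
        return True

    def remote_erase(self):
        self.wrapped_key = None  # ciphertext remains but is now undecryptable
```

Changing the password only re-wraps the 32-byte volume key, so the bulk ciphertext is untouched, and discarding the wrapped key is enough to make the data unrecoverable without overwriting the disk.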
