Macbook stolen, what to do?

[macbook123]

#1
Somebody just broke into my car and stole my Macbook. What's the best thing to do if I don't want the to be able to access my data? I honestly don't recall if I had a password set on login screen since I sometimes turn it off when I'm working a lot from home.

I imagine if I had no password set I'm screwed, or is there anything I can do still?

If I did have a password set, can they still access my data?

And should I do remote erase or lock, i.e., which is safer?

Thanks!

 

[Shirasaki]

Call police.

And if Find Mac is on, set a remote lock, and remote erase. Then if your Mac goes online again, it will be locked automatically.

But given the fact that this feature is somewhat useless, what you can only wish is data is erased by thief without checking it. The reason I say it is useless because I have tried this once, and I didn't receive any notifications, while Mac remained fully accessible even after my MacBook was found.

 

[Evren Carven]

If you have a password set, they cannot access your data. Don't worry.
The best way is to erase or lock your Mac remotely. But the precondition is your Mac is online.
https://support.apple.com/kb/PH2701?locale=en_US

 

[bobdamnit]

If you have a password set, they cannot access your data. Don't worry.
The best way is to erase or lock your Mac remotely. But the precondition is your Mac is online.
https://support.apple.com/kb/PH2701?locale=en_US

I disagree. If I can get into recovery with a Terminal, I can do a few different things to obtain administrator access to the Macbook, and thus, the original owners data.

This is where Filevault and a firmware password would have helped.

 

[Weaselboy]

If I did have a password set, can they still access my data?

Yes... very easily. All they have to do is command-r boot to recovery then in Terminal enter "resetpassword" and follow the prompts to change the password.

Turning on FileVault encryption will prevent this.

If you have Find my Mac turned on, do an erase and lock.

 

[vanc]

I disagree. If I can get into recovery with a Terminal, I can do a few different things to obtain administrator access to the Macbook, and thus, the original owners data.

It's true unless you have file vault enabled. I have file vault enabled on my 2012 MBP 15 as soon as I bought it. Without a correct password, the whole disk is fully encrypted with AES, and nobody could read it.

 

[macbook123]

If you have a password set, they cannot access your data. Don't worry.
The best way is to erase or lock your Mac remotely. But the precondition is your Mac is online.
https://support.apple.com/kb/PH2701?locale=en_US

Why is erase better than lock? If I lock it I can send a message with my contact information. There's probably a non-negligible chance that the thief is too stupid to get around that and will just leave it somewhere and then somebody can find it and give it to me. Or the thief might contact me claiming they didn't steal it but only found it.

If I do erase I basically present them with a laptop that is all theirs at that point, with no way of ever getting it back. But maybe I'm misunderstanding something?

 

[Queen6]

Why is erase better than lock? If I lock it I can send a message with my contact information. There's probably a non-negligible chance that the thief is too stupid to get around that and will just leave it somewhere and then somebody can find it and give it to me. Or the thief might contact me claiming they didn't steal it but only found it.

If I do erase I basically present them with a laptop that is all theirs at that point, with no way of ever getting it back. But maybe I'm misunderstanding something?

Ultimately it depends if you value your Mac over your personal data. Personally I would lock it and erase, I would also think carefully about what information you pass and meeting such individuals unless you are well prepared and know what your doing.

Q-6

 

[netsped]

Do you think it is overkill to have FileVault 2 enabled (with a strong password) and also Firmware Password (with a stronger password)? Or is it the best way to keep a Mac unusable if stolen.

 

[jazz1]

Too late now, but do current Macs allow a firmware lock? I understand the a few years ago there was a way to get around even that, but now I think you actually have to send it to Apple to get around a firmware lock if you don't know the password.

 

[Queen6]

Do you think it is overkill to have FileVault 2 enabled (with a strong password) and also Firmware Password (with a stronger password)? Or is it the best way to keep a Mac unusable if stolen.

No not at all, if anything it`s prudent and will prevent any access to your Mac, barring the very skilled.

Q-6

 

[Weaselboy]

Do you think it is overkill to have FileVault 2 enabled (with a strong password) and also Firmware Password (with a stronger password)? Or is it the best way to keep a Mac unusable if stolen.

Eh... maybe a bit. All the FW password does is stop somebody from booting from an external drive making the computer worthless pretty much. But it does not really increase security to any great extent.

Too late now, but do current Macs allow a firmware lock? I understand the a few years ago there was a way to get around even that, but now I think you actually have to send it to Apple to get around a firmware lock if you don't know the password.

Yes... they do allow a firmware lock. Pre-2011 you could reset the FW PW by removing a RAM chip, but with newer models (article) that is no longer possible.

 

[Queen6]

Eh... maybe a bit. All the FW password does is stop somebody from booting from an external drive making the computer worthless pretty much. But it does not really increase security to any great extent.

Bit more to it than that; the Firmware password prevents the OS being replaced, and it prevents the Mac being started up in Target Disk mode. It does indeed render the Mac unless, it also reduces the chance of the thief and or accomplices making decent money out of the crime.

If the OS can be replaced the system can be sold on for a very decent profit, likely to someone innocent a point worth considering. I see no need to make things easier for them.

Q-6

 

[Weaselboy]

Bit more to it than that; the Firmware password prevents the OS being replaced, and it prevents the Mac being started up in Target Disk mode. It does indeed render the Mac unless, it also reduces the chance of the thief and or accomplices making decent money out of the crime.

If the OS can be replaced the system can be sold on for a very decent profit, likely to someone innocent a point worth considering. I see no need to make things easier for them.

Q-6

Sounds like you are just repeating what I said.

 

[Queen6]

Sounds like you are just repeating what I said.

Shall we say expanding on what you said equally I believe the Firmware password does add a layer of protection

Q-6

 

[NoBoMac]

Without a correct password, the whole disk is fully encrypted with AES, and nobody could read it.

My information might be old, but, I read a whitepaper a few years back re: FileVault2 hacking. Long story short, not easy to do, but, the first level of defense is that the user passwords to unlock the disk (actually, unlock the encryption key to decrypt the encryption key to decrypt the disk) are stored in a known location on disk and is basically a mini keychain-like structure. And though using strong encryption/hashing for the passwords, can be cracked easily if the password is not strong.

Maybe Apple has made improvements to the scheme in the last few years?

FileVault will stop your run-of-the-mill thieves, but not immune to a determined individual, so, use strong passwords on your Mac's accounts.

 

[Mcmeowmers]

If you have a password set, they cannot access your data. Don't worry.
The best way is to erase or lock your Mac remotely. But the precondition is your Mac is online.
https://support.apple.com/kb/PH2701?locale=en_US

I could most definitely access your files if you had a password set - the password largely only stops normal users as it is easily bypassed. Only FileVault would stop someone.

 

[Weaselboy]

My information might be old, but, I read a whitepaper a few years back re: FileVault2 hacking. Long story short, not easy to do, but, the first level of defense is that the user passwords to unlock the disk (actually, unlock the encryption key to decrypt the encryption key to decrypt the disk) are stored in a known location on disk and is basically a mini keychain-like structure. And though using strong encryption/hashing for the passwords, can be cracked easily if the password is not strong.

Maybe Apple has made improvements to the scheme in the last few years?

FileVault will stop your run-of-the-mill thieves, but not immune to a determined individual, so, use strong passwords on your Mac's accounts.

That is old information. What you may have read was people accessing direct memory access (DMA) to grab the password. That was patched in Lion 10.7.2. I have yet to read of anybody able to crack a FV2 encrypted system.

 

[NoBoMac]

That is old information. What you may have read was people accessing direct memory access (DMA) to grab the password. That was patched in Lion 10.7.2. I have yet to read of anybody able to crack a FV2 encrypted system.

Nope, not DMA. They were able to scrape off the "keychain" file containing the accounts that can unlock the disk, decrypt the password(s) off line.

A hacker that can get access to
/Volumes/Recovery HD/com.apple.boot.R/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey
has the keys to FileVault. It's an encrypted file, but at the time, was easy to decrypt (key was stored in the header of the file in plaintext). The file contains the user accounts that can unlock, encrypted passwords, and then the encrypted encryption key for decrypting the master encryption key. The recovery key is stored here as well, with similar structure as a user account.

Since the Recovery volume is not encrypted, someone with skills and tools could scrape that volume off to another computer and work with that.

As mentioned, not simple tasks, required software they developed that could handle CoreStorage files on non-Mac machines, won't be carried out by Average Joe Thief, but was not impossible at the time.

When I have some time, I'll see if I can dredge up the white paper again (didn't save since I got the gist of what goes on with FileVault, and my user accounts all have strong passcodes on them [difficult for a dictionary attack] so not too concerned about FileVault security).

 

[Weaselboy]

http://eprint.iacr.org/2012/374.pdf

I believe this is the paper you are referring to and in that paper they mention the header in plain text issue was patched in 10.7.2.

 

[macbook123]

Quick question: I changed my iCloud password after loosing the laptop. Will Find my Mac still work even if the stolen Mac can't connect to iCloud anymore because I changed the password?

 

[dogslobber]

It's true unless you have file vault enabled. I have file vault enabled on my 2012 MBP 15 as soon as I bought it. Without a correct password, the whole disk is fully encrypted with AES, and nobody could read it.

This.

Plus Find My Mac is junk because it needs the OS to boot. The feature should actually run from the Mac BIOS like recovery mode can. The tools are all there once a network connection is available.

 

[2984839]

Full disk encryption with a very strong passphrase is really the only way to prevent that.

But honestly, the thief is much more likely to just wipe it, reinstall the OS, and sell it cheaply on Craigslist or eBay than to sift through it trying to steal your data. That's if he even bothers to wipe it. There's a good video from Defcon where a security researcher had his desktop stolen and tracked the thief down. The thief was a total idiot.

 

[dogslobber]

But honestly, the thief is much more likely to just wipe it, reinstall the OS, and sell it cheaply on Craigslist or eBay than to sift through it trying to steal your data. That's if he even bothers to wipe it. There's a good video from Defcon where a security researcher had his desktop stolen and tracked the thief down. The thief was a total idiot.

If the thief was technological proficient then chances are (I think) they'd get an honest job to avoid felonous behaviour.

 

[HenryDJP]

Full disk encryption with a very strong passphrase is really the only way to prevent that.

But honestly, the thief is much more likely to just wipe it, reinstall the OS, and sell it cheaply on Craigslist or eBay than to sift through it trying to steal your data. That's if he even bothers to wipe it. There's a good video from Defcon where a security researcher had his desktop stolen and tracked the thief down. The thief was a total idiot.

If a person is a "thief" they likely want much more than to just sell the Macbook. No doubt he or someone he associates with will go through the contents on the computer to see whatever is valuable to him/her. That's just the reality of it unfortunately.