Stolen MacBook Pro M1 14"

[Mary H]

On Monday our MacBook Pro M1 14" was stolen. It has not been connected to the internet so Find My has not been able to locate it. We have locked it. We suspect that by now it has possibly been disassembled and so I am interested in knowing how much of our information on the hard drive is accessible. I have already changed passwords on key accounts such as bank, Apple ID, and others of a sensitive nature. What I am most interested in is:
Would the person in possession of that hard drive be able to access the keychain, and also when I migrated our old MacBook to the new one, would the keychain have migrated? In which case, I have a very busy day ahead of me.
Would they have access to a file that was password protected on the hard drive? I am not sure if our password protected file was on the laptop or only in Dropbox.
Can they access Dropbox?
Can they access anything we had in iCloud, or by the fact I have already changed my Apple ID password is that safe?
Thankfully there were not many files of concern on the laptop at this point in time as the computer was still fairly new and I primarily work on my home computer.
Are there any areas of concern I have not mentioned that I should be concerned about.
Thanks,
Mary

 

[Raebo]

You might want to go to apple support and give them a call.

 

[Apple_Robert]

I would remotely wipe the Mac by going to AppleId.Apple.com if you had FileVault turned on, you are protected.

 

[spiderman0616]

You'd be surprised how much access you have to lock that device down even without the device present. Go to iCloud.com and log in, go to your account settings, and de-register the device. I believe you can also report it missing/stolen from that interface. It might even work from your Find My app.

 

[Mary H]

I would remotely wipe the Mac by going to AppleId.Apple.com if you had FileVault turned on, you are protected.

Next time, FileVault will definitely be turned on!

 

[BeatCrazy]

Next time, FileVault will definitely be turned on!

I feel bad for your situation, but did you deliberately uncheck the FileVault option when setting up your MacBook?

 

[Mary H]

I feel bad for your situation, but did you deliberately uncheck the FileVault option when setting up your MacBook?

Unfortunately yes, we had had difficulty with FileVault many years ago on an older computer and so chose to not use it Next time we will be smarter and leave it on.

 

[VineRider]

The disk is encrypted with the T2 chip, even though you did not have FileVault turned on. This article gives more details. It clearly is best to turn FileVault on, but this may give you a bit of peace of mind.

About encrypted storage on your new Mac - Apple Support

Learn about encrypted storage on computers that have the Apple T2 Security Chip, and make sure that your data is fully protected.

support.apple.com

Mac computers that have the Apple T2 Security Chip integrate security into both software and hardware to provide encrypted-storage capabilities. Data on the built-in, solid-state drive (SSD) is encrypted using a hardware-accelerated AES engine built into the T2 chip. This encryption is performed with 256-bit keys tied to a unique identifier within the T2 chip.

As long as you had a strong password on the Mac, it is unlikely that it the data on there can be compromised.

 

[Mary H]

The disk is encrypted with the T2 chip, even though you did not have FileVault turned on. This article gives more details. It clearly is best to turn FileVault on, but this may give you a bit of peace of mind.

About encrypted storage on your new Mac - Apple Support

Learn about encrypted storage on computers that have the Apple T2 Security Chip, and make sure that your data is fully protected.

support.apple.com

Mac computers that have the Apple T2 Security Chip integrate security into both software and hardware to provide encrypted-storage capabilities. Data on the built-in, solid-state drive (SSD) is encrypted using a hardware-accelerated AES engine built into the T2 chip. This encryption is performed with 256-bit keys tied to a unique identifier within the T2 chip.

As long as you had a strong password on the Mac, it is unlikely that it the data on there can be compromised.

Thanks. That is definitely encouraging. Now to wonder how strong my password was

 

[BeatCrazy]

The disk is encrypted with the T2 chip, even though you did not have FileVault turned on. This article gives more details. It clearly is best to turn FileVault on, but this may give you a bit of peace of mind.

About encrypted storage on your new Mac - Apple Support

Learn about encrypted storage on computers that have the Apple T2 Security Chip, and make sure that your data is fully protected.

support.apple.com

Mac computers that have the Apple T2 Security Chip integrate security into both software and hardware to provide encrypted-storage capabilities. Data on the built-in, solid-state drive (SSD) is encrypted using a hardware-accelerated AES engine built into the T2 chip. This encryption is performed with 256-bit keys tied to a unique identifier within the T2 chip.

As long as you had a strong password on the Mac, it is unlikely that it the data on there can be compromised.

Thanks. That is definitely encouraging. Now to wonder how strong my password was

14" M1 MacBooks (the Apple Silicon models) don't use the T2 chip. Rather, such security features are built into the processor directly. https://medium.com/macoclock/3-ways-m1-macs-are-more-secure-6dbb428751ed

 

[Mary H]

14" M1 MacBooks (the Apple Silicon models) don't use the T2 chip. Rather, such security features are built into the processor directly. https://medium.com/macoclock/3-ways-m1-macs-are-more-secure-6dbb428751ed

So, to put that in plain English, does that mean anyone trying to access the hard drive without the proper credentials will basically just wipe out everything on there?

 

[BeatCrazy]

So, to put that in plain English, does that mean anyone trying to access the hard drive without the proper credentials will basically just wipe out everything on there?

Other people can't trigger the hard drive to erase, but you can attempt to do it remotely:

Erase a device in Find My on Mac

In Find My on Mac, erase a lost or stolen device.

support.apple.com

 

[Mary H]

Other people can't trigger the hard drive to erase, but you can attempt to do it remotely:

Erase a device in Find My on Mac

In Find My on Mac, erase a lost or stolen device.

support.apple.com

Can the hard drive be erased if they have not tried to connect to the internet? We are thinking the computer has been disassembled for parts if it hasn't been trashed.

 

[BeatCrazy]

Can the hard drive be erased if they have not tried to connect to the internet? We are thinking the computer has been disassembled for parts if it hasn't been trashed.

Remote erase requires that the complete computer be connected to Wi-Fi.

 

[umbilical]

Next time, FileVault will definitely be turned on!

FileVault still makes the machine slower on the M1's? If I active FileVault on my late 2013 macbook pro, this thing goes very slow, without moves fast.

 

[Apple_Robert]

FileVault still makes the machine slower on the M1's? If I active FileVault on my late 2013 macbook pro, this thing goes very slow, without moves fast.

FileVault is not slow on the M series Macs.

 

[umbilical]

FileVault is not slow on the M series Macs.

Great to know!

 

[laptech]

Can the hard drive be erased if they have not tried to connect to the internet? We are thinking the computer has been disassembled for parts if it hasn't been trashed.

Yes the hard drive can be erased. All the thief has to do is boot into Mac recovery and erase the hard drive. The problem is that due to the machine having being reported stolen and 'Find My' has been activated via your Apple user account, the machine basically becomes a glorified paper weight because no matter what the thief tries to do, it will always ask for the owners apple ID before it will allow the thief to try and install Mac OS. There is hacking software that allows people to get around apple ID so an OS can be installed but it does not allow for any updates because what some OS updates does is clear the memory space where the hacking software resides which results in the owners apple id being asked for. It is very cumbersome to do but it does allow a stolen mac book to be used although with limitations.

Your mac book would have been stolen for two reasons, to be sold on to a 3rd party or to be broken down for parts. Once the thief realises that the machines secuirty features have been activated with it constantly asking for the owners apple id they would know it be pointless to try and sell it as a working machine and thus it would be broken down for parts. M1 parts are still expensive but it would have to take a thief who knows the specifics about macbooks to know if they were stealing an M1 or an Intel machine.

 

[JW5566]

Sorry to hear about the theft

Good to read that Macs in general are reasonably secure. I just checked mine and filevault is turned on.

It's another reminder also to regularly back up important data and/or use iCloud.

 

[solouki]

While this comment is somewhat tangential to the topic at hand, it is something you might wish to know if you are worried about privacy and security.

Different user accounts on the same machine may have access to other users's directories. For instance, every user's "Public" folder (the ~/Public directory) typically allows read and sometimes write access to all other users on the system. This is by design and is fine from a security viewpoint as long as you don't put any sensitive files in your ~/Public folder.

On the other hand, many times additional user directories may also allow other users to have access via permissions. This is potentially a security/privacy risk.

In the Terminal.app window, if you perform the following command:

ls -alOR@

you will see a listing of directories and files. For regular files, the files's lines should begin with "-rw-------" which means that the owner (user, or you, in other words) has read (r) and write (w) permisions, but the users in the same group (g) and other users (everyone else) do not have read nor write permissions. For directories, the directory file should begin with "drwx--x--x" which means that the user (owner) has read and write access, but the group and other users do not.

If you wish to restrict access to a particular directory (folder) as much as possible, then you can perform the following command:

chmod -R go-rw <directory-name>

where <directory-name> is the name of the directory (folder) that you wish to have restricted access. The "-R" option tells "chmod" to be applied recursively to all subdirectories and files, the "go" of "go-rw" indicates the other users in the login user's group (g) as well as everyone else (o). The "-rw" says to subtract read and write permissions from the indicated users, that is, from "go" or the group and other (everyone) users. This command will make the directory (folder) non-accessible by all other users except for the owner -- and, of course, root (administrator or superuser) also still has access to these directories and files. Perform a new "ls" to verify that the directory, subdirectories, and files have all been modified:

ls -alOR@ <directory-name>

When you create new directories or files, they are created with permissions dictated by the "umask" settings of your shell. Most accounts are configured with:

umask 0022

which gives the group and other users read and write access permissions to new folders and files. If you wish to restrict access to newly created directories and files, then use:

umask 0077

which will set the access permissions for new directories and files to allow only the owner to have read and write permissions with all other users denied read and write access. Personally, I use "umask 0077" that I set in a shell script that executes on login.

Solouki