Apple's iCloud lock for Macs is not very secure

One feature in Apple's iCloud service for OS X is its lock option, which allows you to remotely set a PIN for your Mac through iCloud's Find My iPhone service, and require that it be entered to boot the system.

This lock is similar to a firmware password for securing Mac systems. Not only does it prevent booting to alternative boot modes such as Safe Mode or Single User Mode, but it prevents loading in special hardware modes like Target Disk and Internet Recovery so the hard disk cannot be wiped or otherwise accessed.

Unlike the firmware password, however, the iCloud PIN is required to boot the system. This may sound convenient, but in its current implementation it's not the most secure option to rely on.

The first issue with the iCloud PIN feature is that if it's locked from an iPhone, then the PIN is only four numeric digits, meaning that there are 10,000 possible combinations that can be tried to ultimately uncover it. Apple does attempt to discourage this brute-force approach by implementing a progressive wait time before you can try new PINs, but this can be circumvented by restarting the system (which quickly returns you to the PIN password screen) and continuing to enter new PIN numbers.

With diligence, this approach can get you into the system in a matter of hours. While a new PIN can quickly be set again to overcome the one being discovered, once in the system, someone will have access to your data. You can make the PIN more secure by locking the system from a Mac, in which case it will be a 6-digit code instead of 4-, but it still is not a very robust password option.

In addition to the relative ease of brute-force approaches, some people have simply removed the Mac's hard drive and installed it in another system to locate files on the drive that for some people contain the lock codes. Granted, these methods have not worked for all who have tried them, but some have had success.

The real issue at hand here is that relying on only a hardware-based lock, be it a firmware password or the iCloud PIN, will not secure your data. While these methods may lock your system's hardware and provide a frustrating hurdle for those trying to use it, they will not be a full block to those who try to get access to your data. If you would like to secure your Mac as much as possible, the following three options together should do the trick:

1. Use a firmware password instead of iCloud PIN
   A firmware password allows for more characters than the iCloud PIN, offering better security. In the latest Mac systems it also is quite secure and cannot be easily circumvented by changing hardware configurations like RAM, so this will provide a good lock for the system's hardware. Unlike with the iCloud PIN, you can still boot to the default hard drive with a firmware password implemented, but it will be much harder to crack (there are currently no known methods for doing this on Mac systems built in 2011 and later).
2. Encrypt the drive
   Using FileVault in OS X 10.7 and later, you can encrypt the Mac's entire hard drive and set up specific user accounts that can decrypt the drive and boot from it. Setting this up will in effect implement a boot password and make up for the lack of one when using only the firmware password. Encryption will secure the data on the drive both from local boot attempts by requiring a user password to unlock the drive, and prevent access to the drive's data if the drive is removed. The only option a thief has in order to use the drive is to wipe it.
3. Redundant encrypted backups
   Since a thief may still wipe your system's drive by removing it and attaching it to another system, to ensure your data is safe, be sure to make redundant encrypted or otherwise secured backups. Apple's Time Machine offers options to back up to multiple drives that can be stored in different locations, and also can encrypt your backups. You can also use Disk Utility to format an external drive as an encrypted volume and then use it as a clone destination for your internal drive.

With these three options, both your data and the system will be fairly well locked down and secured not only from thieves and other nefarious activity, but also from user error, defects, and other unforeseen problems you may encounter.

With that said, if you have not yet instated these options in your system and find yourself in a situation where you need to quickly lock your Mac (for instance, if you are on vacation and are worried about someone accessing your system), then you can log into iCloud and set the lock to at least provide some level of protection to your system until you can get back to it and implement more secure options.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.