EFI firmware protection locks down newer Macs
Apple's firmware password security is greatly enhanced in recent Mac models, making it a rather robust security feature.
With Apple's Mac systems you can lock down the options to select an alternative startup disk, boot to Safe or Single User modes, reset the PRAM, and otherwise start the system in ways that can bypass the security features of OS X.on
However, as a security measure the firmware password has been met with some criticism because it could easily be bypassed by someone who has physical access to the system. In earlier Intel-based Macs the firmware password was stored in the PRAM of the system, and was simply read by the system's EFI firmware before other PRAM variables in order to maintain the lock on the system; however, this setup had drawbacks that allowed the firmware to be reset or even revealed.
Altering the system's hardware configuration, such as by removing or adding RAM modules, would clear the security password and permit booting to alternative modes. Not only did this basic way of bypassing the password exist, but the password was also not stored very securely. While administrative rights are required to uncover it, with these rights one can use included utilities in OS X to, which is masked only by a simple obfuscation routine.
These fallbacks made the Mac's firmware password almost laughable as a security measure, but this has changed with newer Mac systems. Starting in 2011, users began finding they could no longer reset their firmware passwords simply by modifying the hardware configuration. The systems would maintain the lock and prevent the use of alternate boot modes, leaving no choice for those who had set the password and then forgotten it but to bring their systems in to Apple for servicing.
In these newer systems, instead of using the PRAM to store the EFI firmware password, Apple has resorted to using a separate programmable controller from Atmel (PDF) that contains lockable flash memory used to store the password. This tiny chip is tucked away on the motherboard and includes include a security feature that stores the password in ways that require special programming with identifier numbers for both your motherboard and the Atmel chip to access and erase, which must done using special routines during the boot process.
As it's not dependent on other system components to maintain this lock, this new chip therefore cannot be unlocked simply by a hardware change. The password is also not available in the PRAM, so it cannot be revealed to users, regardless of their administrative status.
To reset the firmware password on newer Macs, you must now follow these steps:
- Boot with Option key held to display the boot menu's firmware password prompt.
- Press Control-Option-Command-Shift-S to reveal a 33-digit hash (mixed letters and numbers) that contains an identifier for your specific motherboard and the Atmel chip used for your system. In this hash, the first 17 digits are an identifier for the system's motherboard, and the last 16 digits are a hash for the password.
- Submit the hash to Apple, where someone will put it through a special utility to create a keyfile that is specific for your machine.
- Place the file on a special USB boot drive and hold Option to load the boot menu and select this drive.
- The system will read the file and properly reset the firmware password stored in the Atmel chip.
This process may seem easy enough, except that the utility for creating the keyfile is kept at Apple so you have to go through an authorized service center, which will contact technicians at Apple for this service. Secondly, the Apple technicians will not give you the keyfile for unlocking your system, so you must get your system serviced to perform this step.
Even if you were able to get the keyfile, it cannot be used on any other Mac system. The Atmel chip's serial number and motherboard identifier are factory-programmed, resulting in a pairing that is unique for your system. This is why the hash numbers for your system must be programmed into the keyfile, making it machine-specific.
Even so, there is one way to bypass the Atmel chip, which is to manually remove it and solder a new, unlocked chip to your motherboard; however, without precise reflow soldering tools and techniques, this would likely result in an unmitigated disaster that not only would void your warranty, but would very likely break your machine.
Coupled with Apple's FileVault full-disk encryption to protect data should the hard drive be removed, the firmware password in Apple's latest systems provides a very effective hardware security lock. Setting it up involves the same steps as for all of Apple's hardware, but these advances make it so that to change or remove it you need to either use the same firmware password utility and remember the previous password, or have it serviced.