Even with robust security software installed on a Mac system and Apple's efforts to prevent unwanted tampering, someone with brief physical access to your Mac can bypass security measures by booting to alternative volumes or loading in Single User mode. If this concerns you, you might consider locking the system's firmware.
Locking the firmware prevents the system from accepting boot arguments and loading in modes that might allow access to sensitive data. These include Single User mode, in which the system drops you to a command line with root privileges, and Safe mode, in which nonessential and third-party system services (including security options) may be disabled at startup.
Another means of bypassing OS X security measures is to hold the Option key at startup to view the boot menu and select a secondary volume such as an external USB drive to boot from, and subsequently access any file on the internal boot volume. However, locking the firmware also makes it so someone would need the firmware password to access the boot menu.
In addition to locking down the Mac's boot environment, the firmware password prevents resetting hardware variables like the PRAM. If you need to perform these actions, then you can always disable the password temporarily. Unfortunately in older Mac systems a firmware password could be bypassed by making even the simplest hardware changes to the system (for example, removing a RAM module); however, starting with Mac models released in 2011, Apple's firmware passwords now require servicing in order to be bypassed, making the password a far more effective security system.
To set up a firmware password in OS X, you must use Apple's Firmware Password Utility. It's located on the OS X recovery volume, so the default way to access this tool is by first booting to this volume, and then selecting it from the Utilities menu.
If your system cannot boot to the recovery partition either because of an error on the volume or because you have set a firmware password and have forgotten it, then you can still access the utility from your standard boot volume by doing the following:
OS X 10.7 Lion or greater
- Enable the Debug menu in Disk Utility by opening the Terminal (in the /Applications/Utilities/ folder) and running the following command (copy and paste it):
defaults write com.apple.DiskUtility DUDebugMenuEnabled 1
- Open Disk Utility and choose "Show every partition" from the new Debug menu, and then mount the hidden Recovery HD partition by selecting it and clicking the Mount button in the toolbar.
- Go back to the Terminal and run the following command to load the recovery disk image (copy and paste it):
open /Volumes/Recovery\ HD/com.apple.recovery.boot/BaseSystem.dmg
- In the window that opens, go to the Applications/Utilities/ folder and locate the Firmware Password Utility.
- Follow the instructions in the utility to set or reset the password.
OS X prior to 10.7
- Insert your OS X installation DVD.
- Open the Terminal utility and run the following command (copy and paste it):
open /Volumes/Mac\ OS\ X\ Install\ DVD/Applications
- Open the Utilities folder in the window that appears, and locate the Firmware Password Utility.
- Follow the instructions from the utility to set or reset the password.
Questions? Comments? Have a fix? Post them below or
Be sure to check us out on Twitter and the CNET Mac forums.