Easy-to-Hack Mac Shows Need for Physical Security

I have been in IT and security for over 16 years now, and in all that time I have been almost exclusively a PC user. I have done serious work on a Mac only about two or three times in my career, and all of those were trying to figure out networking problems with them. I have never used a Mac in my day-to-day life. However, I recently made the jump when my employer started offering MacBook Pros to us geek-type employees. My wife just got an iPad and an iMac, and I thought they were pretty sweet, so I decided to try it out. If worst came to worst, I could just load VMware and run Windows 7, right?

But the point of this post is not my defection to Apple. It is the series of events that took place in getting my Mac.

When it came time to get my Mac, I found out that my helpdesk had accidentally ordered another Dell for me. It was an understandable mistake since most of the staff run Dells or some other PC-type machine, but I really wanted my Mac, even if I had to wait for another week or two to get it ordered and shipped. Well, it turns out that I didn't have to wait. My boss called me up and said that one of my coworkers had just received a brand new MacBook Pro before he left the company about a month ago, and that he would just ship it down to me. Problem solved, right? Well, not exactly.

The problem is that my boss didn't know what the guy's password was, we couldn't get in touch with him to ask, and my boss didn't have an OS X disk handy to reload when he was shipping it (no one knows where the disk that came with the Mac went). So when he shipped it, it was with the caveat that I might have an unusable machine for a while.

Well, I did not want to accept that answer because I was ready to play with that Mac. And because Google is my friend (especially now that they are mad at China), I decided to see if anyone had figured out how to hack a Mac when they had physical access. And after an exhaustive and tiring search that took all of about 2 minutes, I found a solution (I won't post the link here at Computerworld, but I did post it on the show notes on my podcast that Jim Broome and I recorded last night). And that solution took me about 3-4 minutes to implement, including boot time on the MacBook. I literally had to issue three commands after I booted into single-user mode (it boots into the CLI), and I was welcomed with the "Welcome in 50 languages" screen after I rebooted. I created my admin user, and I had complete and total access to everything on the box. Wow...

So is the point to this article that I discovered some new uber Mac hack? Obviously not, since I googled it to find the answer. Am I saying that Mac security sucks? Nope (though I am sure I will get flamed for this anyway). In fact, I mentioned in the podcast last night that with a bootable CD with specialized software, I helped my sister-in-law crack into a Windows XP laptop not too long ago. It took about 5 minutes after she booted up with the CD. It was a little more complicated of a process, but the time to crack it was not significantly more than the Mac.

The point is that physical security is king (quoted from Jim on the podcast). The manufacturer often makes a risk decision on physical security that assumes physical access is going to be limited to authorized persons. And even if the manufacturer DOES lock it down physically, the bad guy has a lot of time to crack it if he has the box in front of him with uninterrupted access. Basically, if someone steals your stuff, you have a lot of other issues to worry about.

So maintain your physical security. Just like you wouldn't leave your datacenter door open for anyone to walk through, don't leave your laptop alone on the table in the Starbucks while you go order coffee. Keep track of your stuff. And maybe think about encrypting your disk on laptops? :) Do your due diligence in protecting physical access. Because once the bad guy has his grimy fingers on your stuff, it is almost a foregone conclusion that you can kiss your data goodbye.