
Apple EFI firmware passwords and the SCBO myth - hkr_mag
https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/
======
dogber1
Apple is doing a much better job than all the rest of the PC vendors. Even
those vendors that I haven't published keygens for [1] have just stupendously
unsound bypass mechanisms for BIOS passwords.

[1] [https://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html](https://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html)

~~~
userbinator
Nevertheless, physical access still means it's game over; and I consider that
a feature, not a bug. Given that, it's actually a little amusing that Apple
went to all that effort for something that can be defeated with nothing more
than a full BIOS reflash.

~~~
Sidnicious
Maybe not so amusing! As far as I know, you’ll need to take the machine apart
to reflash it, plus special hardware — because when a firmware password is
set, a Mac requires the password to choose a different boot disk.

With this feature, Apple HQ can give a service center the ability to clear a
particular firmware password without giving them a universal backdoor
(hardware _or_ software).

~~~
kogepathic
> As far as I know, you’ll need to take the machine apart to reflash it, plus
> special hardware

This doesn't take very long. Maybe 5 minutes to disassemble the machine.

As for hardware, you can flash SPI chips using a Teensy and a chip clip. [1]
The total cost of parts is under $30.

Incidentally, I highly recommend investing in one of these if you're doing
firmware development for routers. It's so much easier to flash a backup than
muck around with TFTP.

> because when a firmware password is set, a Mac requires the password to
> choose a different boot disk.

This is hardly unique to Apple. Most PC laptop manufacturers also disable
changing the boot device or choosing a temporary boot device when a setup
password is enabled.

> with this feature, Apple HQ can give a service center the ability to clear a
> particular firmware password without giving them a universal backdoor
> (hardware or software).

Um, this is how it works for PC firmware passwords as well. Unless there is a
keygen available, most modern implementations use a hashed value from the
serial number or hard drive as the master unlock password. It's unique to the
laptop being unlocked.

[1] [https://trmm.net/SPI_flash](https://trmm.net/SPI_flash)

------
userbinator
_These could be insiders working at Apple support centers or even Apple
itself._

It makes me somewhat happy in a weird way to think that, even in notoriously
locked-down and secretive companies like Apple, there are individuals who
don't believe in and subvert the company's attempts to have sole control of
its products. We have these individuals to thank for schematics, parts, and a
lot of other material that feeds the third-party repair industry.

~~~
Bluestrike2
I'm not so sure the people selling SCBO files are the ones we'd consider the
good guys. Or at least not based on their most likely buyers.

~~~
raverbashing
Correct, they're most likely allowing stolen computers to be used.

Makes me wonder if their SCBO generating system is connected to their stolen
serial number DB (probably not).

~~~
userbinator
_they're most likely allowing stolen computers to be used_

Also those which have been recycled, or which someone has locked out
accidentally, or deliberately _to scam someone_ (
[https://news.ycombinator.com/item?id=7993435](https://news.ycombinator.com/item?id=7993435)
), etc. Used computers from companies often have BIOS passwords that no one
bothered to clear before sending them off. Not every computer with a password
its current owner doesn't know is a stolen one. That's why I think this is a
good thing --- I believe in the fact that if you physically own something,
regardless of how you came to own it, you should truly "own" it.

~~~
raverbashing
Yes, I know there are legitimate cases of resetting the BIOS password.

------
joelhaasnoot
This article is the kind that makes me sit down with a cup of coffee and read
it top to bottom, even though I don't understand all of the low-level
assembler details (but it's understandable without that). Security is
important for everyone, not just security researchers.

------
thought_alarm
Can someone please cut me to the chase?

~~~
__david__
Apple can create a file to reset the flash password (it does not require
tampering with the physical flash chip). This password reset file is RSA
signed, so third parties can't create one from scratch unless they have stolen
Apple's private key (unlikely), or have contacts inside Apple willing to make
the file for them (more likely—all it takes is one unscrupulous employee with
access to the reset file generation program).

------
SCBO
What the hell does _SCBO_ even mean?

~~~
kalleboo
Dunno but Apple's EFI firmware files use the extension _SCAP_

------
mschuster91
Hmm... what about bugs in the USB / FireWire implementation of the EFI?

Or the good old FireWire DMA trick?

~~~
duskwuff
With the exception of the non-Retina MacBook Pro (which is due to be
discontinued any day now), none of Apple's computers have FireWire anymore.

Even when they did, enabling a firmware password disabled FireWire DMA, even
after boot. (And I'm not sure it was ever active during preboot.)

------
kalleboo
I wonder if we can expect this to change if Apple add a Touch ID reader (and
accompanying Secure Enclave) to the next generation of MacBooks.

------
sigjuice
TLDR? EFI password protection broken or not?

~~~
developer2
Apple has a backdoor for resetting firmware passwords via a special unlock
file that must be cryptographically signed using Apple's private key(s).

In theory only Apple employees can sign the unlock files. How many employees
have access to sign these unlock files? 10? 100? Every low-level employee?
There may be some "bad apple" employees selling the signing of unlock files,
some social engineering to trick Apple into providing signed files they
shouldn't be, or a vulnerability the researcher has not found that allows
attackers to bypass the public-key crypto implementation.

~~~
dogma1138
Since it's likely that every AppleCare center can perform this unlock, there
is a very good chance that there is a machine in virtually every one of them
that also has a service lab that makes these files.

The number of people that can unlock it is probably quite high. This isn't
that different from removing an Apple ID from a device: you need to go to the
Apple Store with the device and proof of purchase and they do it for you.

~~~
Sidnicious
Last I heard, service centers have to request these files from Apple on a
case-by-case basis, so that only a small number of people need the ability to
generate them. All of the complexity (writing a nonce to flash when the
firmware password is changed, etc.) exists to make it easy for a service
provider to apply an unlock _when authorized_.

I’d make a large bet that the same is true for removing Apple ID activation
locks from devices.
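The scheme the comments above describe (an unlock file signed at HQ, bound to one serial number and to a nonce the firmware writes to flash when the password is set, verified by the firmware with an embedded public key), as an added example that is not code from the article, the thread or Apple. Everything here is an assumption made for illustration: the field framing, the serial numbers, the key sizes, and the textbook RSA built from two Mersenne primes, which is there only so the block runs with no dependencies and is trivially factorable by anyone who reads it.

```python
"""Sketch of a per-device, nonce-bound firmware unlock token.

Added example: this is NOT Apple's SCBO format, only a model of the scheme the
thread describes. Key parameters, hash framing and serials are constructed.
"""
import hashlib
import secrets

# Toy RSA parameters built from two Mersenne primes so the example has no
# dependencies. CONSTRUCTED for illustration only: anyone can recompute these
# factors, so they give no real security. Real firmware would embed a properly
# generated public key and use a padded scheme such as RSA-PSS.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q                            # public modulus, baked into the firmware
E = 65537                            # public exponent, baked into the firmware
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, stays at HQ


def _unlock_digest(serial: bytes, nonce: bytes) -> int:
    """Hash of what a token authorises: a domain tag, the serial, the nonce."""
    msg = b"fw-unlock\0" + serial + b"\0" + nonce
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def hq_sign_unlock(serial: bytes, nonce: bytes, d: int = D) -> int:
    """Run at HQ only. Returns the unlock token for exactly this serial+nonce."""
    return pow(_unlock_digest(serial, nonce), d, N)


class Firmware:
    """Firmware side: holds the public key, the password state and the nonce."""

    def __init__(self, serial: bytes):
        self.serial = serial
        self.password = None
        self.nonce = None

    def set_password(self, password: str) -> None:
        self.password = password
        # Fresh nonce every time the password changes: any older token dies here.
        self.nonce = secrets.token_bytes(16)

    def apply_unlock(self, token: int) -> bool:
        """Clear the password iff the token verifies for this serial and nonce."""
        if self.password is None or self.nonce is None:
            return False                  # nothing to unlock
        if not 0 < token < N:
            return False                  # malformed token
        if pow(token, E, N) != _unlock_digest(self.serial, self.nonce):
            return False                  # wrong device, stale nonce, or forged
        self.password = None
        self.nonce = None
        return True


def demo() -> dict:
    """Exercise the properties the thread argues about; returns named outcomes."""
    a = Firmware(b"C02XXXXXXXXA")         # constructed serials, not real ones
    b = Firmware(b"C02XXXXXXXXB")
    a.set_password("hunter2")
    b.set_password("correct horse")

    token_a = hq_sign_unlock(a.serial, a.nonce)
    out = {}
    out["other_device_rejects"] = not b.apply_unlock(token_a)  # bound to serial
    out["forged_rejected"] = not a.apply_unlock(token_a ^ 1)    # one-bit tamper
    out["own_device_clears"] = a.apply_unlock(token_a)
    out["password_cleared"] = a.password is None

    # The owner sets a new password; the leaked token now names a stale nonce.
    a.set_password("new one")
    out["replay_rejected"] = not a.apply_unlock(token_a)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the nonce is the last check: a token that leaks from a service center is useless once the password has been changed, and a token made for one serial does nothing on another machine, which is what lets HQ delegate a single unlock without handing out a universal key. The private exponent never leaves HQ; the firmware only ever holds the verifying half.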

~~~
developer2
Even if the employees capable of directly signing the files make up a very
small group, they would probably be authorizing over the phone or a similar
indirect route. This opens the door to social engineering by anyone, employee
or not, who knows what number to dial and what information to provide. The
tech would be authorizing the file without seeing the customer's device and
proof of purchase themselves.

To foolproof the system, you would need less than a dozen people trusted with
the ability to sign the files, and require the device and proof of purchase to
be shipped to them rather than allowing unlocks to be authorized remotely.

It's unfortunate that the last line of defense against a stolen machine, the
firmware password, has a backdoor. I'd have expected a firmware password on a
MacBook to be just as difficult to bypass as an iPhone's passcode. Apple
refuses to unlock phones, but will gladly remove a firmware password on a real
machine. Disappointing.

~~~
Sidnicious
The OS X equivalent of an iOS passcode is FileVault. Its current incarnation
(v2) uses full disk encryption and doesn't have a (known) backdoor. (v1 used
per-user encryption but didn't protect the rest of the disk, and v3 might use
AFS to encrypt the whole disk in a way that users can only decrypt their own
data and shared areas of the filesystem, not other users' data.)

Firmware passwords are more like Activation Lock for iOS. They make it harder
to reuse a stolen computer and stop some less-invasive tampering, but don't
offer any guarantees about protecting your data.

