

Automated brute-force attack against the EFI PIN (2013) - cgtyoder
http://orvtech.com/atacar-efi-pin-macbook-pro-en.html

======
userbinator
_after three weeks of being bought the seller decided that he wanted it back.
He expressed this by locking it with a 4 digit PIN and a message that stated
“Give me back the laptop and give you back the money”, without calling or
anything._

In other words, the seller somehow had remote control of the laptop and locked
it remotely? Things like this are why you should _always_ reformat and
reinstall all the software on computers you buy...

Bruteforcing it is the long way, the fastest way would be to use an EEPROM
programmer to clear the EEPROM and rewrite the BIOS. This can usually be done
in-circuit without any soldering with a little clip that goes onto the chip. A
lot of laptop repair shops have this setup. Some of the newer models store the
password in TPM, which caused the shops to initially replace the TPM with a
new blank one but some RE later revealed that many (not all) can be cleared in
the same way as before.

The fact that BIOS/EFI passwords can be easily cleared must be one of the
worst-kept secrets in the computer industry - the companies will often
officially say that there is no way to reset them and that the whole
motherboard has to be replaced in a not-so-successful attempt to propagate the
myth that this protection is so secure that even they can't bypass it.

~~~
thefreeman
I don't think reformatting would have helped in this scenario (in fact
according to the blog post, he believes it made it work).

I don't own any Macs, but I think this is some sort of "remote lock" function
provided by Apple.

It sounds like the buyer did not re-register the device with their own Apple
ID (assuming that is possible).

~~~
wyager
>It sounds like the buyer did not re-register the device with their own Apple
ID (assuming that is possible).

This is correct. You are supposed to set up your own iCloud account on the
device, to make sure that no one else (except maybe Apple) has remote control
over the device.

Actually, I don't remember reading about that in the Apple security
whitepaper. Does Apple claim that they can't remote-lock your device without
your password?

------
orvtech
Well, I saw a spike in traffic to my site and traced the source to HN... Let's
hope the migration from WordPress to Pelican pays off.

As mentioned by some of you, this is from early 2013, but the code still works.
Furthermore, it has been tweaked (the timeouts and keypress duration) to be
compatible with most Macs yet as efficient as possible.

I also did an iCloud Padlock version
[http://orvtech.com/ataque-fuerza-bruta-pin-icloud-en.html](http://orvtech.com/ataque-fuerza-bruta-pin-icloud-en.html)
but it takes way longer.

I am working on a version that, using a Raspberry Pi + Arduino, should work on
any BIOS, EFI, or PIN lock for that matter.

~~~
madeofpalk
For what it's worth, if you can produce some sort of proof-of-purchase, you
can take it to an Apple Store and they can remove the EFI Pin. They tend to be
pretty reasonable about this most of the time.

~~~
orvtech
The buyer tried this, but he purchased it from one of his contractors, so they
did not do anything in writing.

------
jsumrall
If the buyer had reformatted the HD immediately after buying it, would that
have made it impossible for the seller to lock it? Could the buyer have
changed the account which it was linked to without going through the seller?

Of course a bill of sale would also have been enough to get Apple to help,
according to another comment. But even that is not hard to forge.

~~~
orvtech
I think so. The correct procedure would have been to assign another iCloud
account and assign yourself another PIN (lock it with your own PIN)... Then
reformat it.

------
RKearney
Note this is from February 2013.

------
mschuster91
Interesting that Apple did not implement a forced delay (i.e. first fail -
immediate, second fail - 5 sec wait, third fail - 25 sec, ...).

~~~
orvtech
They did it for the iCloud lock which can be circumvented by automatically
rebooting the Mac every X tries.
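
The exchange above (an escalating delay that a reboot can reset) as an added example, not code from the original post or from orvtech's tool: a toy PIN verifier with the 0 s / 5 s / 25 s / ... schedule mschuster91 describes, run once with a RAM-only failure counter and once with a counter that survives a reboot, so the value of persisting the lockout state in non-volatile storage shows up as a number. The `PinLock` class, its constructed `"0000"` PIN and the `enforced_delay` helper are all assumptions of this example.

```python
"""Constructed model of the escalating-delay lockout discussed in the thread.

Schedule from the comment: 1st failure immediate, 2nd 5 s, 3rd 25 s, ...
so delay_after(n) = 5 ** (n - 1) seconds once n >= 2 consecutive failures.
"""
import hmac
from dataclasses import dataclass


def delay_after(failures: int) -> int:
    """Seconds the verifier waits after the n-th consecutive failure."""
    return 0 if failures < 2 else 5 ** (failures - 1)


@dataclass
class PinLock:
    """Toy PIN verifier (hypothetical). `persistent` decides whether the
    failure counter lives in non-volatile storage or only in RAM."""
    pin: str
    persistent: bool
    failures: int = 0
    wait_total: int = 0  # seconds of enforced delay accumulated so far

    def attempt(self, guess: str) -> bool:
        if hmac.compare_digest(guess, self.pin):
            self.failures = 0
            return True
        self.failures += 1
        self.wait_total += delay_after(self.failures)
        return False

    def reboot(self) -> None:
        """A RAM-only counter is lost on reboot; a persisted one is not."""
        if not self.persistent:
            self.failures = 0


def enforced_delay(persistent: bool, guesses: int, reboot_every: int) -> int:
    """Total delay a loop of wrong guesses incurs when the machine is rebooted
    every `reboot_every` guesses. The guess never matches (constructed input),
    so this measures only how much the lockout policy slows things down."""
    lock = PinLock(pin="0000", persistent=persistent)
    for i in range(1, guesses + 1):
        lock.attempt("XXXX")
        if i % reboot_every == 0:
            lock.reboot()
    return lock.wait_total
```

With a reboot every 3 guesses the RAM-only counter caps the delay at 30 s per boot cycle, while the persisted counter keeps climbing (9 guesses: 90 s versus 488280 s).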

------
chrisBob
It appears that the buyer didn't consider that they bought a stolen MBP. My
first guess after reading this is that the real owner discovered their
computer was stolen.

This is a good reason to test and change the iCloud account while the seller
is standing there. I am not sure about the laptops, but an iPad/iPhone needs
the same pin to change the account it is associated with, so you get some
immediate evidence if you are buying something stolen.

~~~
orvtech
The message on the first lock screen (iCloud padlock) read "Devuelve me la
laptop y te devuelvo el dinero" which means "Give me back the laptop and I
will return your money".

