September 5th, 2010
Open Firmware Password – a feature of Mac OS X Security
Firmware Password, by Albel.
Suppose someone gains access to your computer: all is not lost yet. There are ways to prevent a person from gaining different types of access. Unfortunately, there are things that you can't stop. A malicious user can steal a whole machine, or open it and steal sensitive parts such as hard drives or other storage devices. Some computer cases have latches or places where anti-theft devices can be installed. These mechanisms make casual theft much more difficult for an attacker. Anti-theft mechanisms differ from machine to machine; consult the documentation that came with your computer.
Your Mac's bootstrapping process is controlled by so-called Open Firmware. Open Firmware is a small program on a chip in your computer that controls the boot process. Open Firmware was designed many years ago and is used on many different computer platforms, including Sun and the Apple Macintosh series. It is similar to a BIOS on a PC, but offers much more functionality and expandability than a typical BIOS implementation.
Newer versions of Open Firmware password-protect your boot process. To make use of this functionality, you must be running Open Firmware version 4.1.7 or newer. You can find what version your machine is running by launching System Profiler and looking for the Boot ROM Version section. If you need to upgrade your Open Firmware, go to http://www.info.apple.com/ and search for the correct upgrade based on your platform. Alternatively, firmware updates are also available on your Mac OS X 10.2 installation CD.
After you have updated your machine, download the Open Firmware Password application from http://docs.info.apple.com/article.html?artnum=120095 or install it from the Mac OS X 10.2 installation CD. This application allows you to password-protect certain functions of Open Firmware when the system is being booted, including:
- Booting to CD-ROM, NetBoot, or a specific disk
- Booting in verbose mode
- Booting into single user mode
- Booting to the Open Firmware prompt (Command-Option-O-F at startup) and issuing commands
Figure 3.2 shows the Open Firmware Password utility in action. Be sure you use a difficult-to-guess password.
These functions are great in a lab, where you want a normal boot to happen automatically but booting from a CD would be carried out only by a malicious user. Unfortunately, many people would simply like a higher level of security by being asked for a password whenever the operating system is booted. This functionality is similar to a POST password on a PC. Although Apple does not provide an interface for directly configuring a boot password, Open Firmware supports this approach.
nvram is a program accessible via the Terminal program that displays the contents of many variables stored within Open Firmware. Running it as a normal user allows you to view the public values but not modify any of them. Running it via sudo nvram prints any private fields, such as the password, and allows modification of the Open Firmware contents. The -p flag prints the contents of Open Firmware:
bash-2.05a$ sudo nvram -p
Password:
... a great deal of output...
security-mode command
... more output...
security-password %e8%cc%d2%cf%c1%c1
Rather than use the nvram command, a machine can be booted directly to the Open Firmware prompt. Pressing Command-Option-O-F as a machine is being booted bypasses the normal boot process and provides you with a prompt that directly controls Open Firmware. The security mode can be reset to none by issuing the setenv security-mode none command at the Open Firmware prompt. printenv displays all Open Firmware variables. Typing reset-all reboots the host after resetting the password. For a complete discussion of Open Firmware commands, see Apple Tech Note 1061 at http://developer.apple.com/technotes/tn/tn1061.html.
The Apple Open Firmware Password utility sets the security mode to command. This provides the functionality listed above. To return the security mode to the original value your computer shipped with, run sudo nvram security-mode="none". To enable password protection for all Open Firmware activities, including booting from the standard hard drive, set the security mode to full. This forces a user who wants to boot the machine into the normal operating system to know the Open Firmware password. To make brute-forcing the password unlikely, choose a password that is not easy to guess and that contains a variety of characters.
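The check below is an added example, not part of the original article: it reads `nvram -p` output and reports whether the security mode described above actually protects the boot process. The function names and the sample input are constructed for illustration, and the script assumes the output was captured with sudo so the private fields are present.

```shell
#!/bin/sh
# Added example: audit `nvram -p` output for the Open Firmware
# security-mode values discussed above (none, command, full).
# Assumption: stdin was captured with `sudo nvram -p`, so the private
# security-password field is included.

# Prints one finding per line; returns 0 only when a protecting mode
# ("command" or "full") is set and a password is stored.
audit_of_security() {
    awk '
        BEGIN { rc = 0 }
        $1 == "security-mode"     { mode = $2 }
        $1 == "security-password" { pw = $2 }
        END {
            if (mode == "") {
                print "FAIL: security-mode not present in the output"; rc = 1
            } else if (mode == "none") {
                print "FAIL: security-mode is none (no password protection)"; rc = 1
            } else if (mode == "command") {
                print "OK: command mode (alternate boot paths and the prompt need the password)"
            } else if (mode == "full") {
                print "OK: full mode (every boot needs the password)"
            } else {
                print "FAIL: unrecognized security-mode: " mode; rc = 1
            }
            if (rc == 0 && pw == "") {
                print "FAIL: a mode is set but no security-password is stored"; rc = 1
            }
            exit rc
        }'
}

# Constructed sample modeled on the excerpt above; the password value
# is a placeholder, not a real stored password.
sample_nvram() {
    cat <<'EOF'
auto-boot?      true
security-mode   command
security-password       %00%00%00%00
EOF
}

sample_nvram | audit_of_security
# On a real machine: sudo nvram -p | audit_of_security
```
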
NOTE
The security password displayed by the nvram command is not a cryptographically secured password. The password is simply displayed in its hexadecimal representation. This is merely an obfuscation of the password, not actual protection. Be aware that a user with administrative privileges can easily decrypt this password and use it later without your knowledge.
Open Firmware password protection does not ensure that the host can be booted only in the way you intend. An attacker who can open the computer case can force a password reset. Adding or removing memory puts the host in a mode where it is possible to reset the PRAM by pressing Command-Option-P-R at boot time. Once the PRAM has been reset three times, the password protection is removed. This trait of the Open Firmware architecture highlights the reason for physical locks on your hosts.
Also, a utility called FWSucker allows an attacker, once logged in to a host, to harvest the Open Firmware password. Even guest users can decrypt the password. Again, Open Firmware password protection must be treated as a tool in protecting your host, not absolute protection.
