Firmware Password Ignored (Security Flaw?)

I'm following Apple's instructions for setting a firmware password on my late 2009 MacBook Pro.
These are detailed in the knowledge base article here: http://support.apple.com/kb/ht1352
Per the instructions, I'm booting from my Snow Leopard DVD, running the Firmware Password Utility, and entering/confirming the password.
When I reboot, I am still able to 1) Hold the T key and enter target disk mode, 2) Hold the C key and boot from my Snow Leopard install disk. At no point do I see a password challenge. The chart in the KB article clearly lists these actions as things that are supposed to be blocked by the firmware password.
Has anybody else tried the same thing with a recent Intel-based MacBook Pro?

I have a MBP and just set a firmware password a few hours ago. To make sure it took, I held down option key and also did the keys for open firmware (O + F), C for startup from CD/DVD and T for Firewire target disk mode and nothing worked as it should.
Here's one option for you. Open Terminal. On the command line type: nvram -p
This is the unix command for working with open firmware. The '-p' prints the values of the public variables to the terminal window. Amongst all the gibberish, look for the following line:
security-mode [value here]
If the [value here] on your system says 'none' then, for some reason open firmware didn't take.
If the value is 'command' then it should be working correctly.
Also, if you have replaced your internal optical drive with an extra hard disk, make sure you have the volume you want to boot from set correctly in Startup Disk. Amongst the variables that Open Firmware stores is the startup disk. So if you have two internal drives and you set the firmware password on one and you normally boot your computer with the other drive, that could be why it's not working for you.
At the very least, I would take the time to try it one more time via the DVD utility. Startup off the DVD, turn off firmware password, restart the machine, startup off the DVD again and set a firmware password and then restart again. I would think it would be fine at that point.
Two cautions:
1) Be careful where and around whom you use this command, as the open firmware password you chose is not encrypted, it is only obfuscated. Unix is actually showing you your firmware password in hexadecimal notation so it could be deciphered by someone who knows how.
2) While you can use sudo with nvram to change open firmware variables, I do not recommend it as I have not tried it and I don't know how your system would behave. So if you choose to do this you do so at your own risk.
Let us know what happens.
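
The check and the first caution from the reply above, as an added example that is not part of the original thread: one filter reads the security-mode line from `nvram -p` output, the other blanks the stored password value before the output is pasted anywhere. The sample output is constructed; the tab-separated layout, the `security-password` variable name and the extra `full` mode are assumptions not stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. All filters read `nvram -p` output on stdin.
# Real use on the Mac itself:  nvram -p | firmware_password_status

# Constructed sample of `nvram -p` output (name<TAB>value). Values are made up.
sample_nvram() {
    printf 'boot-args\t\n'
    printf 'SystemAudioVolume\t%%40\n'
    printf 'security-mode\tcommand\n'
    printf 'security-password\t%%aa%%bb%%cc\n'
}

# Print the value of security-mode, or "unset" when the variable is absent.
firmware_security_mode() {
    awk -F '\t' '
        $1 == "security-mode" { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Interpret the value as the reply does: "none" means the password did not
# take, "command" means it is active. "full" (assumption, not mentioned in
# the thread) is treated as active too. Exit status: 0 active, 1 not active,
# 2 unrecognised value.
firmware_password_status() {
    mode=$(firmware_security_mode)
    case "$mode" in
        command|full) echo "enabled ($mode)";      return 0 ;;
        none|unset)   echo "not enabled ($mode)";  return 1 ;;
        *)            echo "unrecognised ($mode)"; return 2 ;;
    esac
}

# Replace the obfuscated password value so the rest of the output can be
# shared, for example in a forum post. Other lines pass through unchanged.
redact_nvram() {
    awk -F '\t' '
        BEGIN { OFS = "\t" }
        $1 == "security-password" { $2 = "[redacted]" }
        { print }'
}

# Demo on the constructed sample.
sample_nvram | firmware_password_status || true
sample_nvram | redact_nvram
```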

Similar Messages

  • Firmware password ignored

    Hello
    I set a firmware password but it is ignored at boot time and I can no longer boot from the DVD.
    I booted from the original Apple DVD (by holding the c key) and chose the firmware password from the utilities. After setting the password, I rebooted and boot succeeded without a password prompt. I have shutdown/restarted many times and not seen the prompt.
    I also can no longer boot from DVD. Booting while holding the c key no longer works.
    Note, if it means anything, that the 'nvram -p' command gives 'security-mode command'
    Can anyone help/advise.
    Thanks.


  • Screen Saver Password Protection - Security Flaw

    Although I have always felt OS X has been a solid and secure operating system, there continues to remain one painful, and blatant security flaw. I keep thinking that Apple will address the issue, but they certainly haven't done so thus far.
    Explanation:
    With any good security policy, and in any secure environment, there will always be a need to "lock" (password protect) a system when not in use. That is, after 'X' period of time, the user interface is password protected so as not to allow access to the system while not in use. This is probably the most common and fundamental security measure in any environment. However, Apple's (GUI) password protection falls short in a number of ways. The only current method of password protecting the user interface is through the Screen Saver. Although at a glance it appears functional, it is a poor design and is easy to disable.
    The screen saver configuration lies within two files; the ~/Library/Preferences/com.apple.dock.plist and ~/Library/Preferences/ByHost/com.apple.screensaver.<variable>.plist. It is especially important to note that both of these files are located in the user's home folder, which gives them full access to the configuration files. There is absolutely nothing preventing a user from deleting these files, and thus, disabling the only mechanism to password protect the user interface. Giving the user the ability to disable or remove ANY security related configuration is a poor design.
    Now initially we thought we had a solution by setting the user immutable flag on the ByHost screen saver plist using chflags. This would still allow user access, but would prohibit them from deleting the ByHost plist. Well, it sounded good in theory. However, if ~/Library/Preferences/com.apple.dock.plist is deleted, you can say goodbye to your password protected screen saver, despite locking the screen saver plist. So naturally the idea occurred to me to set the user immutable flag on ~/Library/Preferences/com.apple.dock.plist. This works, but makes it impossible to modify the Dock. Needless to say, if the Dock can't be modified, there's no point in even having it.
    Now that isn't the only thing wrong with the screen saver password protection. You would expect that an administrator could unlock a user's (password protected) screen saver, but you would also assume that the user was logged off as a result. Not in this case... If an admin unlocks a password protected screen saver for a user, they are now logged in as that user and have access to everything the user was doing when it was locked (email, spreadsheets, confidential information... anything). This is not the preferred method. If for some reason an admin needs to unlock a password protected screen saver, it should log off that user, not allow access to the user's session.
    Finally, the biggest flaw yet. With a recent update, the password protection doesn't even work, as indicated by several people in the following threads.
    http://discussions.apple.com/thread.jspa?messageID=2706417&#2706417
    http://discussions.apple.com/thread.jspa?messageID=1950444&#1950444
    http://discussions.apple.com/thread.jspa?messageID=2648700&#2648700
    I have personally seen this issue while developing our corporate OS X image. Despite any fix or workaround, the simple fact that this has occurred is disturbing. ...As if the design wasn't bad enough, it now has the potential to stop working entirely.
    Now don't get me wrong, I love OS X and prefer to work on it over any other operating system. Nonetheless, the current design for the "screen lock" is inadequate at best. For a large enterprise environment with stringent security requirements, it's far from sufficient. My hope in posting this is that someone from Apple acknowledges the design flaw and incorporates a more effective solution into the next OS.
    MacBook   Mac OS X (10.4.6)  

    One thing I forgot to mention is that "Workgroup Manager.app" is a part of the "Server Admin Tools" which can be downloaded free from Apple. Although it seems to be primarily intended to be used to configure OS X Server from an OS X Client machine, many of its functions can be used to configure the OS X Client machine itself, in the complete absence of OS X Server. Unfortunately, the 'mcx_settings' aren't really "image friendly" - as far as using them on OS X client is concerned, they are something that seem to need to be applied to user accounts individually (although it is possible to copy all of the settings at once so it isn't necessary to go through the whole configuration process for each setting for each user). I have tried tinkering and applying them to groups, but group members don't seem to automatically be restricted (I may be missing something). The "tools" are available here:
    http://www.apple.com/support/downloads/serveradmintools104.html
    I don't know if it would be any better than the screen saver "hot corner", but there is an option to lock the screen from the "Keychain Access" menu extra, which can normally be enabled through "/Applications" > "Utilities" > "Keychain Access.app", from its "Preferences". This setting is then stored in the "com.apple.systemuiserver.plist" file (ie independent of the "Dock"), but could in principle be controlled from 'mcx_settings' as well. The level of control seems to be incomplete - the user can still drag the item off of the menu bar, but it returns during the next login. However, it does provide convenient access to a method to lock the screen and keychains, and has a nice "padlock" icon so that its function is obvious. It is also potentially possible to assign a two-step keyboard shortcut to the "Lock Screen" item, but it would be somewhat less convenient than a direct key combo...
    One other note regarding the "admin" user's ability to unlock the screensaver. The configuration file allowing the "admin" user to do this is "/etc/authorization", under 'system.login.screensaver'. Currently, the "rule" is set to 'authenticate-session-owner-or-admin'. Changing it to 'authenticate-session-owner' would be expected to remove the "admin" user's ability to unlock the screensaver, and if "Fast user switching" is available, the "admin", being unable to authenticate, should be able to switch to the "login window" from the authentication dialogue. I haven't tested this at all in "Tiger", but in "Panther", there was apparently a problem with it (which is why it had slipped my mind since at the time it was rejected as a viable option) - the person who posts here as "LittleSaint" had mentioned some problem with user logins when set up that way but I don't remember what it was, and so can't test if it has been fixed in "Tiger" (not very reassuring, and I apologize). And again, this is a setting that an "admin" would be able to reverse for themselves. Also, should "Fast user switching" become disabled for some reason, and the screen saver kicks in and the user isn't available, it might be a hassle to get back into the machine (it might be possible to do something over ssh). Nevertheless, it might be something to look in to.
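
    The /etc/authorization setting described in the reply above can be read without editing the file. This is an added example, not part of the original post; the plist fragment is constructed, and its layout (a "rule" key inside the dict that follows the system.login.screensaver key) and the "example.other.right" entry are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Filters read the authorization plist on stdin.
# Real use on the Mac itself:  screensaver_unlock_audit < /etc/authorization

# Constructed fragment in the assumed layout. "example.other.right" is a
# hypothetical entry, present only to show that its rule is not picked up.
sample_authorization() {
    cat <<'EOF'
<key>example.other.right</key>
<dict>
    <key>rule</key>
    <string>some-other-rule</string>
</dict>
<key>system.login.screensaver</key>
<dict>
    <key>class</key>
    <string>rule</string>
    <key>rule</key>
    <string>authenticate-session-owner-or-admin</string>
</dict>
EOF
}

# Print the rule configured for system.login.screensaver, or "missing".
# Only the dict that directly follows that key is inspected.
screensaver_unlock_rule() {
    awk '
        /<key>system\.login\.screensaver<\/key>/ { in_right = 1; next }
        in_right && /<\/dict>/                   { exit }
        in_right && /<key>rule<\/key>/           { want = 1; next }
        in_right && want && /<string>/ {
            sub(/^.*<string>/, ""); sub(/<\/string>.*$/, "")
            print; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# Report who may unlock a locked screen saver session.
# Exit status: 0 owner only, 1 owner or any admin, 2 anything else.
screensaver_unlock_audit() {
    rule=$(screensaver_unlock_rule)
    case "$rule" in
        authenticate-session-owner)          echo "owner only";         return 0 ;;
        authenticate-session-owner-or-admin) echo "owner or any admin"; return 1 ;;
        *)                                   echo "unexpected: $rule";  return 2 ;;
    esac
}

# Demo on the constructed fragment.
sample_authorization | screensaver_unlock_audit || true
```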

  • IMessage password/Apple ID security flaw?

    I'm still able to sign into iMessage on my iPad mini using an old password/Apple ID.... Why is this and how do I fix it?

    Sorry for the old bump.
    But my issue is similar and a security flaw.  If I turn off iMessages on my iPad, anyone can turn them on, enter the wrong password, and poof they work.
    How is it that I can enter ANY password and iMessages works?
    Seems not secure at all.  If I go on my colleague's iPhone, enter my Apple ID (my email - duh) and the wrong password, it works there too.
    How do I restrict this?

  • Boot Process with active EFI Firmware Password

    I have a MacMini with Linux installed (for an embedded application) on the internal hard drive, and Mac OS X 10.5.6 available on an external Firewire / USB drive. The machine is a 1.83 MHz 2008 production unit with EFI version MM21.009A.B00 firmware installed (no later update is reported as available via the OS X Software Updater).
    The system normally boots from the internal (Linux) disk without user interaction when first powered up.
    In order to restrict users from starting the system from alternate devices, we activated an EFI firmware password. After doing so with the Open Firmware Password application on the OS X installer DVD (booted with option key and selecting the DVD icon, or with the C-key held), the system no longer automatically boots either of the two available hard disk devices. Rather a flashing file folder icon with question mark appears when the machine is powered up without any user interaction.
    With the EFI password active, it is necessary to hold the option key down, enter the password, and then select the desired disk device icon (either internal Linux or external OS X device) in order to boot the system. It appears that the system can no longer automatically select a boot device when started up, even if only one is available. This requires that every user of the embedded system must know the EFI password in order to start the system. This seriously compromises the protections that a user would expect to achieve by using the EFI password capability.
    Is this the expected performance of the firmware after the EFI password has been activated, or is this performance the result of a design flaw in the EFI code when the firmware password is active (i.e. is this a "feature" or a bug)?

    Welcome to Apple Discussions!
    The EFI firmware protection is there for people who work in environments where their machines must be secure from intruders, and secures information in event the machine gets stolen. If that sort of protection is too much for your needs, just setup your security and account preferences to log out when energy saver and/or screen saver is activated, and automatic log on is disabled. That's pretty good unless a person who steals your machine or has access to your machine has the original discs which came with the Mac, or newer retail operating system (up to the limits of the machine's hardware). So consider how much security you need, and you can ask the system to be that secure.

  • Fatal Security Flaw in WRT54GS?

    Sorry I don't have the hardware revision handy.
    Firmware is 1.52.0.  Model is WRT54GS.
    I'm configured with WPA2-PSK/AES.  Broadcasting my SSID.  No MAC access filtering.
    HTTPS access only to the config pages.  Custom (not default) password.  Remote management disabled.
    Summary:
    The router simply "forgot" its assigned SSID and reverted to broadcasting as "linksys".
    It also ceased encrypting its broadcast.
    I was able to log in and change it back.  It retained many of the OTHER settings I had previously configured.
    What causes this?  Is it a known issue?  Is there a fix?
    Details:
    Two days ago, I noticed my client (laptop) could no longer see the usual SSID that I connect to on my home network.
    However, there was a new SSID in the area, named "linksys", broadcasting UNSECURED.
    Coincidentally, this new "linksys" access point had the exact same signal strength that my usual access point typically had.
    So, I connected to it, you know, just to see.
    I was only able to access the config pages at my custom IP address (not at x.y.0.1), prefixed with the "https://" scheme identifier.
    And it didn't prompt for a password.  Hopefully because it recognized the cookie my browser still carried from the last time I logged in to it.  But maybe because it had temporarily dropped ALL of its security measures...
    It was definitely my router.  Just, stripped of its usual encryption/authentication and its usual SSID.
    So, I switched the SSID back to what it usually is.
    And I turned the WPA2-PSK/AES encryption back on.
    The router "remembered" my WPA2 passphrase, which it helpfully displayed to me as plaintext when I pulled down the "security mode" dropdown menu and selected "WPA2 Personal".
    After re-configuring, it works as well as ever.
    Is this a known security flaw in the WRT54GS?  Because....it seems like a fatal one, as far as network security is concerned.
    Is it limited to one firmware release?  Is there a firmware upgrade to fix it?
    (Again, I regret not having my hardware revision handy.)
    Thanks.

    Thanks for the reply.
    Yeah, the initial configuration was done wired.
    Subsequent reconfigurations were done wirelessly, on the encrypted wireless, connected via https.
    Remote management was NEVER enabled (and remained disabled, even after the router's little spell of amnesia).
    This particular router has been up and (mostly) stable for something like three years.  For the past year, WPA2-PSK encryption has been enabled.  The present WPA2-PSK passphrase is NOT the same as the old WEP key.
    I'll assume (just for a moment) that nobody hacked the router.  The only reason my router would be interesting for anyone to hack is simply because it's there.  And there are half a dozen other WPA2-PSK networks and a handful of WEP networks within shouting distance.  And, if it was hacked from the outside, that would also indicate a "fatal security flaw" in the WRT54GS...
    So, let's assume it just glitched out and forgot its own name for 12hrs.
    Tell me more about what happens to NVRAM as it ages.  Does it become less N(on) and more V(olatile) with time?
    I know the router got hit by a storm-related power surge about 9 months ago.  It was reset at that time, exhibited some strange behavior (not wanting to display the config web pages) and then it "settled down" after a day or two.
    While it's performed fine since then, it may have sustained some subtle sort of damage at that time.
    But no parameters were lost or altered in the NVRAM.  And there was no obvious surge-type event to precipitate it now.
    What's the life expectancy of these things anyway?  Is this an early warning sign that I should upgrade to new hardware?

  • How do I set the firmware password on 10.7

    Hi
    How do I set the firmware password in Mac OS 10.7.2 (MacBook Pro) ?
    The Apple instructions only seem to go up to 10.5.x
    Thanks

    Firmware password is not much use as any thief can reset it by pulling out the memory chips and putting them back in again.
    The only real way to secure your data 99% is to use FileVault 2.

  • Create password -router security

    Model BEFW11S4 wireless router, set up by my daughter a couple years ago, with no password. I've read that access passwords are wise for security, and to prevent your neighbors from using your connection. I have ZoneAlarm firewall and AVG antivirus, but apparently my router should also require a password for extra security?
    The router was set up on a Windows 98 computer, and replacement XP has been connected for a year w/no problems. I tried the web utility, but it didn't accept 191.168.1.1 password. The window to enter password wasn't the "XP" window, so maybe using a different computer than used for original setup is the problem?
    Also saw "firmware upgrades" mentioned, and don't know what this is about. Any advice regarding need for password, proper security settings, and how to do them would be greatly appreciated. Thanks for your time.

    To change any settings on the router, follow these steps:
    1) Connect the computer to the router.
    2) Open IE and go to http://192.168.1.1 . On the login screen, keep the username blank; the default password is "admin". If it does not accept this, it means the router password was changed at some point.
    3) If you do not remember the password, reset the router for 30 seconds and do a power cycle. Try "admin" as the password again.
    4) Get to the router UI. Go to the "wireless" tab and click on the "wireless security" subtab. You can set up a security mode from here.
    5) To change the router login password, go to the "administration" tab and change it.
    6) If you have a different kind of screen from what I am talking about, you will find the wireless security settings on the setup page itself, and to change the router password, click on the "password" tab and change it.

  • BusinessObjects security flaw left users vulnerable to attack

    Audit found this web article "BusinessObjects security flaw left users vulnerable to attack" http://searchsap.techtarget.com/news/2240025968/BusinessObjects-security-flaw-left-users-vulnerable-to-attack?asrc=EM_NLN_13056439&track=NL-137&ad=804092
    and they were wondering if our installation of BusinessObjects was also vulnerable. I was not able to answer for sure, so I asked our BASIS team. They said that it is not clear from the article what components are actually affected or in what patch level this is corrected.
    Does anyone know specifically where the security flaw is?
    Thanks,
    ~Matt Strehlow

    Hi Denis
    thanks for the reply.
    Are you absolutely sure that the passage should not be in the file any more?
    I've checked now 3 different installations and I've even checked the axis2.xml in the war files I found (dated 04/22/2010) and they all do contain these two lines:
        <parameter name="userName">admin</parameter>
        <parameter name="password">axis2</parameter>
    The installations were BOXI 3.1 SP3, meaning we used the "merged" installation files that include the SP3. One of the installations I checked even has Fix Pack 3.4 installed.
    The only axis2.xml file I found that did not contain this passage was from a BODI installation...
    Am I missing something here?
    thanks for any help!
    MU

  • Security Flaw: Screen Saver Authentication

    Hi,
    I have found a security flaw, it exists in both Panther and Tiger. If a system has 2 accounts, the first account being active and locked through a screen saver. The second account (if administrator) can type their username/password in the authentication screen, and it will unlock the first account. This works if the first account is an administrator or not. Any administrator username/password will authenticate any other account from the screen saver authentication box. I have proven this on 2 machines, a D2.5 G5, and a 1.6 iMac G5.
    Please contact me for further testing.

    it's not a TECHNICAL flaw, it is however a logical flaw, yes.
    Because admins are part of the sudoers files, one admin does have the permission to unlock another admin like that, the same as how when logged in with one account you can use another admin account to authorize the installation of software (why it's not necessary to be logged in with your admin account)
    The behavior I suspect you desire is the behavior Windows uses, where when you use an admin account to unlock a computer, it logs out the user who locked it (assuming the admin isn't the one logged in).
    I suggest you submit a feature request to Apple.

  • Open Firmware/ Firmware Password

    Sorry, I hope this is the appropriate board for this question.
    I'm confused about the Open Firmware/ EFI password application.
    I restarted using the install DVD, then navigated to the Firmware Password App. I checked the box and filled the password.
    However, it seems that if I want to disable it, all I need to do is restart from the install DVD and untick the Firmware Password box, and that's it. I'm not even asked to put in the old password to make sure that I'm me, and not a thief or someone like that.
    Second, and this may be related, the restart while holding command-option-o-f keystroke to access the Open Firmware doesn't work. My MBP just continues to merrily boot up.
    Am I missing something here?

    "However, it seems that if I want to disable it, all I need to do is restart from the install DVD and untick the Firmware Password box, and that's it."
    Yes, but doing so requires that you have either the firmware password or an administrator password for that computer. To increase security, disable automatic login from the Accounts or Security pane of System Preferences.
    "Second, and this may be related, the restart while holding command-option-o-f keystroke to access the Open Firmware doesn't work. My MBP just continues to merrily boot up."
    That keystroke is for PowerPC Macs only.
    (50864)

  • Security Flaw - Push apps opens the home screen on sleep?

    I'm sure this is a security flaw. I have my iPhone on the sleep mode. I pressed the sleep button and placed it in my pants. So no way I'm pressing the button and sliding the finger to unlock.
    After playing Words with Friends as one of the apps in question, I press the lock button. Seconds later my iPhone goes directly to home with an alert. No lock screen at all. I get the alert that says my friend made a move on the scrabble board.
    Anyone know of any other apps that have this security flaw?

    One more thing before you take it back to the store - try a restore. You will do this from within iTunes. Since you really don't have app data to concern yourself with, do a "restore as new". This will wipe it clean and reinstall the firmware. You can then sync to add everything back to it.

  • Forgot firmware password on mac

    Hello, I have never put a firmware password on my Mac. But when it did a software update, the Mac froze. Then it restarted and now it is asking me for a firmware password. Can someone help me?

    In making the Firmware Password secure, Apple does not provide a means for the user to reset or circumvent the barrier. If it were not so, then Firmware Password protection would be no protection at all.
    If indeed you are presented with a screen, such as Linc is showing, then your foremost option is to take the unit into an Apple Store Genius Bar to have them perform the necessary procedure to alleviate the situation.

  • I have a macbook pro (13inch). I had a firmware password set on it and updated the firmware when apple update told me to. I cannot change the firmware password or remove it now.

    Hello,
    I have a macbook pro which had a firmware password set on it (security-mode = command).
    Update asked me to install updates and one of them was an EFI update. I proceeded and the macintosh booted just fine.
    I've tried changing the firmware password, and removing the password without success so far. It's almost like the nvram terminal command does nothing as far as security is concerned.
    Help would be appreciated!
    J

    Apparently the newer macbooks use a different utility than the older macbooks.
    setregproptool will ask for the current password, and nvram is not used for these anymore.
    J

  • IPhone location tracker - still a security flaw?

    I hear a lot about a security flaw in the iPhone OS, allowing others to track the location of my phone without my consent and with no straightforward way to protect myself.  On the internet, I see semi-legal apps offered, said to track any iPhone, "just enter the phone number".
    First - is this still true?  I have updated to the latest iOS5.
    If not, what are the settings I need to be aware of?
    If yes, has Apple announced a plan to plug that security flaw?
    Short of jailbreaking my phone and installing unauthorized software - what can I do about it?
    /Lars

    There is not, and never was, a security flaw in iOS that allows or allowed others to track the location of the phone.
    The "apps" you see are generally bogus. They are "joke" apps. They can NOT do what they appear to do. It's simply not possible.
    ... unless ...
    If the phone is jailbroken, tracking apps can be installed. If your phone is not jailbroken, you have nothing to worry about. The only way anyone could track the location of your phone would be by accessing your iCloud account and using Find my iPhone. So long as you keep your password secure, this isn't an issue.  Oh... and Find my Friends if you've agreed to share your location with someone.
