Sunday, July 03, 2016

I unbricked my MacBook

A couple of weeks back I wrote about how someone put an iCloud lock on a MacBook Air that I'd owned for over three years.  I was about ready to write the machine off and sell it for parts, but I couldn't do that until I had wiped the internal SSD because it contained personal information that I didn't want to fall into the wrong hands.  To do that, I needed some special tools so I could open the machine up, and an adapter so I could connect the SSD to a USB port once I'd gotten it out.  While I was waiting for those to arrive, I decided to take another whack at brute-forcing the EFI PIN using this handy-dandy utility.  It was a time-consuming process, made all the more time consuming by the fact that the Teensy3 that it runs on doesn't have any way to display which PIN code it is currently trying, so even after the machine was unlocked I still didn't know what the PIN code was.  I toyed with the idea of pointing a camera at the screen to keep track of when the unlock happened, but in the end I ended up just running the brute-force multiple times and doing a binary search to find the code.

Once I had the PIN, I was able to remove the EFI firmware lock, but I was still not able to boot from the original SSD.  Apparently, some of the things that Apple told me during the original debugging process were false (imagine that!).  As far as I can tell, there are two locks that you can put on a machine: an iCloud lock and an EFI firmware lock, and my machine had both.  I was able to brute-force the EFI lock, but unfortunately my previous unsuccessful efforts to brute-force the iCloud lock had uncovered what seems to be a bug in the iCloud lock code: after a few dozen unsuccessful guesses at the iCloud PIN, the machine starts to disable itself for progressively longer periods of time before it will accept further guesses.  In my case, that period of time was (according to the information displayed on the screen) an hour.  But when I waited an hour, it simply recycled to the same screen, and still would not accept any further PIN attempts.  So I ended up wiping the hard drive and doing a clean re-install of Mavericks.  And this time, I bound the machine to my iCloud account and verified that I could lock it.  I could.

There was still one potential snag: it was possible that a machine could be bound to more than one iCloud account at once.  After all, if removing an iCloud binding really was as simple as logging in to a different iCloud account and turning on find-my-mac, that would make the lock feature completely useless against all but the most naive of thieves.  So I did the experiment: I created a second iCloud account for myself and tried to log in to it.  I could do that, but when I tried to turn on the find-my-mac feature from that account, I got this:

And that is the smoking gun.  At least on Mavericks, find-my-mac is trivial to disable and hence completely useless.  The only reason that someone else was able to lock my mac was because I didn't know that this feature existed, because I never use iCloud.  Find-my-mac is not a theft deterrent at all; it is a way for Apple to coerce people into using iCloud by allowing denial-of-service attacks to be launched against people who opt out.

There is one additional wrinkle: shortly before my machine was locked (like a week or two) I upgraded it to Yosemite.  Back when I was still dealing with Apple tech support they told me that there was no possible way that this had anything to do with the lock being placed, but I'm not sure I believe this.  The timing was just too close, and removing the lock from Mavericks just too easy, for this to have been coincidence.  I am pretty confident that Apple battened down the hatches somehow, but in order to figure that out I would have to re-upgrade the machine to Yosemite so I can noodle around with it, and I won't be making that mistake again.

But if there's anyone out there with a Yosemite machine who feels like doing this experiment (make two iCloud accounts and see what happens when you try to find-my-mac with both of them at the same time), please do let me know what happens.