Mac OS X Security: Open Firmware Password

Open Firmware Password
Assuming someone gains access to your host, all is not lost. There are ways to prevent a person from gaining various types of access. Unfortunately, there are things that you can't stop. A malicious user can steal a whole machine or open it up and steal sensitive parts such as the hard drive or other storage media. Some computer cases have locks or places where antitheft devices can be attached. These mechanisms can make theft much more difficult for the casual attacker. The antitheft techniques differ from machine to machine, so consult the documentation that came with your computer.

Your Mac's bootstrapping process is controlled by something called Open Firmware. Open Firmware is a small program contained on a chip within your computer that controls its boot process. Open Firmware was developed many years ago and is used for many different computing platforms, including Sun and Apple's Macintosh series. It is similar to a BIOS on a PC but provides much more functionality and extensibility than a typical BIOS implementation.

Newer versions of Open Firmware can password-protect your boot process. To make use of this functionality, you must be running Open Firmware version 4.1.7 or newer. You can find out which version your machine is running by launching System Profiler and looking for the Boot ROM Version section. If you need to upgrade your Open Firmware, go to http://www.info.apple.com/ and search for the correct upgrade for your platform. Alternatively, firmware updates are also available on your Mac OS X 10.2 installation CD.

After you have updated your machine, download the Open Firmware Password application from http://docs.info.apple.com/article.html?artnum=120095 or install it from the Mac OS X 10.2 installation CD. This application allows you to password-protect certain functions of Open Firmware when the system is being booted, including

  • Booting to CD-ROM, NetBoot, or a specific disk

  • Booting in verbose mode

  • Booting into single user mode

  • Booting to the Open Firmware prompt (Command-Option-O-F at startup) and issuing commands

Figure 3.2 shows the Open Firmware Password utility in action. Be sure you use a difficult-to-guess password.



These features are great in a lab environment when a normal unattended boot is desired, but booting to a CD would generally only be done by a malicious user. Unfortunately, many people would like to have a higher degree of security by requiring a password at boot time to simply bring the operating system up. This functionality is analogous to a POST password on a PC. Although Apple does not supply a tool for directly configuring a boot password, Open Firmware does support this concept.

nvram is a program, run from the Terminal application, that displays the contents of many variables stored within Open Firmware. Run as a normal user, it shows the public values but cannot modify any of them. Run via sudo nvram, it also prints the private fields, such as the password, and allows the Open Firmware contents to be modified. The -p flag prints the contents of Open Firmware:

bash-2.05a$ sudo nvram -p
Password:
... a great deal of output...
security-mode command
... more output...
security-password %e8%cc%d2%cf%c1%c1

Rather than use the nvram command, a machine can be booted directly to the Open Firmware prompt. Pressing Command-Option-O-F as the machine boots bypasses the normal boot process and provides a prompt that directly controls Open Firmware. The security mode can be reset to none by issuing the setenv security-mode none command at the Open Firmware prompt. printenv displays all Open Firmware variables. Typing reset-all reboots the host after the password has been reset. For a complete discussion of Open Firmware commands, see Apple Tech Note 1061 at http://developer.apple.com/technotes/tn/tn1061.html.

The Apple Open Firmware Password application sets the security mode to command, which provides the level of protection listed earlier. To return the security mode to the value that shipped with your machine, execute sudo nvram security-mode="none". To enable password protection for all Open Firmware activities, including booting to the default disk, set security-mode to full. This forces anyone who wants to boot the machine into the normal operating system to know the Open Firmware password. To make brute forcing the password unlikely, be sure to set a password that is difficult to guess and contains a variety of characters.
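As an added example, not code from the book, the POSIX shell script below audits the settings discussed above by parsing the output of nvram -p: it reports which security mode (none, command, or full) is in effect and whether a security-password value is present. The function names, the constructed sample of nvram -p output, and the audit messages are assumptions of this example; the parser works on a saved copy of the output, so it can be exercised without sudo or a real Mac.

```shell
#!/bin/sh
# Added example (not from the book): audit Open Firmware password settings
# from `nvram -p` style output ("name<tab>value" per line, as shown in the
# book's listing). Everything below is written for this example.

# Constructed sample of `nvram -p` output. A real run prints far more, and
# the security-password line appears only when run via sudo.
SAMPLE_NVRAM_OUTPUT=$(
  printf '%s\t%s\n' \
    'boot-device'       'hd:16,\\:tbxi' \
    'security-mode'     'command' \
    'security-password' '%e8%cc%d2%cf%c1%c1' \
    'boot-args'         ''
)

# Print the value of one Open Firmware variable from nvram -p text on stdin.
# Prints nothing if the variable is absent. Accepts tab or space separators.
of_var() {
    awk -v name="$1" '$1 == name {
        v = substr($0, length($1) + 1)
        sub(/^[ \t]+/, "", v)
        print v
        exit
    }'
}

# Describe the security mode: "full" guards every boot, "command" guards
# only non-default boots (CD, NetBoot, single user, verbose, OF prompt),
# and anything else means the boot process is unprotected.
of_security_level() {
    mode=$(printf '%s\n' "$1" | of_var security-mode)
    case "$mode" in
        full)    echo "full: password required for every boot" ;;
        command) echo "command: password required for CD, NetBoot, single-user, verbose, OF prompt" ;;
        *)       echo "none: no Open Firmware password protection" ;;
    esac
}

# Succeed (exit 0) only when the mode is command or full AND a password
# value is stored; a mode with no password is not real protection.
of_is_protected() {
    mode=$(printf '%s\n' "$1" | of_var security-mode)
    pw=$(printf '%s\n' "$1" | of_var security-password)
    [ -n "$pw" ] && { [ "$mode" = command ] || [ "$mode" = full ]; }
}

# Audit either a saved copy passed as $1 or, with no argument, the live
# settings (sudo is needed for security-password to be visible).
audit_open_firmware() {
    if [ -n "$1" ]; then out=$1; else out=$(sudo nvram -p); fi
    of_security_level "$out"
    if of_is_protected "$out"; then
        echo "OK: Open Firmware password is in effect"
    else
        echo "WARNING: set a password (Open Firmware Password utility) and run: sudo nvram security-mode=\"full\""
    fi
}

# Stand-alone run against the constructed sample:
audit_open_firmware "$SAMPLE_NVRAM_OUTPUT"
```

On a live machine, run audit_open_firmware with no argument (it will prompt for the sudo password). The check deliberately treats a mode of command or full without a stored security-password as unprotected, since the mode alone does nothing until a password is set.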

NOTE
The security password displayed by the nvram command is not a cryptographically secured password. The password is simply displayed in its hexadecimal representation. This is merely an obfuscation of the password, not actual protection. Be aware that a user with administrative privileges can easily decode this password and use it later without your knowledge.

Password-protecting Open Firmware does not ensure that the host cannot be booted in a manner counter to what you intend. An attacker who can open the case of the computer can force a password reset. Adding or removing memory puts the host into a mode in which the PRAM can be reset by pressing Command-Option-P-R at boot time. Once the PRAM is reset three times, the password protection is removed. This quirk in the Open Firmware architecture underscores the need for physical locks on your hosts.

Also, a utility called FWSucker allows an attacker, once logged in to a host, to harvest the Open Firmware password. Even guest users can decode the password. FWSucker is available from http://www.msec.net/software/. Again, Open Firmware password protection must be treated as one tool for protecting your host, not as absolute protection.


Potter, Novell, and Wotring. MAC OS SECURITY, ©2003 New Riders Publishing. Reproduced by permission of Pearson Education, Inc., publishing as New Riders Publishing. ALL RIGHTS RESERVED.
