Find my Mac passcode lock brute-force attack: What you need to know!

When Apple launched Find my Mac as an extension to their Find my iPhone system back in October of 2011 they included the ability to lock a Mac down so that it couldn't be accessed or rebooted into alternate modes. The lock, however, was implemented using a simple 4-digit passcode (PIN). That meant, with only 10,000 possible combinations, the passcode was susceptible to brute force attack. That's nothing new. It's been known since the start. What's new is that automated tools have now been developed to make the attack both easier and faster, and they're being reported on without a lot of context. So, is it something you should worry about?

A 4-digit passcode is the same basic type of protection offered on iPhone and iPad, but iOS devices are far more difficult to brute force and so far — outside of jailbreak — haven't been susceptible to automated attacks. Also, iOS offers the option for a much more secure, much stronger alphanumeric password to be set on the device.

With automatic login turned off on your Mac, entering the Find my Mac passcode will simply reboot the machine into the OS X login. That password should be more secure than a passcode anyway, and at the very least is an additional layer of protection.

An attacker with the physical access to your machine required to brute force a Find my Mac passcode also has the access required to crack the casing open, rip out the disks, and mount them on another, unlocked machine to access your data that way. That is, of course, unless you have FileVault disk encryption enabled. (FileVault, by the way, removes automatic login as an option.)

If you have both a strong OS X login password and FileVault encryption set up on your Mac, then you only ever have to use Find my Mac's lock feature if you've left your computer logged in and unattended and have a sudden reason to fear for its security. In that case, it works fine and any attacker intent and sophisticated enough to brute force the passcode would be greeted by the awesome OS X head-shake animation and a bunch of gobbledygook on the drive.

If you've inexplicably decided not to disable automatic login and use FileVault, and you have to use the Find my Mac lock feature to keep someone from getting into your computer, then, yes, a sophisticated attacker could either brute force your passcode or simply rip out the disk.

I'm not sure if Find my Mac's lock forces an OS X login even if automatic login is enabled — all my Macs have FileVault on so I can't test it. I'd be tempted to say even the option for weak, remote passcode protection on OS X is better than the lack of any similar option on other systems but, drive yank.

So, there are three take-aways here:

  1. You should, If you're worried about security, disable automatic login. You should also, if you have data you absolutely want to keep safe no matter what, turn on FileVault. That will stop anyone this side of a billion-dollar supercomputer from getting to your data even if they have physical access to your drive. Sure, that's less convenient but security is sometimes more important than convenience.
  2. Apple should provide the option for a stronger, alpha-numeric password for Find my Mac locks. Sure, that would increase the chances of a person using the lock and forgetting the password, especially in a panic. However, since passwords have to be confirmed, anyone who switches to the advanced option should be able to retain the password thy enter long enough to mark it down somewhere safe.
  3. People who publish articles on Apple security, especially in the post-SSL/TSL bug climate, should do their best to provide proper context and threat assessment along with it. Sure, informing people is vital. Scaring them disproportionately is not.

Are you using the OS X login and FileVault currently and, either way, does Find my Mac being restricted to a 4-digit passcode concern you?

Nick Arnott and Anthony Casella contributed to this article.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • I had heard FileVault was risky, so I haven't activated it. But that occurred when I had Lion or Mountain Lion. Is it stable now with Mavericks?
  • Risky how? FileVault 2 was introduced with Lion and was a pretty significant redesign over FileVault 1. I haven't experienced any issues with it in Mavericks. The biggest risk I'm aware of is forgetting your password and losing your key. It's obviously very important to make sure this doesn't happen to you. What issues have you experienced with FileVault in the past?
  • Well, a support technician at the oldest Apple store in the world (First Tech in Mpls.) suggested avoiding it when I took my iMac in for some work a year or so ago. He said it wasn't worth the trouble and risky. So I haven't used it despite the fact, as Rene points out, it seems like a good idea. I have my (complex) master password committed to memory, so maybe it's time to reconsider. Not sure, though. I have two external drives that Time Machine backs up to, so my data is certainly vulnerable. On the other hand, my place not that vulnerable to theft. Thoughts?
  • I imagine support technicians see a lot of users come in who can't remember their passwords. Obviously the trick to not falling into that category is to memorize the password you're going to use, and as a backup, have your recovery key stored somewhere safe. If you have external drives for Time Machine backups, you should make sure that your backups are encrypted as well. There is a "Encrypt backup disk" option in your Time Machine preferences. Ultimately it's a judgement call. If your computer never leaves your home and you're not particularly worried about theft, you may not find it worth the hassle. Personally, my feelings are that I have no problem remembering my password. I also keep an external copy of my backup key just in case. I've had friends who have had laptops stolen and seen them scramble trying to figure out what passwords to change, what sensitive data they may have had on their, etc. To me, the peace of mind FileVault offers around hopefully never having to deal with that seems worth the small amount of work involved with setting it up.
  • "... — all my Macs have File Vault on ...
    ... Every Mac user should make sure File Vault is enabled." If it's good enough for you, Rene, then it's good enough for me.
    I'll enable File Vault ASAP. My old MBP and iMac were too slow for FV, but
    my new Haswell-based ones with SSDs apparently have hardware-level encryption.
    Here's an Apple best practices guide to FileVault 2: "Sure, informing people is vital. Scaring them disproportionately is not." But sensationalism generates web traffic. And web traffic is EVERYTHING.
  • File Vault wasn't great historically but File Vault II (the new version) has been rock solid.
  • "People who publish articles... should do their jobs and provide proper context" Amen Rene. That's why I get my tech news from sites like yours and Twit, not my local 'action news'
  • Great read! Sent from the iMore App
  • Promoting the use of FileVault to the average user is a bit irresponsible. What happens when the user forgets his or her password? That time machine backup that they'd like to use after their Mac is wiped, encrypted. I feel that unless you are a government employee or you've got some sort of job that requires you to travel with important secret documents then you should stay away from FV. If you must use FV please familiarize yourself with it, I've seen plenty of people turn it on because they thought it would be a good idea, they never understood it and it ended up being a big headache.
  • Better be safe than sorry. But "irresponsible"? That's silly. This is a cautionary post with good suggestions; no one is forcing you to follow suit.
  • Fair point. I modified the wording slightly. If your computer is an empty shell with nothing but a browser and email cache, you don't need FileVault. If you have corporate or personal secrets on your drive, things that would make your life difficult if they ever got out, you need FileVault. Most people will fall somewhere in between. I don't want to infantilize "average users", though. If a computer is too much for a person, an iPad is a great, perhaps more easily secured solution.
  • Agreed on your recommendations here, but you are far too glib about the TLS bug, saying we are in a "post"-this-bug world and that sources are being alarmist. Had Microsoft shipped this "gotofail" bug, they would have been justly pilloried for being careless with security practices. People are not being alarmist here because this sort of sloppy coding - an improperly formed if statement and a duplicate line that always gets executed - does not happen in a vacuum. It requires: A) Apples style guidelines to allow such blocks B) Apples internal code auditing to be non-existent or, at best, inadequate. It could not have shipped once, let alone for multiple versions, without both A and B being true. That it was caught by a third party's source analysis, and not by Apple, shows that Apple *still* is not checking. Bugs happen; every developer knows that. It is your process to find them and fix them that matters. Apple has fixed the specific TLS issue, yes, but lacking any publicly declared overhaul of A and B, it borders on irresponsible to deride those wondering about these practices W.R.T. as alarmist, or to imply we are safely past the issue. Rather, the Apple media should hold Cupertino's feet to the fire until they improve their tracking, review, and auditing processes. Without it, shipping a similar coding error (though probably not in this section) is just a matter of time. Sent from the iMore App
  • Not what I was saying at all. After any big item of news (be it SSL bug or antenna detuning) there's heightened awareness. People for whom technology is already scary are at a heightened sense of alert. With media's power comes responsibility. Informing that there's a bug or weakness or exploit absent framing the severity, likelihood, and extent of that bug, weakness, or exploit does more disservice than service. It propagates fear. Your points are all great. But they can be achieved without sensationalism, pandering, or panic. Also: What would you like to see in terms of code review for things like goto fail?
  • First off, Apple employs engineers a heck of a lot more talented than me. That said: 1) Enforced style guides favoring code clarity over saving keystrokes. Requiring braces at every if statement, for example, would have made this specific bug harder to write and simpler to spot. 2) Multiple audits before promotion to trunk. They might have done this, and the reviewer(s) simply missed it, too. 3) If human review and static code analysis cannot catch issues like these, then require tests using some mock framework to verify that a given code path calls/does not call collaborators. If the code is monolithic enough that it cannot be tested that way, require it be broken up so that it can be. 100% test coverage is almost impossible, but for security critical paths some extra effort is warranted. Apple has some of the best engineers around; in fact, I bet this got through because it is such a basic mistake that programmers of that caliber glanced right past it. That's why an automatic safety net is important, because even the best coders misstep sometimes. Nobody should panic that Apple writes this class of bug often, but it is troubling that they apparently have no or inadequate processes in place to catch them when they occur. Sent from the iMore App
  • Always use FileVault Sent from the iMore App
  • I use a secure password (14 characters) so the 4 digit PIN isn't a concern for me. The Filevault is interesting to me but I never turned it on for my drive. Is there anything I should know before doing it? special requirements? If a user has Time Machine backups even if they got locked out restoring from a backup previous to lockdown while you would lose somethings would still be somewhat of an option. Sent from the iMore App