Fun with Apple EFI Firmware Passwords

I read somewhere that Apple uses weak encryption on its firmware passwords for Intel/EFI based computers, so I decided to take a look at it while on a long flight. I looked around for more specific discussion on the topic and didn't find anything, so I'll share what I found along with a tool I wrote to automate the changing and decrypting of the password. I wouldn't consider the method that they employed encryption per se, but rather an obfuscation of the password. In either case, what they did is certainly not cryptographically secure. It's not immediately clear to me why they didn't just MD5 the password or something... the nvram appears to have sufficient space to store such a hashed value.

Tested with: OS X 10.5.6/1st Gen (Core Duo)/Macbook Pro & OS X 10.5.6/Core 2 Duo/Macbook Pro.
Useful for: pen tests, lab deployment
Disclaimer: I take no responsibility with what you do with this information. Messing with the nvram can be potentially very serious business. Don't contact me if your mac stops booting.

The method I employed requires root access, either via the root account or single user mode. In a pen test scenario, it may be possible to escalate to root via an exploit (as opposed to password compromise). If the firmware password is the same or similar to another password in use, this may allow for further escalation of privilege / decryption of files / access to other machines / etc. In a lab deployment scenario, it may be desirable to set a firmware password on deployed machines. This process would be more easily automated with a CLI program like the one I'm providing. Of course, there is the OFPW tool, but that was designed for the older Open Firmware and I've had problems running it under Leopard/EFI and am unclear as to whether or not it supports the new hardware. The OFPW binary seems to be unnecessarily elusive and documentation even more so.

Here's how the obfuscation works:

  1. a <= 255 character ASCII string is accepted by Firmware Password Utility
  2. string is viewed as binary (ASCII decoded)
  3. every other bit is NOT'ted, beginning with a NOT (i.e. NOT, passthru, NOT, passthru, etc), which is the same as XORing each byte with 0xAA (10101010)
  4. resulting bitstream is stored as the password.
You can query the current password via Terminal (non-printable bytes are shown as %-delimited hex):
sudo nvram -p
... or you can get the contents of nvram in XML with the password in base64:
sudo nvram -x -p
Let's run through an example. We'll set our firmware password to:
jh376ds8
... which is a fairly random ASCII string. Let's interpret it as ASCII and translate to binary:
01101010 01101000 00110011 00110111 00110110 01100100 01110011 00111000
... now we apply the magic formula of NOT'ting every other bit, beginning with an initial NOT:
11000000 11000010 10011001 10011101 10011100 11001110 11011001 10010010
... then we hex-ify it:
c0 c2 99 9d 9c ce d9 92
... and finally add '%' delimiters:
%c0%c2%99%9d%9c%ce%d9%92
... now we run:
sudo nvram security-password=%c0%c2%99%9d%9c%ce%d9%92
... and our firmware password has been updated to jh376ds8.

Obviously the reverse could be employed to reveal a firmware password.

Note: there are three security levels included in Apple's EFI:
none: Firmware password is ignored, all boot actions allowed (single user, boot off external, etc). This is a default setting.
command: Firmware password enforced if user requests to boot off another device by holding down 'alt' during boot. Single user, target disk mode, etc disabled.
full: All actions are disallowed, unless correct password is entered (including normal boot to blessed drive).

Only ASCII characters with decimal values between 32 and 127 (inclusive) are allowed and the password cannot be longer than 255 characters. If the password is empty, Apple's GUI utility actually stores "none" as the password, so I would recommend not using "none" as a password.
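As an added example (my own code, not the author's tool), here is the obfuscation and its reverse in Python, covering both the %-escaped form printed by `nvram -p` and the base64 form from `nvram -xp`, plus the character-set, length and "none" checks described above. The function names are mine.

```python
import base64

# XOR with 10101010 flips every other bit starting with the MSB, i.e. NOT, passthru, NOT, ...
OBFUSCATION_MASK = 0xAA


def is_valid_password(password: str) -> bool:
    """Constraints from the post: 1..255 chars, each ASCII 32..127, and not the
    literal "none" that the GUI utility stores for an empty password."""
    if not 0 < len(password) <= 255 or password == "none":
        return False
    return all(32 <= ord(c) <= 127 for c in password)


def obfuscate(data: bytes) -> bytes:
    """Flip every other bit of each byte. XOR is its own inverse, so this also de-obfuscates."""
    return bytes(b ^ OBFUSCATION_MASK for b in data)


def encode_password(password: str) -> str:
    """Value for `nvram security-password=...` in `nvram -p` notation. ASCII bytes have
    bit 7 clear, so every obfuscated byte is >= 0x80 and nvram always prints it %-escaped."""
    if not is_valid_password(password):
        raise ValueError("password must be 1-255 chars of ASCII 32..127 and not 'none'")
    return "".join("%%%02x" % b for b in obfuscate(password.encode("ascii")))


def encode_password_b64(password: str) -> str:
    """Same obfuscated bytes as `nvram -xp` shows them inside its XML plist (base64)."""
    if not is_valid_password(password):
        raise ValueError("password must be 1-255 chars of ASCII 32..127 and not 'none'")
    return base64.b64encode(obfuscate(password.encode("ascii"))).decode("ascii")


def _parse_nvram_value(value: str) -> bytes:
    """Parse `nvram -p` notation: %xx escapes for non-printable bytes, anything else literal."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "%" and i + 2 < len(value):
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(value[i]))
            i += 1
    return bytes(out)


def decode_password(value: str) -> str:
    """Recover the plaintext from the `nvram -p` representation."""
    return obfuscate(_parse_nvram_value(value)).decode("ascii")


def decode_password_b64(value: str) -> str:
    """Recover the plaintext from the base64 data in `nvram -xp` output."""
    return obfuscate(base64.b64decode(value)).decode("ascii")
```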

Get the code

Takeaway: if you're using an EFI password on your Apple computer, don't use that password for anything else. It is easily recovered (granted, with root access), but even this recovery could allow for easy future access or further compromise.

15 comments:

human2 said...

I know security through obscurity isn't real security, but it still would have been nice to have not posted this info.

Paul Makowski said...

I'm a fan of full disclosure. Perhaps now Apple will have more incentive to store firmware passwords in a secure manner. Had I not posted this explanation/code, the vulnerability would still be there. Not talking about something never fixes it - it just puts it into the back pocket of script kiddies. It's this logic that's behind encryption standards being open and vetted by the community.

As a side note, I posted this tool on Apple's system-imaging mailing list, so I believe Apple is aware of it as well. I'm not trying to hide anything here, rather I'm giving a real world example to fellow pen testers and am encouraging Apple to release a better product, while at the same time also providing a service to lab administrators.

Having said that, I definitely understand where you're coming from - there are many people who do not like full disclosure. For better or for worse, I'm not one of them.

Miles said...

"it still would have been nice to have not posted this info."

That is like closing your eyes, covering your ears, and shouting, "LA LA LA, I can't HEEEEEAARR you!"

Which is the approach Pogue took in his OS X book regarding firmware passwords:

http://www.tinyapps.org/weblog/mac/200605110700_open_firmware_password_hack.html

As Paul says, pretending the problem doesn't exist only helps the script kiddies.


©2009 Paul Makowski | Template by TNB