PSA: Find My Mac Has a Serious Security Vulnerability

Find My Mac has a security flaw

If you have Find My Mac enabled and are counting on it to help you locate a stolen Mac computer, you should read this public service announcement. It turns out there’s a pretty big security vulnerability inherent in Find My Mac that could allow some nefarious individual to disable the feature without any problems.

If you ever leave your Macbook lying about and count on Find My Mac to protect you, here’s some information you need to know (Image Credit: Pexels)

What Is Find My Mac?

If you aren’t familiar with this feature, Find My Mac is exactly like Find My iPhone. It is an iCloud-based service that allows you to find out where a lost Mac is. You can also use the service to lock the computer or remotely erase it. Enabling the feature is easy as pie; all you have to do is go to System Preferences > iCloud, and select the Find My Mac checkbox.

Once enabled, you can find your missing Mac from the iCloud web site. Just click Find My iPhone there, and select your missing Mac from the top menu. You can also have your computer play a sound, in case you’ve just misplaced it somewhere. Obviously, your Mac needs to be powered on and connected to a Wi-Fi network in order to do any of that.

So What’s the Problem?

The weakness here lies in a very common troubleshooting step for misbehaving Mac computers. If you reset the Non-Volatile Random Access Memory (NVRAM) or Parameter Random Access Memory (PRAM) on your computer, it also disables Find My Mac. All of the data Find My Mac relies on is stored in NVRAM or PRAM, so resetting either of those wipes the information needed to locate your computer.

Want to test it for yourself? Just reboot your Mac and hold down Command-Option-P-R until you hear the startup chime twice. Then log into Find My iPhone on iCloud and look for your Mac.

How Can I Prevent This From Happening to Me?

There is a way to prevent someone from resetting the NVRAM on a newer Mac: set a firmware password to protect the data stored there. Once a firmware password is set, it is required before the NVRAM on that computer can be reset. When you use Find My Mac to lock your computer, it sets a temporary firmware password for the same reason.

Setting the Firmware Password

Bear in mind, you’ll need to remember this password; if you forget it, a trip to the Apple Store or an Apple Authorized Service Provider will be required to regain access to the firmware, and you’ll need an original receipt or invoice to prove the Mac is, indeed, yours. According to Apple, you can set firmware passwords on these Macs:

  • These models of MacBook:
    • Air (Late 2010 and later)
    • Pro (Early 2011 and later)
    • Pro with Retina display (all models)
    • Retina, 12-inch (Early 2015)
  • iMac (Mid 2011 and later)
  • Mac mini (Mid 2011 and later)
  • Mac Pro (Late 2013)

With that disclaimer out of the way, here’s how to set a firmware password and protect your device even further.

  1. Shut down your Mac.
  2. Start up your Mac again and immediately hold the Command and R keys after you hear the startup sound to start from OS X Recovery.
  3. When the Recovery window appears, choose Firmware Password Utility from the Utilities menu.
  4. In the Firmware Utility window that appears, click Turn On Firmware Password.
  5. Enter a new password, then enter the same password in the Verify field.
  6. Click Set Password.
  7. Next, click Quit Firmware Utility to close the Firmware Password Utility.
  8. Finally, click the Apple menu and choose Restart or Shutdown. The next time your Mac starts up, your firmware password is active.

One more thing to note: once you have a firmware password set, you’ll also need it to boot from another drive, to start up from macOS Recovery, or whenever your Mac pauses startup and displays a lock icon with a password field.
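As an added defender-side check (example code written for this article, not Apple’s or the article’s own), the POSIX shell audit below reports whether the two protections discussed above are in place: that Find My Mac’s enrolment data is still present in NVRAM (it survives only until a Command-Option-P-R reset) and that a firmware password is set to block that reset. It assumes Find My Mac stores its token under the NVRAM variable `fmm-mobileme-token-FMM` as shown by `nvram -p`, and that `firmwarepasswd -check` (run as root) prints a `Password Enabled: Yes/No` line; the sample dumps embedded in the script are constructed so it runs offline.

```shell
#!/bin/sh
# Added example: audits Find My Mac's NVRAM token and the firmware password
# state. Assumption: Find My Mac keeps its token in the NVRAM variable
# fmm-mobileme-token-FMM, and `firmwarepasswd -check` prints "Password Enabled:".

# Echo "present" or "missing" depending on whether the supplied `nvram -p`
# output contains the Find My Mac token variable.
fmm_token_state() {
    if printf '%s\n' "$1" | grep -q '^fmm-mobileme-token-FMM'; then
        echo present
    else
        echo missing
    fi
}

# Echo "yes" or "no" from the "Password Enabled:" line of `firmwarepasswd -check`.
firmware_password_state() {
    printf '%s\n' "$1" | awk -F': *' '/^Password Enabled:/ { print tolower($2); exit }'
}

# Combine both checks: "protected" only when the token is present AND a
# firmware password stops a Command-Option-P-R reset from wiping it.
fmm_verdict() {
    token=$(fmm_token_state "$1")
    fwpw=$(firmware_password_state "$2")
    if [ "$token" = present ] && [ "$fwpw" = yes ]; then
        echo protected
    elif [ "$token" = present ]; then
        echo token-present-but-nvram-reset-possible
    else
        echo find-my-mac-disabled
    fi
}

# Constructed sample output (not captured from a real Mac), used offline.
NVRAM_ENABLED='fmm-computer-name	MacBook Pro
fmm-mobileme-token-FMM	%00%01%02%03 (constructed placeholder token)
SystemAudioVolume	%80'
NVRAM_AFTER_RESET='SystemAudioVolume	%80'
FWPW_ON='Password Enabled: Yes'
FWPW_OFF='Password Enabled: No'

# Live audit on a real Mac (needs root for firmwarepasswd); otherwise show the
# constructed "Find My Mac on, no firmware password" case.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ] && command -v firmwarepasswd >/dev/null; then
    fmm_verdict "$(nvram -p 2>/dev/null)" "$(firmwarepasswd -check 2>/dev/null)"
else
    fmm_verdict "$NVRAM_ENABLED" "$FWPW_OFF"
fi
```

Run it as root on a Mac to get a live verdict; anywhere else it evaluates the constructed samples and prints `token-present-but-nvram-reset-possible`, the state the article warns about.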

5 thoughts on “PSA: Find My Mac Has a Serious Security Vulnerability”

  • I also read this title as suggesting that your computer is at risk if you use Find My Mac, which is not the case. How about “Additional Steps Required to Ensure Find My Mac Will Do Just That” or “How to Enable Firmware Password to Guarantee Find My Mac”?

    The How To title always gets clicked by people and this article is really about guaranteeing you can use Find My Mac. It’s not an article about Find My Mac being insecure.

  • @Jeff Buts – thanks for taking time to respond.

    But, I’d be lying if I found your reply in any way persuasive.

    Simply put, I don’t think readers should be left feeling they’ve been tricked – that’s what the gutter press are for! Your headline left me feeling like I’d been had, and I’m not used to TMO leaving me with that uncomfortable feeling. I hope this is the exception that proves the rule, and not the start of a descent into sensationalistic nonsense.

    1. Bart, let me just say that I apologize if my headline left you feeling tricked. In no way did I intend for that headline to fool anybody, or be “clickbait.” As previously stated, in my mind, a problem with the physical security of a device is just as synonymous with the phrase “security vulnerability” as a software exploit or hack is.

  • Hi all!

    Several folks have taken me to task for classifying this as a “security vulnerability.” Here’s my position as a former security consultant:

    Physical security of your device is just as important as data security. This vulnerability puts the physical security of your Mac in serious question. Therefore, I, along with several of my colleagues here at TMO, consider this to be a security vulnerability.

    I hope that clears things up!

    –Jeff

  • I mean this as constructive criticism of a site I love run by great people with a great track record.

    That said, I am honestly very disappointed by the inaccurate and click-baity headline you chose to slap at the top of this otherwise great story.

    “Security Vulnerability” implies Find My Mac can be used to hack your computer.

    An honest headline would have read something like:

    “Find my Mac has a dangerous weakness – here’s how you protect yourself”

    I guess the click-bait worked, because you sure got my attention, but the experience of being tricked like this has dented my trust in TMO. You guys are usually better than this 🙁
