If you have Find My Mac enabled and are counting on it to help you locate a stolen Mac computer, you should read this public service announcement. It turns out there’s a pretty big security vulnerability inherent in Find My Mac that could allow some nefarious individual to disable the feature without any problems.
What Is Find My Mac?
If you aren’t familiar with this feature, Find My Mac is exactly like Find My iPhone. It is an iCloud-based service that allows you to find out where a lost Mac is. You can also use the service to lock the computer or remotely erase it. Enabling the feature is easy as pie; all you have to do is go to System Preferences > iCloud, and select the Find My Mac checkbox.
Once enabled, you can find your missing Mac from the iCloud web site. Just click Find My iPhone there, and select your missing Mac from the top menu. You can also have your computer play a sound, in case you’ve just misplaced it somewhere. Obviously, your Mac needs to be powered on and connected to a Wi-Fi network in order to do any of that.
So What’s the Problem?
The security hack here lies in a very common troubleshooting step for misbehaving Mac computers. If you reset the Non-Volatile Random Access Memory (NVRAM) or Parameter Random Access Memory (PRAM) on your computer, it also disables Find My Mac. All of the data for Find My Mac is stored in your NVRAM or PRAM, so resetting either of those wipes the information needed to locate your computer.
Want to test it for yourself? Just reboot your Mac and hold down Command-Option-P-R until you hear the startup chime twice. Then log into Find My iPhone on iCloud and look for your Mac.
How Can I Prevent This From Happening to Me?
There is a way to prevent someone from resetting the NVRAM on a newer Mac. What you need to do is set a firmware password to protect the data there. If you set a firmware password, it will be needed to reset the NVRAM on that computer. When you use Find My Mac to lock your computer, it sets a temporary firmware password.
Setting the Firmware Password
Bear in mind, you’ll need to remember this password. If you forget it, a trip to the Apple Store or an Apple Authorized Service Provider will be required to regain access to the firmware. You’ll need an original receipt or invoice to prove the Mac is, indeed, yours. You can set firmware passwords on these Macs, according to Apple:
- These models of MacBook:
  - Air (Late 2010 and later)
  - Pro (Early 2011 and later)
  - Pro with Retina display (all models)
  - Retina, 12-inch (Early 2015)
- iMac (Mid 2011 and later)
- Mac mini (Mid 2011 and later)
- Mac Pro (Late 2013)
With that disclaimer out of the way, here’s how to set a firmware password and protect your device even further.
- Shut down your Mac.
- Start up your Mac again and immediately hold the Command and R keys after you hear the startup sound to start from OS X Recovery.
- When the Recovery window appears, choose Firmware Password Utility from the Utilities menu.
- In the Firmware Utility window that appears, click Turn On Firmware Password.
- Enter a new password, then enter the same password in the Verify field.
- Click Set Password.
- Next, click Quit Firmware Utility to close the Firmware Password Utility.
- Finally, click the Apple menu and choose Restart or Shutdown. The next time your Mac starts up, your firmware password is active.
Another thing to note: once you have a firmware password set, you’ll also need it to boot from another drive or from macOS Recovery, and whenever your Mac has paused startup and displayed a lock icon with a password field.
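To confirm both halves of this on a Mac you manage, the added script below (not part of the original article) reports whether the Find My Mac data is still in NVRAM and whether a firmware password protects it. It assumes the NVRAM variable name `fmm-mobileme-token-FMM` and the `Password Enabled: Yes` line printed by `firmwarepasswd -check`; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: audit the two conditions the article ties together.
# Assumptions (not from the article): the NVRAM variable name
# fmm-mobileme-token-FMM and the "Password Enabled: Yes" output line.

# Succeeds if `nvram -p` output on stdin contains the Find My Mac token.
fmm_token_present() {
    grep -q '^fmm-mobileme-token-FMM[[:space:]]'
}

# Succeeds if `firmwarepasswd -check` output on stdin reports a password.
firmware_pw_enabled() {
    grep -q '^Password Enabled:[[:space:]]*Yes'
}

# audit NVRAM_TEXT FIRMWARE_TEXT -> prints one verdict word.
audit() {
    if printf '%s\n' "$1" | fmm_token_present; then fmm=1; else fmm=0; fi
    if printf '%s\n' "$2" | firmware_pw_enabled; then fw=1; else fw=0; fi
    case "$fmm$fw" in
        11) echo PROTECTED ;;                   # enrolled, NVRAM reset needs the password
        10) echo EXPOSED ;;                     # enrolled, but a reset wipes the token
        01) echo NOT_ENROLLED ;;                # password set, Find My Mac data absent
        00) echo NOT_ENROLLED_NO_FW_PASSWORD ;; # neither protection in place
    esac
}

# Constructed sample `nvram -p` output (name<TAB>value), not real tokens.
SAMPLE_NVRAM_ENROLLED="$(printf 'SystemAudioVolume\t%%40\nfmm-computer-name\tExample-MacBook\nfmm-mobileme-token-FMM\tbplist00-CONSTRUCTED\n')"
# Constructed output after an NVRAM reset: the Find My Mac entries are gone.
SAMPLE_NVRAM_RESET="$(printf 'SystemAudioVolume\t%%40\n')"

# Live check on a Mac (firmwarepasswd needs root): sudo sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit "$(nvram -p)" "$(firmwarepasswd -check)"
fi
```

An `EXPOSED` result is the situation the article warns about: Find My Mac is enrolled, but nothing stops a Command-Option-P-R reset from clearing it.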