macOS-Security-and-Privacy-Guide

"Firmware" part is outdated / Intel-based Mac only

Open beerisgood opened this issue 1 year ago • 7 comments

The whole part needs a rewrite as Apple Silicon ARM Macs only need FileVault.

> This feature requires a Mac with an Intel processor. For the equivalent level of security on a Mac with Apple silicon, simply turn on FileVault. If the Mac is managed by MDM (mobile device management), MDM administrators can also remotely lock the Mac.

https://support.apple.com/en-us/HT204455

beerisgood, Aug 21 '22 21:08

Indeed, the section needs an overhaul as Apple has seriously buffed capabilities here in the last several years.

drduh, Dec 26 '22 18:12

> The whole part needs a rewrite as Apple Silicon ARM Macs only need FileVault.
>
> > This feature requires a Mac with an Intel processor. For the equivalent level of security on a Mac with Apple silicon, simply turn on FileVault. If the Mac is managed by MDM (mobile device management), MDM administrators can also remotely lock the Mac.
>
> https://support.apple.com/en-us/HT204455

It is possible to put a MacBook Pro with Apple Silicon into DFU mode without requiring a password, according to my understanding. This could potentially allow a hacker with physical access to the device to load malware firmware or wipe the device. In the past, firmware passwords were used on Intel-based Macs to prevent this type of attack. However, it is unclear what measures are currently in place to prevent such an attack on Apple Silicon Macs.

One way an attacker could exploit this vulnerability is by modifying the firmware to insert malicious code and then signing it with a fake Apple signature. The attacker could then put the MacBook Pro into DFU mode and load the malicious firmware onto the device. It is not clear why there are no safeguards in place to prevent this type of attack on Apple Silicon Macs.

gh0st-1, Jan 14 '23 10:01

See https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/420

beerisgood, Jan 14 '23 12:01

@beerisgood

> Enabling FileVault is enough for Apple Silicon chips.

This is inaccurate because it is only true when Startup Security is set to Full Security. This should be included.

life00, Aug 06 '23 16:08

> @beerisgood
>
> > Enabling FileVault is enough for Apple Silicon chips.
>
> This is inaccurate because it is only true when Startup Security is set to Full Security. This should be included.

Macs with Apple Silicon chips use "Full Security" by default. Read https://support.apple.com/guide/mac-help/mchl768f7291/mac

beerisgood, Aug 06 '23 18:08

You are right. But it is annoying that it is not mentioned anywhere. Probably it is unrelated to this project, as it is assumed that no security features will be disabled. In such a case, never mind.

I am just one of those folks running Asahi Linux. I have noticed this issue recently, and unfortunately there is no way to achieve a similar level of physical security when running other operating systems on these platforms.

life00, Aug 07 '23 08:08

I'd be happy to give it a look after my other PR is merged. I'd very much like to remove anything about EOL versions of macOS at the very least.

kimg45, Dec 12 '23 20:12