Terrifying tale of an airport mix-up that turned a MacBook into a paperweight

Yeah, TPM, and similar secure enclaves have basically removed any realistic possibility of that.


My thoughts exactly. Surely a new HDD and a fresh OS on it means it is un-bricked, even if you have lost the data on it (which should be backed up anyway)?
ETA: I see. A whole new motherboard, eh? Wow o_0

They definitely can override it. I’ve jumped through the hoops for a couple of Apple devices locked in that manner; luckily we had all the things they wanted as proof.


You can use the Find My apps on other devices attached to the same account (or maybe just the web portal, not sure) to unlock the device. Not sure exactly right now, without digging into it too much. I know you can mark it as Lost, at least, and track the location. Set a personal message on the device’s screen to contact you, along with a phone number or email address or something.


Contemporary (anything Intel with a T1 or T2; and anything ARM) Macs are locked up pretty much like their phones. Data is encrypted with keying material bound to the device; and Activation Lock/‘Find My’ is deliberately not wipeable, in line with it being an anti-theft feature.

Significantly different from the prevailing PC security model, where the TPM will freak out and refuse to unseal its secrets, but can generally be reset if you are OK with losing those (TPM 1.2 had some features that gestured in the direction of authentication for privileged operation, but that was never very popular and TPM 2 moved away from it).

You may find that UEFI settings are stubbornly password protected if someone deliberately goes in and sets one; but that’s not a thing that happens as part of the user sign-in process; you really have to go out of your way.


Newer laptops have BIOS encryption now that cannot be flashed without physically removing the chip and soldering on a new one (or replacing the motherboard as others have already pointed out).

The days of resetting a jumper are over.


This is precisely why I try to ensure that anything important in my life is backed up in multiple places. Originally, I did that because of threats like fire, theft, and whatnot, but nowadays I feel like the most likely thing to separate me from my data is a tech company doing it deliberately as part of its business model.


This is also why I fight so hard against blind Cloud-First (read as “only” to boot lickers) at my IT work.


Great answer. Thank you!

The drive is just a chip on the logic board. It can’t be removed or replaced. The problem here is the proprietary T2 security chip. When it gets locked your device is basically a brick without Apple’s special diagnostic tools.

It’s a blessing and curse. If your machine is stolen, it’s useless to the person who stole it and your data is safe. But in a case where you’re the owner of the machine and you’re locked out of it, it’s a big problem.

However in this case there’s some blame on the user — they didn’t enable an important security feature that would have prevented much of this. It’s also possible that the person who got their laptop originally had a stolen one and swapped the stolen logic board with the “clean” one from the user’s machine and that’s why they can’t unlock it now.

When Find My is enabled, the user’s Apple ID is baked into the Secure Enclave on the device. Unlocking the device requires authenticating against this ID. You’re prevented from doing things like decrypting the drive, reinstalling the device, or other things without an authentication happening. It’s a great deterrent against stealing one of these devices since it becomes largely worthless to a thief for anything other than spare parts.

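The two models contrasted above (a PC TPM that refuses to unseal once the measured boot chain changes but can be cleared by whoever has the machine, versus an enclave that, once Find My binds an owner account into it, refuses a reset without proof of that account) as a toy Python model. This is an added example, not code from the thread, from Apple, or from any TPM vendor: `ToyTPM`, `ActivationLockedEnclave`, `measure_boot`, the SHA-256 counter-mode wrapping "cipher" and the local account-hash check are simplifications assumed here for illustration (real Activation Lock is verified against Apple's servers, and real TPM sealing uses a proper authenticated cipher and policy sessions).

```python
"""Toy model of the two device-trust stories in this thread.

Constructed for illustration: hashing and HMAC come from the standard
library, but the 'chip' classes are stand-ins for a PC TPM and for Apple's
Secure Enclave as the posts describe them, not real firmware APIs.
"""
import hashlib
import hmac
import os
from typing import List, Optional


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || H(measurement)). A PCR can only be
    extended, never set, so a given value needs the same stages in order."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(stages: List[bytes]) -> bytes:
    """Extend one PCR with every boot stage, starting from the reset value."""
    pcr = bytes(32)
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr


def _keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy wrapping cipher, not for use)."""
    out = b"".join(hashlib.sha256(key + c.to_bytes(4, "big")).digest()
                   for c in range((n + 31) // 32))
    return out[:n]


class ToyTPM:
    """PC model: secrets are sealed to PCR values under a storage root key
    (SRK) that never leaves the chip. Wrong boot chain -> refuse to unseal.
    Clearing rotates the SRK: old blobs are gone, machine is usable again."""

    def __init__(self) -> None:
        self.srk = os.urandom(32)

    def _wrap_key(self, pcr: bytes) -> bytes:
        return hmac.new(self.srk, b"seal|" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr_policy: bytes) -> bytes:
        """Return ciphertext || MAC, both keyed by (SRK, expected PCR)."""
        k = self._wrap_key(pcr_policy)
        ct = bytes(a ^ b for a, b in zip(secret, _keystream(k, len(secret))))
        return ct + hmac.new(k, ct, hashlib.sha256).digest()

    def unseal(self, blob: bytes, current_pcr: bytes) -> Optional[bytes]:
        """Key is derived from the *current* PCR; a changed boot chain gives a
        different key, the MAC fails, and nothing is released."""
        ct, tag = blob[:-32], blob[-32:]
        k = self._wrap_key(current_pcr)
        if not hmac.compare_digest(hmac.new(k, ct, hashlib.sha256).digest(), tag):
            return None
        return bytes(a ^ b for a, b in zip(ct, _keystream(k, len(ct))))

    def clear(self, account_id: Optional[bytes] = None) -> None:
        """Owner clear: new SRK, no proof needed (argument is for the subclass)."""
        self.srk = os.urandom(32)


class ActivationLockedEnclave(ToyTPM):
    """Apple-style model per the thread: enabling Find My binds the owner's
    account into the enclave, and a reset is refused without proof of it.
    Simplified: a local hash stands in for Apple's server-side check."""

    def __init__(self) -> None:
        super().__init__()
        self.owner_token: Optional[bytes] = None

    def enable_activation_lock(self, account_id: bytes) -> None:
        self.owner_token = hashlib.sha256(account_id).digest()

    def clear(self, account_id: Optional[bytes] = None) -> None:
        if self.owner_token is not None:
            proof = hashlib.sha256(account_id or b"").digest()
            if not hmac.compare_digest(proof, self.owner_token):
                raise PermissionError("activation lock: account proof required")
        super().clear()


def demo() -> dict:
    """Walk both models on a constructed boot chain and report outcomes."""
    good = [b"firmware v1", b"bootloader", b"kernel"]  # constructed stages
    tpm, pcr = ToyTPM(), measure_boot(good)
    blob = tpm.seal(b"disk-encryption-key", pcr)
    r = {"same_chain": tpm.unseal(blob, pcr),
         "patched_firmware": tpm.unseal(blob, measure_boot([b"firmware v2"] + good[1:])),
         "reordered": tpm.unseal(blob, measure_boot(good[::-1]))}
    tpm.clear()  # anyone with the box can do this; they just lose the data
    r["after_clear"] = tpm.unseal(blob, pcr)
    r["reusable_after_clear"] = tpm.unseal(tpm.seal(b"new key", pcr), pcr)
    mac = ActivationLockedEnclave()
    mac.enable_activation_lock(b"owner@example.com")  # constructed account
    try:
        mac.clear()
        r["lock_bypassed"] = True
    except PermissionError:
        r["lock_bypassed"] = False
    mac.clear(account_id=b"owner@example.com")  # the override the thread mentions
    r["lock_released"] = True
    return r
```

The point the model makes concrete: in the TPM case the failure mode is "secrets unrecoverable, hardware fine", because the chip's only real authority is over its own SRK; in the activation-lock case the chip also refuses to become someone else's, which is exactly what makes a swapped or second-hand logic board a paperweight until the original account (or Apple, with proof) releases it.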

Or cover the laptop in freaking stickers so you can tell it’s yours.
Some defense contractor (Interesting Engineering sez) made a fighter jet (unmanned) prototype with no moving control surfaces and I thought that was the most Apple thing…

Well, of course you can probe it to break the system private keys free, then solder fresh chips on! S’probably not your first turn with a heat gun if you’re willing. Then install netbsd or Openbsd or BeOS or something.


Thank you for the info. I was curious how it worked, and I’ve gotten some good info. Thank you.

The lesson is simple: don’t buy Apple. I have worked in IT for over 20 years and have never had a good experience with them.

