The virtues of strong end-user device controls

Firmware Password Utility alert window: Password protection is off. Turn on a firmware password to prevent this computer from starting up from a different hard disk, CD, or DVD without the password.

Strong end-user privacy and security controls, such as device encryption and firmware passwords, not only protect personal information from unwanted access; they can also make it easier to recover lost or stolen devices.

Last month, I had the misfortune of having a personal laptop stolen.

Fortunately for me, while I was a bit bummed about losing my two-year-old laptop, I back up regularly and always enable disk encryption, which is an important step to protect the information stored on the hard disk from unwanted access by criminals, employers, or other actors (with the exception of very sophisticated adversaries).

In addition to disk encryption, I had also set a firmware password, which is an end-user control that essentially prevents the machine from being booted up or reset without knowing the password. Whereas disk encryption protects information stored on the device, firmware passwords protect the actual hardware.

Firmware (or hardware) passwords aren’t just an Apple thing. Many laptops and mobile devices allow users to set a password that prevents the device from being used (or reset) without it. For example, most PCs allow users to set BIOS passwords, which prevent modification of PC settings (including settings that allow users to reset/reinstall the operating system). Some states have even begun requiring anti-theft features in smartphones to prevent their use after theft, and Congress is also considering similar laws. Overall, these measures have been reported to cause a reduction in smartphone thefts.

Fast forward to a few weeks later, when I received an email to my personal account notifying me of an upcoming Apple Genius Bar visit. I was initially confused by the email but soon realized that it was probably the thief (or the undiscerning buyer) of my laptop trying to take it into Apple for repair – likely because they were unable to use it without knowing the firmware password I set.

I immediately began calling local law enforcement and the nearby Apple stores, notifying them of the theft and this development. After a few phone calls and the help of a fantastic Sergeant in the Local Crimes Unit of the Sacramento Police Department, I was able to coordinate an agreement whereby Apple would notify law enforcement if the new user brought the machine in for repair. After an initial disappointment on account of the suspect skipping his Genius Bar reservation, a representative from Apple Customer Relations notified me that the device was brought into another store and they were coordinating with the Sacramento Police Department to return it to me. I’m unclear as to whether they were able to track down the original thief.

In the end, strong end-user controls like device encryption and firmware passwords not only protect sensitive info stored on the device, they also prevent criminals from utilizing stolen property. The more devices feature strong end-user controls, the less likely thieves are to profit from their theft on the open market.

The author’s views are his or her own, and do not necessarily represent the views of the Commission or any Commissioner.

Comments

Just wondering - did you get your laptop back?

Yep! Received it a few days after this posting

There should be a market for stickers that say, loud and clear, "This laptop is password-locked, and its disk is encrypted". I don't want someone to find that out after they've stolen my laptop... I want them to be discouraged from stealing it in the first place.

Dear Mr Soltani:

My condolences, being a fellow victim to a similar episode, where the thief ultimately took my stolen iPhone to exchange it at the Apple Store.

I am impressed that Apple was willing to return your laptop. Despite law enforcement requests, Apple was unwilling to return my phone. Apple claimed they were unable to track stolen devices by serial number and that they provided "service by warranty."

In the end, corporate policy allowed the thief to get a new phone from exchanging my stolen phone. Apple told me they dismantled my phone the same day this exchange happened and that it won't be possible to return it. :-(

I hope that Apple returned your laptop to you safely.

This information is very helpful to me as all my devices were hacked into by the Scammer.
