After Mr. Honan indicated that his data, which was unfortunately not backed up, was likely lost for good, it got us wondering about what exactly happens when a remote wipe is triggered via iCloud. How does the process work? Does it wipe all drives connected to the Mac or just the system drive? Is the data recoverable?
We set out to answer these questions by wiping one of our own Macs. Here’s the story:
Our victim for this test is a 2011 15-inch MacBook Pro on OS X 10.8 with two internal drives (we used an Other World Computing Data Doubler to replace the optical drive with a second hard drive) — a 240 GB OWC Mercury 6G SSD as the main system drive, and a 1 TB Western Digital Scorpio Blue WD10JPVT HDD for data storage — and a 2 TB LaCie P’9230 external Time Machine drive connected via USB. Curious about whether Find My Mac would wipe the entire drive or just the user account, we added a second account to the Mac, with both set as administrators.
Our first step was to turn on Find My Mac. This is done by heading to System Preferences > iCloud
and checking the “Find My Mac” box. Doing so prompted OS X to inform us that Find My Mac can only be activated on one user account per machine. We set it to the primary user account (not the one we created for this test) and then closed System Preferences.
On another Mac, we opened our Web browser and logged into iCloud’s Web interface using the iCloud account of the primary system account on the Mac. Once logged in, we entered the “Find My iPhone” section and waited for it to locate our victim MacBook Pro.
Remote Lock
There are two options for iCloud users who fear their Mac may be stolen: lock and wipe. Curious, we tried out the lock first. Click on the Mac you wish to wipe or lock and then, once it’s located on the map, click the blue circle with the “i” character. This displays your options for locking, wiping, or playing a message or sound on your device.
Choose “Remote Lock” and iCloud will ask you for a four digit numeric passcode in order to unlock the Mac should you eventually recover it. Proceeding with the lock will cause the target Mac to reboot within about ten seconds of sending the command.
Instead of taking the user to the OS X desktop or login screen, when the Mac reboots it presents a grey screen requesting the correct unlock passcode. Successive failed attempts at entering the correct code will cause the system to prevent further attempts for increasing amounts of time.
The passcode screen which appears when the Mac is both in “Lock” and “Wipe” states.
We then attempted to access the data on the drives. While in a locked state, a user can reboot the Mac, but boot modifier keys such as Alt/Option to select a different drive and “T” to put the Mac into target disk mode, don’t work. Only the “R” key, which takes the user to Lion or Mountain Lion’s recovery partition is functional.
To see how far we could go, we then pulled the system drive and connected it to another Mac with a SATA to USB adapter. The drive mounted and we were able to see the data on the system drive, and copy it to another drive if necessary. The iCloud “lock” feature, therefore, is not secure if the individual in possession of your Mac has the skills or time to physically pull the hard drive.
Our questions about the remote lock answered, we put the hard drive back, booted, and entered the correct passcode. The Mac processed for a moment and then rebooted. Thankfully, it booted back into our user’s desktop and all the data was intact.
Remote Wipe
Now it was time to pull out the big gun and wipe the system. After logging back in to iCloud on another Mac, we sent the wipe command. This time it also asked us to set a passcode, and informed us that a wipe “may take up to a day to complete.”
The final confirmation for sending a Remote Wipe command.
Just as with the lock scenario, within about ten seconds of issuing the command, the target MacBook Pro shut down and then rebooted to the same grey screen requesting the passcode. Not wanting to interrupt the wipe process, we let the Mac sit overnight in this state.
The next morning, we found the Mac still at the passcode screen. Concerned that this process was taking too long to be effective, we decided to try and abort it by entering the correct passcode so that we could investigate the state of our data. We entered the correct passcode and, as it did when we entered the passcode in the “lock” scenario, the computer began to process…and process…and process. We watched the MacBook Pro show us the spinning beach ball for almost three hours before we gave up and performed a hard reboot of the system.
Upon rebooting, we were not greeted with the passcode screen or our user’s login screen. Instead the system booted us directly into the OS X Recovery Partition. We accessed Disk Utility and saw that the two internal drives were not mounting, but the external Time Machine drive seemed to have its data intact.
To verify the integrity of the Time Machine drive, we disconnected it from the MacBook Pro and connected it to another working Mac. The drive mounted quickly and all the data was intact on the drive, ready to restore the MacBook Pro once we reached that step.
Returning our attention to the MacBook Pro’s internal drives, we rebooted while holding down the Alt/Option key to access the boot manager: no dice. The only available partition was the recovery partition and our internal system drive didn’t show up at all. At least now we could now access boot modifier keys, which was something we couldn’t do in the “lock” scenario or when the machine was in the “wipe” phase.
As a final test, we placed the MacBook Pro into target disk mode and connected it via Thunderbolt to another Mac. The other Mac instantly informed us that the drives in the MacBook Pro were not mounted and needed to be initialized, which we didn’t do to aid possible data recovery efforts. Initialization, usually only done before using new hard drives, wipes any remaining info from the drive’s “table of contents” and prepares the drive for new use. Initializing a drive won’t make data recovery impossible, but it certainly doesn’t help.
So it seems that Apple’s remote wipe process has created a disk that, by itself, cannot be read by either the original or another computer. Success! (or failure, depending on your perspective).
Data Recovery
Now that we knew Apple’s wipe process actually worked, at least for internal drives, it was time to try data recovery. Using Prosoft Engineering’s well established at home data recovery software Data Rescue 3, we began efforts to recover data from the “wiped” internal drives.
Using Data Rescue’s “Deep Scan,” we attempted to find our lost files on both internal drives. Keep in mind that the “Deep Scan” looks at every sector on the drive in its search for files, something that can take many hours depending on the size and speed of the drive. In our case, a Deep Scan of the 240 GB internal SSD took about three hours while the 1 TB HDD took over 12 hours to complete.
Unfortunately, due to technologies like TRIM, which overwrites unused blocks to improve future write performance, the data on the SSD, beyond a handful of system and cache files, was not recoverable. This is important to consider now that Apple is rapidly approaching a product line that uses flash memory exclusively.
The internal mechanical hard drive was another story. After many hours of waiting, Data Rescue successfully restored and rebuilt over 380,000 files, including our music, photos, and documents. Mechanical hard drives do not experience performance loss when overwriting sectors so technologies like TRIM are unnecessary. This means that data recovery from mechanical hard drives is significantly easier, something else to consider in the event that a hacker or thief gains access to your drive.
Lessons Learned
In the end, these are the lessons we learned during our experiment:
- A remote lock state limits boot options on the Mac, but can still be circumvented by pulling the drive and mounting it on another computer.
- A remote wipe wipes all internal drives and, once complete, leaves access only to the Recovery Partition.
- A remote wipe does not wipe locally attached external drives, so if you have a Time Machine or other form of backup, your data will be safe from an accidental, or malicious, wipe. Back up your data!
- Using data recovery software, users should be able to recover most of their data from a wiped mechanical hard drive, but likely not from a solid state flash drive, especially if technologies like TRIM had been enabled prior to the wipe.
Whether the realities of Apple’s remote wipe are good or bad depends on the perspective. If you find yourself in a situation like that of Mr. Honan, data recovery is obviously the most important consideration and the fact that Apple’s wipe process allows for recovery is good news.
If you’ve just lost a company laptop full of sensitive data, on the other hand, any opportunity for the thief or hacker to recover the data is grounds for panic. We therefore recommend that users concerned about the exposure of data on their Mac use a a method of whole disk encryption, such as FileVault 2, PGP, or TrueCrypt.
Regardless, the most important factors to remember about iCloud’s Find My Mac Remote Wipe are 1) It will erase all internal drives and 2) It will not erase locally attached external backup drives. So keep backups of your data, encrypt your drive if necessary, and don’t worry too much about having your Mac remotely wiped. If you understand the process outlined here, and follow our tips on protecting yourself, your chances of being hacked will decrease and the only thing an attack will cost you is a little inconvenience.