Zdziarski. DFIR, security, reverse engineering, photography, theology, funky bass guitar. All opinions are my own.

Apple, Security

Configuring the Touch Bar for System Lockdown

On January 17, 2017 by Jonathan Zdziarski

The new Touch Bar is often marketed as a gimmick, but one powerful capability it has is to function as a lockdown mechanism for your machine in the event of a physical breach. By changing a few power management settings and customizing the Touch Bar, you can add a button that will instantly lock the machine’s screen and then begin a countdown (configurable, e.g. 5 minutes) to lock down the entire system. The lockdown disables the fingerprint reader, removes power from the RAM, and discards your FileVault keys, effectively locking the encryption, protecting you from cold boot attacks, and preventing the system from being unlocked by a fingerprint.

One of the reasons you may want to do this is to allow the system to remain live while you step away, answer the door, or run to the bathroom, but in the event that you don’t come back within a few minutes, lock things down. It can be ideal for the office, hotels, or anywhere you feel your system may become physically compromised. This technique offers the convenience of being able to unlock the system with your fingerprint if you come back quickly, but the safety of having the system secure itself if you don’t.

To configure this, we’ll first add a sleep button to the Touch Bar, then look to command-line power management settings to customize its behavior.

Adding a sleep button to the Touch Bar is pretty straightforward. Launch System Preferences, then click on Keyboard. At the bottom of the window is a button labeled Customize Control Strip.

To add a sleep button to the Touch Bar, choose which of the four existing buttons you can live without. Most people choose the Siri button, because it’s accessible from both the dock and the menubar as well. Drag the icon labeled Sleep from the window onto the Siri button on the Touch Bar, and the button will turn into a sleep button. If you would also like a screen lock that does not perform any lockdown function while on AC power, you can also drag the Screen Lock button onto the Touch Bar, and use that for when you don’t want a lockdown (it may still lock down on battery, as the system will sleep whenever it’s on battery). Once you’re finished customizing the Touch Bar, click Done.

OK! So we’ve got a sleep button on the Touch Bar – this is our future lockdown button; it can be triggered a lot faster than holding in the power button, and even better, will be able to lock down the system without losing all your work.

By default, however, putting the machine to sleep on its own doesn’t really lock anything down, and you can still unlock it with your fingerprint when it wakes, so next we’re going to need to change the system’s sleep behavior. There are a number of hidden knobs that can be set on the command-line to change how power management behaves on sleep.

We need to set a few different options. First, we need the system to go from sleep mode into a hibernation mode after a preset period of time. In our example, we’ll use 300 seconds (five minutes). Hibernate mode is a deeper sleep, where the system commits its memory contents to disk and shuts down the processor. Until the system is in hibernate mode, you’ll be able to unlock the device with your fingerprint, which we don’t want. From a terminal window, run the following commands to adjust the various sleep and hibernate timers:

sudo pmset -a standbydelay 300
sudo pmset -a standby 1
sudo pmset -a networkoversleep 0
sudo pmset -a sleep 0
sudo pmset -a autopoweroffdelay 300
sudo pmset -a autopoweroff 1
sudo pmset -a womp 0

Setting womp to 0 also keeps the network from keeping the system awake.

Next, there is a parameter named hibernatemode that is a bit of a misnomer; it more or less determines how sleep behaves, rather than how hibernate behaves. Changing this alters the behavior of sleep mode in a wonderful way if you want the computer to almost instantly enter hibernate mode (< 60 seconds). When set to the value 25, this parameter will cause macOS to remove power from the RAM and go into a “safe sleep” mode instead of regular sleep mode, which thwarts future cold boot attacks against the system.

sudo pmset -a hibernatemode 25

Only do this if you want to enter hibernation in around 60 seconds, instead of 5 or 10 minutes. If you want the longer grace period, use the default value of 3.

sudo pmset -a hibernatemode 3

The default does not remove power to the RAM during sleep, but will still cut power to it for hibernate mode, which is what you’ll want if you need a five or ten minute grace period. During the grace period, your system will still be getting juice to the RAM (so that you can unlock with your fingerprint, and quickly restore state), so it’ll be susceptible to a cold boot attack until it hits hibernate later on. A firmware password can help mitigate this concern.

Lastly, a hidden setting named DestroyFVKeyOnStandby can be set that will cause hibernate mode to destroy the FileVault keys in memory (or stored memory), effectively locking the encryption of the system.

sudo pmset -a DestroyFVKeyOnStandby 1
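The command sequence above is easy to apply once and forget, so the script below (an added example, not from the original post) wraps the same pmset settings in two functions: one that applies the whole profile for a chosen grace period and hibernatemode, and one that audits the text output of pmset -g against the expected values so you can confirm nothing has been reset (for instance after restoring defaults in System Preferences). The function names, the GRACE_SECONDS and HIBERNATE_MODE variables, and the two blocks of sample pmset -g output are this example’s own constructions; the audit assumes pmset -g prints one "key value" pair per line, which is the format of the real tool.

```shell
#!/bin/sh
# Added example, not part of the original post. Applies and audits the
# Touch Bar lockdown power profile described above. Function names, the
# GRACE_SECONDS / HIBERNATE_MODE knobs and the sample output are constructed.

GRACE_SECONDS="${GRACE_SECONDS:-300}"   # five-minute grace period, as in the post
HIBERNATE_MODE="${HIBERNATE_MODE:-3}"   # 3 = RAM stays powered during grace; 25 = ~60 s lockdown

# Expected settings as "key value" pairs, one per line (the post's pmset commands).
expected_settings() {
    cat <<EOF
standbydelay $GRACE_SECONDS
standby 1
networkoversleep 0
sleep 0
autopoweroffdelay $GRACE_SECONDS
autopoweroff 1
womp 0
hibernatemode $HIBERNATE_MODE
DestroyFVKeyOnStandby 1
EOF
}

# Apply every expected setting to all power sources (-a). macOS only; needs sudo.
apply_lockdown_profile() {
    expected_settings | while read -r key value; do
        sudo pmset -a "$key" "$value"
    done
}

# Audit `pmset -g` text read from stdin against the expected settings.
# Prints one line per missing or mismatched key; returns 0 only when all match.
audit_pmset_output() {
    current=$(cat)
    failures=0
    while read -r key value; do
        # pmset -g prints " key<spaces>value"; awk ignores the leading space
        actual=$(printf '%s\n' "$current" | awk -v k="$key" '$1 == k { print $2 }')
        if [ -z "$actual" ]; then
            echo "MISSING  $key (expected $value)"
            failures=$((failures + 1))
        elif [ "$actual" != "$value" ]; then
            echo "MISMATCH $key is $actual (expected $value)"
            failures=$((failures + 1))
        fi
    done <<EOF
$(expected_settings)
EOF
    [ "$failures" -eq 0 ]
}

# Constructed sample of `pmset -g` output from a machine still on stock defaults.
SAMPLE_DEFAULT_PMSET='System-wide power settings:
Currently in use:
 standbydelay         10800
 standby              1
 womp                 1
 hibernatefile        /var/vm/sleepimage
 networkoversleep     0
 sleep                1
 autopoweroffdelay    28800
 hibernatemode        3
 autopoweroff         1
 displaysleep         10'

# Constructed sample after the lockdown profile has been applied.
SAMPLE_LOCKDOWN_PMSET='System-wide power settings:
Currently in use:
 standbydelay         300
 standby              1
 womp                 0
 hibernatefile        /var/vm/sleepimage
 networkoversleep     0
 sleep                0
 autopoweroffdelay    300
 hibernatemode        3
 autopoweroff         1
 DestroyFVKeyOnStandby 1
 displaysleep         10'

# Usage on a real Mac:   pmset -g | audit_pmset_output
# To apply first:        apply_lockdown_profile && pmset -g | audit_pmset_output
```

Running the audit against the stock-defaults sample reports five problems (standbydelay, sleep, autopoweroffdelay and womp mismatch, and DestroyFVKeyOnStandby is absent), which is exactly the list of knobs the post changes; the hardened sample passes cleanly. Set HIBERNATE_MODE=25 before applying if you want the near-instant lockdown variant rather than the five-minute grace period.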

With all of these put into place, you can now put your system on a timed lockdown. Here’s how it works:

  1. The user presses the sleep button on the Touch Bar
  2. The screen immediately locks, the system goes to sleep and a five minute timer starts
  3. If the user unlocks the machine within the five minute period, all services are restored and they can use their fingerprint to authenticate
  4. Once the timer expires, the system transitions from sleep mode to hibernate mode
  5. Upon entering hibernate mode, power is removed from the RAM and the FileVault keys are destroyed in memory
  6. When the user wakes the machine, they will be prompted for their password in order to unlock FileVault
  7. Once the user has authenticated with a password, they will be prompted a second time to authenticate with their fingerprint (or password); this is the restored state from when the system was first locked

This type of setup works well in the workplace, where you may walk away from your machine often, or while in public or any other venue where you may temporarily leave your system for a short period, but are concerned about physical security. If you are a political dissident or someone else who may be targeted, using this system provides a convenient way to manage your system to keep the fingerprint reader useful, but also lock down if an unexpected event occurs and your devices are physically compromised.

You can restore all power management defaults in System Preferences if you decide to back out of this configuration, and of course depending on your level of paranoia, you may wish to adjust the hibernate timer to one minute or ten, to your liking.

If you don’t have a Touch Bar, no sweat. You can configure sleep using hot corners or a hotkey. It’s not quite as easily accessible in an emergency, but does the job. This also works by simply closing the lid.

All Content Copyright (c) 2000-2022 by Jonathan Zdziarski, All Rights Reserved