2021 Forward:

Back in 2018, I encountered what I’d consider the cardinal sin of opsec by an Apple store employee. He asked me to disable my Mac’s password before I turned it in for a multi-day off-site repair. The casual manner in which he asked me led me to assume this was not the first time he had pushed this question, and that it was a common practice at this store (Barton Creek Mall in south Austin, for those who care).

Apple customers already place a great deal of trust in repair technicians who have the user’s password, but disabling it for logging in means everyone who handles or has physical access to the device could trivially steal data from it or install malware on it. A Mac going offsite gets handled by several intermediaries, not just the technicians.

A recent report (where Apple paid millions to settle a woman’s claims that, after sending her iPhone to Apple for repair, technicians uploaded her nude photos to her Facebook account) highlights the risks associated with sending your device to Apple for repair. (Discussion here.) The report and my personal experience also highlight a disingenuous aspect of its fight against the consumer’s right to repair devices. (The company claims that, without exclusively using its repair services your security as a customer would be compromised.) 

Their lax approach to opsec in the rank and file, which I personally witnessed, was simply disturbing to me.

ORIGINAL STORY:

Tl;dr: While dropping off my Mac for repair, I was asked by an Apple store employee to turn off (yes, as in disable) my Mac’s admin password. 😲 After I refused to disable the password, they then asked me what my admin password was (which they inputed into customer service software). That second option is still unsettling but goodness gracious. They literally asked me to disable my admin password altogether (I guess because the staff just see that as more convenient(?)). If it happened to me, then it’s likely happening to many other Apple customers.

Millions of people walk through Apple Stores, and I think Geniuses asking people to turn off their Mac admin password is a completely unnecessary degradation of customers’ security.

— Full breakdown of what happened:

About two weeks ago, I found out about an Apple screen recall program that covered my (otherwise out-of-warranty) MacBook Pro.

I was ecstatic! I’d previously looked into paying out of pocket for a screen replacement, and the total would have been $$$ and out of my price range, but this would be free! I made a Genius Bar appointment immediately and headed straight to the closest Apple Store.

Apple visit #1:

After a quick inspection my Genius rep said my MacBook Pro was covered under the program. Then he proceeded to ask some questions: Had I backed up my computer? and, most notably for this story, he asked:

Genius: Do you have FileVault turned on?

FileVault is a disk encryption program in Mac OS X 10.3 and later. It performs on-the-fly encryption with volumes on Mac computers.

Yes, I said. It was reassuring to me that he even asked this question. I told him I’d need to wait until the following week to turn over the Mac because it was needed for work.

He said I could drop it off any day before Tuesday, and then it would be shipped to a repair facility in Houston. The turn-around time would be a few days.  … Great!

Apple visit #2

Fast forward to Tuesday…

Off from work and with a few other errands to make that evening, I called the Apple Store and asked when the repair pickup from the store would be made (where the devices are taken off to the repair center), so my device could be checked in before the next outgoing batch. The rep said that the delivery people hadn’t made their pickup yet, but they would probably be by very soon. I prioritized making it straight over there.

After checking my photo ID and looking at my computer’s lock screen, the first thing the Genius asks me is:

Could you disable the computer’s administrator password?

Me: Huh? What do you mean?

Genius: Could you turn off the password on the device?

Me: Are there other options?

Genius: Well, if they need to access your computer and the password is enabled, they’ll re-image your hard drive and reinstall the OS. Did you make a backup?

…

Turning off your computer’s password (disabling the lock screen) before handing it over is a nutso proposition:, you are essentially giving any handler of that device full access to its data. Bad things have happened to unattended devices in the repair industry, computer access should be as limited as possible.

Flustered, and not excited about the prospects of having to restore my computer’s state from a single spinning external drive, I slowly made my way to System Preferences > Users (like so). I stalled as some questions raced through my head:

–   Why had the Genius from my last visit asked if I used FileVault, if I was now being asked to remove my password?

–   Wasn’t Apple all about privacy? This didn’t seem in line with that.

–   Was this even necessary for a screen replacement? Could this not be handled by some BIOS interface that didn’t need an admin password?

[Update: via feedback on Twitter: screen replacements don’t require an admin password, so this ask was completely uncalled for].

–   Why had the Genius on my last visit not notified me about this “needing to unlock the computer” thing? My preparations for the visit would have been entirely different, instead he asked about disk encryption…

The Genius seemed as rushed as I was (still trying to get my computer in the store’s outbox before the delivery people showed up).

Then, this happened:

Genius: What’s your administrator password?

I was shocked.

Why had he not started with this question?

Many normal customers would have, by this point in the story, already disabled their Mac’s administrator password.

Giving Apple your password (while still a reason for concern), where it’s stored in their customer-management platform, is a MUCH BETTER OPTION THAN REMOVING IT — and should completely NEGATE the “need” to disable the computer’s password under all circumstances.

See, if you remove your Mac’s password, anyone that handles your machine can do whatever they want with it. Including the delivery people, anyone in the room with the device at the Apple Store, unrelated or miscellaneous workers at the repair center, etc.. And when they mess with the device, there would be no trail of them having done so. That’s very scary.

However, if you give a Genius the password, only a handful of people who have access to Apple’s backend can have their way with your machine, and there will (presumably) be a log of them accessing your password. This is also somewhat scary but a bit more reasonable.

And again, the reason this is a big deal is because many normal customers would have, at this point in the story, already disabled their Mac’s admin password.  This is not OK, because it represents a completely unnecessary degradation of customers’ security.

My guess is that Apple’s retail operation has seen that asking for a customer’s password is met with more resistance than asking to merely disable it. But that doesn’t matter, turning it off outright is clearly the worse option.

There’s a history of bad things happening to unprotected/unattended devices in the repair industry, see https://www.techmeme.com/search/query?q=geek+squad&wm=false. This is a point in a computer’s lifecycle, more so than any other perhaps, where device security and auditable handling is necessary.

—

Stressed and still wanting to turn my computer over before the pickup, I gave the Genius my password and then furiously began logging out of apps, like OneNote, Chrome, etc.. I thought about unlinking Dropbox, but what was the point — the data would have still been there. Resigned, I gave it the Genius.

When I got the device back several days later, I couldn’t have been happier from a hardware perspective — the MBPro looked brand new.

But I was dismayed (though not surprised) to learn that, despite logging out of Chrome, the browser did not clear its “Managed Passwords” from its on device storage.  Whatever, it didn’t really matter anyway, if an Apple repair tech wanted to be nefarious with my password, it was hopeless anyway as the Keychain Access would have been his/her’s too.

I guess the main takeaways from the experience are the following:

Geniuses and Apple Support Advisors should should stop telling people to altogether disable administrator passwords, and should know if the admin password is truly necessary for a given repair.

[Update: via feedback on Twitter: screen replacements don’t require an admin password, so this ask was completely uncalled for, which makes #3 even more pressing. Don’t ask your customers to downgrade security unnecessarily].

Further reflections:

When I called before my 2nd visit to the Apple Store, the rep volunteered (unsolicited) the name of the firm that was to take the devices from the store to the repair center. That implies the devices were not in Apple’s custody the entire time, another reason disabling password is a ridiculous ask.