How to prevent storing the WiFi password on the recovery partition?
Solution 1:
I've always wondered the same thing: how to keep OS X from storing the WPA passphrase (or PSK) in NVRAM.
Using 'nvram' I could never find the variable that I thought held these credentials. Today, I tried booting to a USB live image of Linux and running Chipsec. Its command to list EFI variables has many more results than I was getting by running nvram within OS X. Among the variables in my MacBook Pro (mid-2010) were:
- current-network
- preferred-networks
- security-password
The current-network variable's data includes the SSID of my home router, in plaintext. Then it is padded with 0-bytes up until the end, which is 32 bytes, and represents the 64 hex digits of the Pre-Shared Key (PSK).
The preferred-networks variable looks like the same contents as current-network.
The security-password variable holds exactly the same number of bytes as the EFI password I set, so I assume this is the Firmware Lock password. I suspect it uses some kind of masking/encoding. One theory I had is that these passwords are stored as keyboard scan codes or something, but I don't have enough info yet.
Perhaps using Chipsec or another EFI tool, you can zero out these EFI variables and set an access control / permissions flag on them so that they cannot be rewritten. Perhaps even just zeroing them out will be a workaround for you (if you just need to resell the laptop or something). It's unknown to me whether OS X rewrites them regularly or just when you change your WPA credentials.
EDIT:
I just learned of a command for retrieving wifi passwords from NVRAM:
/usr/libexec/airportd readNVRAM
Also, by attaching the GUID, nvram can actually read these values:
nvram 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network
nvram 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks
nvram 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count
So, maybe you can blow those variables away and see how it goes.
EDIT 2: As mentioned by an earlier comment, the method to delete an EFI variable is as follows (sudo required to delete):
sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network
It's unclear as of yet whether the variable will return.
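The following is an added example, not part of the original answer: a POSIX shell script that checks whether the three Wi-Fi variables named above are set, deletes them, and re-checks afterwards so you can see whether OS X has written them back. The GUID and variable names come from the answer; the function names and the `NVRAM_CMD` override are hypothetical, and the script assumes `nvram` exits non-zero when a variable is not set.

```shell
#!/bin/sh
# Added example: audit / clear the Wi-Fi NVRAM variables named in the answer.
# GUID and variable names are from the answer; everything else is assumed.
GUID="36C28AB5-6566-4C50-9EBD-CBB920F83843"
WIFI_VARS="current-network preferred-networks preferred-count"
# NVRAM_CMD is a hypothetical override so the logic can be run against a stub.
NVRAM_CMD="${NVRAM_CMD:-nvram}"

# Succeeds if the variable exists. Assumption: nvram exits non-zero for a
# variable that is not set. The value is discarded because it contains the PSK.
wifi_var_present() {
    "$NVRAM_CMD" "$GUID:$1" >/dev/null 2>&1
}

# Print one "name: present|absent" line per variable.
# Returns 1 if any variable is still present, 0 if all are absent.
wifi_nvram_audit() {
    found=0
    for v in $WIFI_VARS; do
        if wifi_var_present "$v"; then
            echo "$v: present"
            found=1
        else
            echo "$v: absent"
        fi
    done
    return "$found"
}

# Delete every variable that is present (needs root), then re-audit.
# Returns 0 only if nothing is left afterwards.
wifi_nvram_clear() {
    for v in $WIFI_VARS; do
        if wifi_var_present "$v"; then
            "$NVRAM_CMD" -d "$GUID:$v" || echo "failed to delete $v" >&2
        fi
    done
    wifi_nvram_audit
}

# Usage: sh script.sh audit    or    sudo sh script.sh clear
case "${1:-}" in
    audit) wifi_nvram_audit ;;
    clear) wifi_nvram_clear ;;
esac
```

Running `audit` again after a reboot or after rejoining a network shows whether the variables have returned.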