Protect Your Data From Target Disk Mode Security Risks [OS X Tips]


Apple computers have a unique boot option called Target Disk Mode, which allows access to a system’s hard drives via a FireWire cable on older Macs and a Thunderbolt cable on newer models. You enter Target Disk Mode by pressing and holding the “T” key while the system starts, until you see either the FireWire or Thunderbolt symbol on the screen.

Once you see the symbol appear, you can connect your computer to another Mac or PC, and the hard drives on the Mac in Target Disk Mode will mount on the other system with full access. Since anyone who does this has full access to the startup disk, your data’s security is compromised, but there are a few ways to fix that. I’ll show you how in today’s tip.

There are three primary ways to protect your data from prying eyes, either before or after your system boots into Target Disk Mode: encryption, a firmware password and restricting physical access to your Mac.

File Vault, File Vault 2 or Third-Party Encryption

The easiest way to protect your data from prying eyes is to use File Vault. File Vault is available on all Macs, but only Macs running Mac OS X Lion have File Vault 2, which includes full disk encryption. The version of File Vault in Mac OS X Snow Leopard protects only the user’s Home folder. There are also third-party apps like Exces or PGP that you can use as encryption options on your Mac (virtual drives, full disk encryption, etc.).

You activate File Vault 2 via the Security & Privacy preferences panel inside System Preferences. I’ve got a how-to about using File Vault 2 on systems running Mac OS X Lion that will show you how to fully encrypt your startup disk. So why would you do this? The reason is that even in Target Disk Mode the encrypted disk isn’t accessible unless you have the password. Bonus: You can go a step further using this other how-to I wrote about using File Vault 2 to encrypt external drives.

Firmware Password

Simply enabling a firmware password would prevent access to your Mac’s startup disk, because unless you know that password your Mac will not even boot into Target Disk Mode. Mac OS X Lion’s new Recovery HD partition has the utility needed to set the firmware password. Just restart your Mac while pressing and holding the Command+R keys and your Mac will boot into the recovery partition. You’ll find the Password Utility on the Utilities menu once you see the recovery partition’s menu.

A lengthy explanation of enabling a firmware password is found in this Apple Knowledge Base document: http://support.apple.com/kb/HT1352. People using Macs that don’t support the recovery partition or Macs running Mac OS X Snow Leopard should read HT1352.

It is important to note that in some cases, if you lose your firmware password, you may have to visit an Apple authorized service center to get it reset. So make sure that you keep a record of it.

Restrict Physical Access

The firmware password isn’t 100% foolproof, because hardware changes can cause your Mac to bypass it. This means you might not need that service center visit after all, but it also means that firmware passwords aren’t all that great either. Physical access restrictions are the best way to protect your Mac: if, for example, you lock a MacBook Air in a drawer, not even you will be able to use it, but your data is safe from everyone, including you!

Conclusion

In summary, you have three options to protect your data from being accessed via Target Disk Mode, listed from most to least effective: restrict physical access to your Mac, File Vault encryption and a firmware password. The first option is the best since no one can get to your Mac, while the second is best when used in combination with the latter. The firmware password will act as a deterrent for less experienced hackers or thieves, but since it can be bypassed, encryption is what saves the day in the end. If you use File Vault and a firmware password you’ll be able to access your data in the best possible way with the fewest hassles.
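To check which of these protections a Mac actually has, here is an added example (not part of the original article) that rates Target Disk Mode exposure from the output of the `fdesetup status` and `firmwarepasswd -check` command-line tools. It assumes a later OS X release than Lion, since those tools shipped after it; the function names and rating labels are hypothetical, and the fallback output is constructed sample text.

```shell
#!/bin/sh
# Added example: rate Target Disk Mode exposure.
# $1 = text printed by `fdesetup status`
# $2 = text printed by `firmwarepasswd -check` (needs root)
tdm_exposure() {
    case "$1" in
        *"FileVault is On"*)  fv=on ;;
        *"FileVault is Off"*) fv=off ;;
        *)                    fv=unknown ;;   # tool missing or unexpected output
    esac
    case "$2" in
        *"Password Enabled: Yes"*) fw=on ;;
        *"Password Enabled: No"*)  fw=off ;;
        *)                         fw=unknown ;;   # e.g. not run as root
    esac
    case "$fv/$fw" in
        *unknown*) echo "unknown" ;;         # never report "safe" on missing data
        on/on)     echo "protected" ;;       # encrypted disk + password before TDM boot
        on/off)    echo "encrypted-only" ;;  # TDM boots, but the disk stays locked
        off/on)    echo "deterrent-only" ;;  # readable if the password is bypassed
        *)         echo "exposed" ;;         # TDM mounts the disk with full access
    esac
}

# On a Mac, query the real tools; elsewhere fall back to constructed
# sample output so the script still runs.
tdm_audit() {
    if command -v fdesetup >/dev/null 2>&1 &&
       command -v firmwarepasswd >/dev/null 2>&1; then
        fv_out=$(fdesetup status 2>/dev/null) || fv_out=""
        fw_out=$(firmwarepasswd -check 2>/dev/null) || fw_out=""
    else
        fv_out="FileVault is Off."       # constructed sample
        fw_out="Password Enabled: No"    # constructed sample
    fi
    tdm_exposure "$fv_out" "$fw_out"
}

tdm_audit
```

Run it as root on the Mac being checked; without root the firmware check returns nothing and the rating is reported as `unknown` rather than guessed.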

  • Badass_sweet_007

    basically try to keep your Mac somewhere safe or best with you as often as possible plus back up your data 

  • Asdf2QWERF

    Unless you’re a doctor or a lawyer, don’t use file vault. Only bad things will come from it.

  • techn0lady

    FYI – You cannot bypass the firmware password on the Intel Macs that have been out since ’09 or so. The replace memory trick only works on the older PPC Macs.

  • DavidWMartin

    Actually File Vault 2 works really well and I’m pleased with it so far, but of course I keep encrypted backups as well.

  • Jameslove7

    not true… Just did it on a new late 2011 iMac.

  • Sário Nunes

    And remember, the harder it is to access your information, the harder it will be to recover it if you have a problem and either you don’t have backups or Time Machine’s backups are corrupted.

  • CryptonomiTom

    Also, you can keep your mac inside a closet, and then put a metal doorframe in the closet door, and then turn the frame into a super-magnet (in the usual way). Then, if the fuzz come and take your mac, they’ll carry it through the magnetized door frame and then all your hard disk are belong to us. Sorry, I mean they will be erased. 

About the author

David W. Martin has more than 20 years of experience in the industry as a programmer, systems and business analyst, author, and consultant. David has written for CNET's iPhoneatlas.com, MacLife.com, CultofMac.com, BYTE.com and recently for aNewDomain.net. He comes to Cult of Mac's website with deep knowledge of and passion for all things Apple. Follow David on Twitter @david_w_martin or see what he's up to now at davidwmartin.com.

Posted in Mac, OS X, Tips & Tricks