Addressing Apple Target Disk Mode security concerns

On Apple computers, Target Disk Mode is a special boot option that allows the system's hard drives to be accessed with a FireWire cable (also with a Thunderbolt connection for newer systems). This mode can be enabled by restarting the system with the T key held down, until you see the FireWire symbol displayed on the screen. At this point you can connect the system to another Mac (or even a PC) and have its hard drives mount locally on the second system for quick access. This mode is exceptionally useful for troubleshooting, migrating accounts and data to a new computer, or even gaining quick access to a system's documents without fully booting the system; however, since it gives full access to the boot drive it creates some security concerns.

Recently CNET reader "Leonard" wrote in with such concerns about Target Disk Mode:

I've been reading through your internet security articles and am wondering whether or not there is a solution to a major Mac vulnerability. The "T" Target Hard-disk bootup allows anyone full access to all of a person's files. Is there a way to password-secure, or fully disable that access to the machine?

When you access a Mac's drive with Target Disk Mode, you are in essence turning the whole system into a large external drive that bypasses the security offered by the operating system on it. In all PC systems regardless of the make and OS used, the security is in the directory and permissions settings, and is enforced by the operating system's file-access services. If you rip the hard drive out and put it in another computer then you bypass the OS and can access all the files on the drive, which is essentially what you are doing in Target Disk Mode.

Security concerns about this are quite valid, especially since an unauthorized person with a FireWire or Thunderbolt cable and another Mac can quickly boot a system into Target Disk Mode and then copy the contents of the hard drive. Unfortunately Apple's systems by default allow for access with Target Disk Mode and other alternate boot options, but these can be managed in a couple of ways:

1. Enable a firmware password
   Apple's alternative boot options are enabled through keyboard commands at startup that tell the system's firmware to go into a specific mode or pass a specific condition to the OS X kernel when it boots up. To prevent this from happening, you can enable a firmware password to lock it down, which can be done by booting to the OS X installation DVD, and choosing Firmware Password Utility from the Utilities menu. In OS X Lion you can boot to the Recovery partition by holding Command-R at startup.

   After the password is enabled then the computer will no longer boot to Target Disk Mode until you disable the password (using this same utility). This password also prevents booting to secondary boot drives (which also will bypass the OS' security), resetting hardware parameters, and booting to alternate modes like Single User, Safe Mode, and Verbose Mode.

   Do keep in mind that the firmware password can be disabled by changing the system's hardware configuration (in other words by upgrading or downgrading RAM), so this approach does have its limitations; however, locking the computer chassis can help this.

2. Enable hard-drive encryption
   In OS X prior to Lion you could set up FileVault, which would encrypt your home folder in a dynamically resizing encrypted disk image. This setup had its limitations, so in Lion Apple implemented a volume management technology it calls CoreStorage, which allows for very dynamic volume setups (such as volume spanning), in addition to providing full-disk encryption at a sub-filesystem level so the OS is not even aware of or managing the encryption. This setup is very similar to that used by the open-source TrueCrypt encryption tool that has been a popular encryption option for Mac, Windows, and Linux users.

   In Lion, CoreStorage encryption can be enabled by turning off all FileVault accounts that were migrated from previous OS X versions, and then starting up FileVault again on the system in the Security system preferences, which will enable FileVault 2, as it has been labeled. With FileVault 2 enabled, the entire disk will now be highly encrypted and will not be accessible via Target Disk Mode (or even when physically removed it from the system) unless you first attach it to a system that supports CoreStorage and then provide a password to unlock the disk.

Watch this: Apple's Target Disk Mode: How to turn a Mac into an external hard drive

03:09

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.