MacOS – How to prevent storing the WiFi password on the recovery partition

Tags: filevault, macos, recovery-hd, security

I always wondered how my Mac could connect to the internet when the recovery partition is booted and my main system partition is locked (filevault2).

Some googling revealed today (e.g. here, here, and also on askdifferent) that the WiFi password is apparently stored in NVRAM and that it needs to be reset to remove the password. As a security-conscious person, this is unacceptable to me. When using Full Disk Encryption (i.e. Filevault2) I expect the system to be safe, also against my network.

So is there a way to prevent OS X from making the password available in the recovery partition? I am not sure how or when it gets into NVRAM in the first place.

UPDATE1:
The NVRAM contains the following keys (nvram -p):

BootCampHD
SystemAudioVolume
SystemAudioVolumeDB
aht-results
backlight-level
bluetoothActiveControllerInfo
bluetoothInternalControllerInfo
boot-gamma
efi-apple-recovery
efi-boot-device
efi-boot-device-data
fmm-computer-name
good-samaritan-message
gpu-policy
prev-lang:kbd

The keys efi-apple-recovery and efi-boot-device look like they could contain encrypted data.

Best Answer

I've always wondered the same thing: how to keep OS X from storing the WPA passphrase (or PSK) in NVRAM.

Using 'nvram' I could never find the variable that I thought held these credentials. Today, I tried booting to a USB live image of Linux and running Chipsec. Its command to list EFI variables has many more results than I was getting by running nvram within OS X. Among the variables in my MacBook Pro (mid-2010) were:

  • current-network
  • preferred-networks
  • security-password

The current-network variable's data includes the SSID of my home router, in plaintext. Then it is padded with 0-bytes up until the end, which is 32 bytes, and represents the 64 hex digits of the Pre-Shared Key (PSK).

The preferred-networks variable looks like the same contents as current-network.

The security-password variable holds exactly the same number of bytes as the EFI password I set, so I assume this is the Firmware Lock password. I suspect it uses some kind of masking/encoding. One theory I had is that these passwords are stored as keyboard scan codes or something, but I don't have enough info yet.

Perhaps using Chipsec or another EFI tool, you can zero out these EFI variables and set an access control / permissions flag on them so that they cannot be rewritten. Perhaps even just zeroing them out will be a workaround for you (if you just need to resell the laptop or something). It's unknown to me whether OS X rewrites them regularly or just when you change your WPA credentials.

EDIT: I just learned of a command for retrieving wifi passwords from NVRAM: /usr/libexec/airportd readNVRAM

Also, by attaching the GUID, nvram can actually read these values:

  • nvram 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network
  • nvram 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks
  • nvram 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count

So, maybe you can blow those variables away and see how it goes.

EDIT 2: as mentioned by an earlier comment, the method to delete an EFI variable is as follows (sudo required to delete): sudo nvram -d 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network

It's unclear as of yet whether the variable will return.
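The answer leaves open whether the deleted variables come back. The following is an added example, not part of the original answer: a small shell check that records which of the three variables named above are present and later reports any that reappeared, without printing or storing their values. The function names and the `NVRAM_CMD` override are assumptions made for this sketch; the GUID and variable names are the ones quoted in the answer.

```shell
#!/bin/sh
# Added example: track whether the Wi-Fi NVRAM variables named in the answer
# come back after `sudo nvram -d`. Only present/absent is recorded, never values.

WIFI_GUID="36C28AB5-6566-4C50-9EBD-CBB920F83843"   # GUID quoted in the answer
WIFI_VARS="current-network preferred-networks preferred-count"
NVRAM_CMD="${NVRAM_CMD:-nvram}"   # assumption: hook so a stub can stand in for nvram

# Print "name=present" or "name=absent" for each variable.
# Returns 2 if the nvram command is not available at all.
wifi_nvram_snapshot() {
    command -v "$NVRAM_CMD" >/dev/null 2>&1 || { echo "nvram not found" >&2; return 2; }
    for name in $WIFI_VARS; do
        # nvram exits non-zero when the variable does not exist
        if "$NVRAM_CMD" "${WIFI_GUID}:${name}" >/dev/null 2>&1; then
            echo "${name}=present"
        else
            echo "${name}=absent"
        fi
    done
}

# Compare the current state with a saved snapshot file ($1).
# Prints each variable that was absent then and is present now.
# Returns 1 if any variable reappeared, 0 if none did, 2 if nvram is missing.
wifi_nvram_returned() {
    baseline="$1"
    rc=0
    snap=$(wifi_nvram_snapshot) || return 2
    for line in $snap; do
        name="${line%%=*}"
        state="${line#*=}"
        if [ "$state" = "present" ] && grep -qx "${name}=absent" "$baseline"; then
            echo "REAPPEARED ${WIFI_GUID}:${name}"
            rc=1
        fi
    done
    return "$rc"
}

# Usage on macOS, after deleting the variables:
#   wifi_nvram_snapshot > /tmp/wifi-nvram.baseline
#   ...reboot, rejoin the network, change the passphrase...
#   wifi_nvram_returned /tmp/wifi-nvram.baseline
```

Running the comparison after each event (reboot, rejoining the network, changing the passphrase) shows which action, if any, causes the variables to be written again.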