drduh / macOS-Security-and-Privacy-Guide

Guide to securing and improving privacy on macOS

Home Page:https://drduh.github.io/macOS-Security-and-Privacy-Guide/


Please add in these features from the usnistgov

gh0st-1 opened this issue · comments

commented

https://github.com/usnistgov/macos_security

loads of commands that could be added to this guide!

new security issue for m1 Mac

It is possible to put a MacBook Pro with Apple Silicon into DFU mode without requiring a password, according to my understanding. This could potentially allow a hacker with physical access to the device to load malware firmware or wipe the device. In the past, firmware passwords were used on Intel-based Macs to prevent this type of attack. However, it is unclear what measures are currently in place to prevent such an attack on Apple Silicon Macs.

One way an attacker could exploit this vulnerability is by modifying the firmware to insert malicious code and then signing it with a fake Apple signature. The attacker could then put the MacBook Pro into DFU mode and load the malicious firmware onto the device.
It is not clear why there are no safeguards in place to prevent this type of attack on Apple Silicon Macs.


Enabling FileVault is enough for Apple Silicon chips. See https://support.apple.com/en-us/HT204455

commented

Looks like a good addition to the guide, or at least a reference to it - please make a PR for review. Thank you!

So you only want an updated part for Apple Silicon chips?

commented

> So you only want an updated part for Apple Silicon chips?

Yep, I think that's the most relevant platform for this guide.

So just to be clear - Full Security and FileVault prevent this for Apple silicon Macs?

> So just to be clear - Full Security and FileVault prevent this for Apple silicon Macs?

Full security is default. See my link from #420 (comment)

> So just to be clear - Full Security and FileVault prevent this for Apple silicon Macs?

> Full security is default. See my link from #420 (comment)

Yeah but I mean, does it solve the OP's concern about being able to put macOS into DFU mode without a password? Just wondering if my PR would close this issue.

> new security issue for m1 Mac
>
> It is possible to put a MacBook Pro with Apple Silicon into DFU mode without requiring a password, according to my understanding. This could potentially allow a hacker with physical access to the device to load malware firmware or wipe the device. In the past, firmware passwords were used on Intel-based Macs to prevent this type of attack. However, it is unclear what measures are currently in place to prevent such an attack on Apple Silicon Macs.
>
> One way an attacker could exploit this vulnerability is by modifying the firmware to insert malicious code and then signing it with a fake Apple signature. The attacker could then put the MacBook Pro into DFU mode and load the malicious firmware onto the device. It is not clear why there are no safeguards in place to prevent this type of attack on Apple Silicon Macs.

Ok so, it's possible to put a Mac into DFU mode without a password but it will erase everything. This is called "restore". You can keep your files if you have the FileVault password, this is called "revive". This is intentional behavior. On Apple silicon Macs, you can't load malicious firmware onto it because it uses the root of trust burned into it in the factory to verify that the firmware is signed by Apple. You can't just make a "fake Apple signature" because it's based on public key cryptography; you'd need Apple's private key or it won't work.

As for the NIST link, it tries to cover several different threat models and it is constantly updated; this guide would get outdated very quickly if it tried to follow it. I think we could link to it in the intro, something like "If you're securing computers for an organization, follow the official NIST guidelines:". I think that would be better, since someone like that probably needs to be using that rather than this guide.
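The reply above rests on one defender-side precondition: the "revive" path that keeps data is only meaningful if FileVault is actually on. The following script is an added example, not part of the issue thread or of the guide, that checks that precondition from `fdesetup status` output. The parsing is split out into functions so it can be exercised offline with constructed sample output on a machine without `fdesetup`; the sample strings are constructed for this example, and the report wording is mine.

```shell
#!/bin/sh
# Added example (not from the issue thread or the guide): report whether
# FileVault is enabled, based on the output of `fdesetup status`.
# Parsing is factored out so it can be tested with constructed sample text.

# filevault_on OUTPUT -> returns 0 when the text says FileVault is On, 1 otherwise.
filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# filevault_report OUTPUT -> one-line summary for the administrator.
# The wording ties the status back to the DFU "restore" vs "revive" behaviour
# discussed in the thread: restore wipes the disk; revive needs the FileVault password.
filevault_report() {
    if filevault_on "$1"; then
        echo "OK: FileVault is on; DFU restore wipes the disk and revive requires the FileVault password"
    else
        echo "WARN: FileVault is off; data on the internal disk is not protected by the user's password"
    fi
}

# Constructed sample outputs, used when fdesetup is not available (e.g. on Linux).
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."

main() {
    if command -v fdesetup >/dev/null 2>&1; then
        status="$(fdesetup status 2>/dev/null)"
    else
        # Not on macOS: fall back to the constructed sample so the script still runs.
        status="$SAMPLE_OFF"
    fi
    filevault_report "$status"
}

main
```

On an Apple silicon Mac the secure boot policy that the thread calls "Full Security" can be inspected with `bputil -d` run as root; the script above deliberately does not parse that output, since its exact field layout is not shown on this page.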