Benedict's Soapbox

Genius Bar Security Shortcomings

Here’s a little story about Apple’s Genius Bar and security.

I recently took my MacBook Air to the Apple Store in Covent Garden to be repaired (keyboard, obvs). A few days after taking it in I received a phone call. I was told that the repair was almost complete; the only thing left to do was to run some diagnostic tests to ensure that the repair was successful. To run these tests Apple would need firmware access, which requires a password. I was then asked to supply my firmware password over the phone. I hesitated and eventually declined to supply it. The person then suggested that I could come in to the store and either enter my password manually, write it on a scrap of paper, or just skip the diagnostics. (The diagnostics would take 2-3 hours, so I decided to skip the tests rather than kill time. Also, if there are any more problems I can just take it back in.)

I asked some friends about this and one of them told a similar story: Apple asked for the password when he took his machine in and then stored it in plain text in the repair notes. Obviously these are only two very small data points, but my guess is that they are indications of a systematic shortcoming rather than individual employees not following process.

I’m not a security expert, so I’m not in a position to fully dissect the shortcomings here. I do know, however, that:

In the grand scheme of things these aren’t big problems, but Apple can, and given their stance on privacy and security should, do better.

Finally, here’s the chat I had with Apple Support (on re-reading I think I come off as unnecessarily indignant):

initial tweets

private messages