At the beginning of the year, I bought a new M2 MacBook Air for ¥220,800 (about 1,500 USD) on Apple Japan’s online store. Thanks to me not bothering to set up Find My, it’s now a worthless brick. To add insult to injury, I had paid ¥77,619 (500 USD) to have said brick returned to me. Apple could theoretically unbrick it, but refuses to do so. Don’t make the same mistake I did, and make sure you turn on Find My.
Swapping MacBooks at airport security
This all happened because I went through airport security. As one is required to do, I removed my Midnight Blue MacBook Air from my backpack, put it on a tray, and after it went through airport security, I picked it up again.
Or so I thought. About 30 minutes before my flight was boarding, I pulled out my laptop to do some last minute work. But when I opened it up, a stranger’s profile greeted me. Evidently we had swapped laptops going through security. So I raced back, and returned the stranger’s laptop, and explained the situation.
While security managed to identify the stranger’s flight, it had already taken off. I filled out the airport’s lost item form, and boarded the plane crestfallen. I hoped I’d recover the laptop, but to prepare for the worst, ordered another new MacBook using the plane’s wifi. I could always return it if my original MacBook was returned.
An email from the United Arab Emirates
A bit over a week after I lost my MacBook, I received an email from someone in the United Arab Emirates saying they had my laptop and asking if I had theirs. I don’t know how they found me, but I told them I had returned theirs to airport security, and asked for mine back.
They agreed to send it back, but seemed a bit clueless as to how to return it. Part of this may have been because they didn’t have a fluent English ability. While it was a bit ambiguous to me who should be responsible for paying for the return from a moral perspective, it became clear the only way I’d get it back is if I ordered a courier to pick it for them.
There was a lot of back and forth between us. But after about a month after receiving the initial email from the stranger, a package arrived from the UAE. Getting it delivered was quite expensive. DHL ended up charging me ¥66,519, which was more than the initial estimate they gave me. I also needed to pay ¥11,100 of import duties on it - it didn’t seem to matter that the MacBook was mine.
A box filled with exotic scents and crushed dreams
I eagerly opened the box, which had a distinctly exotic scent - perfume or spices, I couldn’t quite place it. Sure enough, there was a bubble wrapped Midnight Blue MacBook Air. Opening it up, there was a Japanese keyboard. Everything good so far.
Booting it up, something was a bit strange though. Rather than being greet by my login screen, I saw “Activate Mac”, and was prompted to select a wifi network. I did this, and then was shown an “Activation Lock” screen.
This Mac is linked to an Apple ID. Enter the Apple ID and password that was previously used with this Mac. p·····@icloud.com
Weird. My Apple ID uses my tokyodev.com email address, not an iCloud one. There was an option to “Use Device Password”.
Enter the password that was previously used to unlock this Mac.
I entered my password.
The operation couldn’t be completed. The password for this Mac can no longer be used to remove Activation Lock. The password was entered incorrectly too many times.
Uh oh. What do I do now, I thought to myself. Some searching brought up Apple’s documentation about how to remove Activation Lock.
If you need help removing Activation Lock and have proof of purchase documentation, you can start an Activation Lock support request.
I bought the MacBook from Apple, and so I thought this should be straightforward enough. I went through their support request form, attaching the invoice their online store gave me. Then I waited.
Apple refuses to disable the Activation Lock for me
After two weeks of waiting, I got fed up, and contacted Apple’s normal support about it. Their support representative was able to confirm that I had submitted a request to disable the activation lock, but the team responsible for that had rejected my request the same day (but I didn’t receive any notification about it).
The support representative wanted to really make sure of everything, and included having them use remote access on my iPhone. They were surprised to see that the locked MacBook was showing up in my list of iCloud devices, but a different iCloud account was showing up on the unlock screen of the MacBook. Eventually, they concluded there might have been a problem with how I submitted the support request. It asked for the purchase date. I entered the 請求日 (invoice date) whereas they thought I should have entered the 注文日 (order date). These were both in the receipt, but whatever, I submitted another request.
Four days later I received an email about the first activation lock request.
We are unable to process your request at this time.
Ten days since I received that email, I still have not received any update on my second unlock request.
How did it get locked in the first place?
It remains a mystery as to how the Activation Lock got activated in the first place. I have a couple of theories though.
I set up Find My with an Apple ID that I don’t remember
That the iCloud address starts with a “p”, my first initial, is haunting me. Could it be that I somehow created an iCloud address when first setting up the MacBook? I certainly don’t remember doing this though.
Furthermore, Apple ID requires you to have a phone number associated with the account, and only allows one phone number per account. My own phone number is already connected to my tokyodev.com account, so I would have needed to set it up with a different one, which seems impossible.
The stranger wiped my MacBook, set it up for themselves, and turned on Find My
The stranger did take an awfully long time to return my MacBook. Maybe this was because they were using it for themselves until their own was returned. If I hadn’t set up Find My for the MacBook, they should have been able to wipe it themselves. When they set it up for themselves, they could have set up Find My, and now the Activation Lock would be enabled.
If they then reported the device as lost, Activation Lock should have been turned on. Furthermore, Apple explicitly states that they won’t remove the activation lock for devices in Lost Mode.
I suppose this is theoretically possible. I did ask them if they recognized the icloud address, but they didn’t. The only way this makes any sense is if they were being malicious, but I doubt that’s the case.
There’s a bug with Activation Lock
Apple’s T2 Security Chip allows a maximum of 90 unlock attempts. If those attempts are exhausted, access to the disk should be unrecoverable, but it should be possible to wipe the MacBook by starting it in recovery mode.
I tried doing this, but when doing so, I’m prompted to disable the Activation Lock. This is the expected behavior if Find My had been activated, but not if it wasn’t.
The stranger could have tried to brute force my password. Eventually they exhausted the unlock attempts. What if there’s a bug in this case, and somehow the system is prompting me to unlock it via a non-existent Apple ID. My username starts with a “p”, so I could theoretically see a programmer using a
[email protected] address as a placeholder.
It seems unlikely that such a bug would slip through, but it is certainly possible. I’d love for someone at Apple to prove me wrong by explaining what actually happened.
The problem with being too secure
I get why Apple doesn’t want to tell me why they’re rejecting my requests to disable the activation lock, as it would help an attacker figure out how they might get a stolen MacBook unlocked.
I also understand that they must receive a lot of requests in relation to MacBooks that people bought “used”, and so they want to minimize their time spent actually reviewing the requests.
But come on! I bought the MacBook from Apple. I’m clearly the owner. They presumably can see that my Apple ID is associated with it. The only case I can think of where they legitimately shouldn’t unlock it is if I sold it to someone else and then stole it back from them.
With removing the Activation Lock, I could only wipe the MacBook anyways. There’s no one’s data at stake. Surely in a case like this, it’s better to let me wipe it.
Simultaneously being this strict and allowing MacBooks to be set up without turning on Find My creates a channel for abuse. An attacker could “prank” someone by wiping their MacBook, activating it with their own Apple ID, and then reporting it as lost. The victim then has no way to recover it.
Since Apple isn’t able to handle legitimate requests to disable the Activation Lock like mine, you should turn on Find My on your own MacBook, or risk it becoming a brick like mine.