Tracking a stolen Macbook

Tuesday, May 13, 2008

A friend of mine recently had a Powerbook stolen when his home was burglarized. Even though he had serial numbers for most of the large items that were taken, the police told him there was little chance he would ever get back any of the items. Luckily no one was home during the incident. Having the security of your home violated sucks, but it is a little better if the thief gets caught and you get your stuff back.

A few years ago I read a story on Slashdot that described someone who happened to have a remote access program installed on his Mac and was able to use it to track down the thief after it was stolen. I had just bought a Macbook Pro and I decided that I needed a program to help me locate my new laptop if it were ever stolen. Being too cheap and not wanting to trust a commercial service, I chose to write my own scripts for this. Last weekend there was yet another article on Slashdot about recovering a stolen Macbook, so it seems to be a recurring topic and I hope this post helps someone looking for an inexpensive solution to this problem. Of course there are a few services that you can pay to help recover your Mac, but they all cost money and I think that's kind of like buying those extended warranties for electronics. The odds of it being worthwhile are so low you're better off just saving the money.

For Macbook owners a little upfront effort can greatly increase the probability of getting your Mac back if it's ever stolen. The most important thing you can do is keep regular backups of your important data. If you want to keep your data private then you can also turn on the "FileVault" feature to encrypt your files. My script might help recover your laptop but there are no guarantees. So enough with the narrative and on to the details.

UPDATE (May 16, 2011): Not long after I finished this post the Prey project was released. Since then it's rapidly matured and I'd recommend using it instead of my scripts. But please read on if you'd like to see the rest of the details of my original post.

The script is pretty simple. It checks a web page periodically which tells it whether everything is "normal" or that is has been "stolen". If it has been stolen you just change the web page and the script will start uploading details of the network it is connected to, along with pictures of the screen, and photos from the built-in iSight camera (like the one of Mr. Bunny here). The goal is that the network details will help the police locate the laptop and the photos will provide a positive identification of the thief.

Basic Requirements:
  1. A Mac with OS X 10.4, 10.5 or 10.6 (that's all I've tried so far).
  2. You need to be comfortable editing text files
    (TextEdit works fine if you set the "Format" to "Plain Text")
  3. You need to be have some knowledge of "Terminal"
  4. You need access to a web server that supports PHP scripts
  5. Optionally you need a server where you can run a Perl script
    (if you want to be able to ssh back into your missing Mac)

Setup steps:
  1. Download and install these scripts to your /Applications/Utilities/ folder
    checkin
    isightcapture
    tcpforward
  2. Make checkin executable
    You can do this in Terminal with the command
    "chmod +x /Applications/Utilities/checkin"
  3. Use TextEdit to edit checkin so the variables are appropriate for your installation
  4. Make checkin run periodically by creating the .plist file in /Library/LaunchDaemons/checkin.plist
  5. Download and edit the variables in filetransfer.php and then copy it to your web server. (it needs to be configured with your email address and the folder path where it will save uploaded files)
  6. On the web server make sure the folder where the uploaded files are saved is writable by the web server
    "chmod a+rwx path/to/folder/"
  7. Use TextEdit to create a file named macbook-checkin with only the word "normal" in it. Then copy it your web server.

How to use it:

If your Mac is stolen (or to test it) change the word "normal" to "stolen" in the macbook-checkin file on your web server. Then every 20 minutes it will upload files to your web server.

If you want to login to the Mac with ssh run this command on the server you configured as the TUNNELHOST in the checkin script

"perl tcpforward -l TUNNEL_HOST_IP:26969 -l TUNNEL_HOST_IP:26922"

This lets the checkin script create the reverse TCP tunnel to get you past most firewalls. After the checkin script runs the next time you will be able to login with this command.

"ssh -p 26922 TUNNEL_HOST_IP"

(of course you'll want to change TUNNEL_HOST_IP and the ports so that they are correct for your setup)


That's it! Hopefully you'll never need to use it, but it's nice to know it's there if you needed it.