Tracking a stolen Macbook

Tuesday, May 13, 2008

A friend of mine recently had a Powerbook stolen when his home was burglarized. Even though he had serial numbers for most of the large items that were taken, the police told him there was little chance he would ever get back any of the items. Luckily no one was home during the incident. Having the security of your home violated sucks, but it is a little better if the thief gets caught and you get your stuff back.

A few years ago I read a story on Slashdot that described someone who happened to have a remote access program installed on his Mac and was able to use it to track down the thief after it was stolen. I had just bought a Macbook Pro and I decided that I needed a program to help me locate my new laptop if it were ever stolen. Being too cheap and not wanting to trust a commercial service, I chose to write my own scripts for this. Last weekend there was yet another article on Slashdot about recovering a stolen Macbook, so it seems to be a recurring topic and I hope this post helps someone looking for an inexpensive solution to this problem. Of course there are a few services that you can pay to help recover your Mac, but they all cost money and I think that's kind of like buying those extended warranties for electronics. The odds of it being worthwhile are so low you're better off just saving the money.

For Macbook owners a little upfront effort can greatly increase the probability of getting your Mac back if it's ever stolen. The most important thing you can do is keep regular backups of your important data. If you want to keep your data private then you can also turn on the "FileVault" feature to encrypt your files. My script might help recover your laptop but there are no guarantees. So enough with the narrative and on to the details.

UPDATE (May 16, 2011): Not long after I finished this post the Prey project was released. Since then it's rapidly matured and I'd recommend using it instead of my scripts. But please read on if you'd like to see the rest of the details of my original post.

The script is pretty simple. It periodically checks a web page that tells it whether everything is "normal" or that it has been "stolen". If it has been stolen you just change the web page and the script will start uploading details of the network it is connected to, along with pictures of the screen and photos from the built-in iSight camera (like the one of Mr. Bunny here). The goal is that the network details will help the police locate the laptop and the photos will provide a positive identification of the thief.

Basic Requirements:
  1. A Mac with OS X 10.4, 10.5 or 10.6 (that's all I've tried so far).
  2. You need to be comfortable editing text files
    (TextEdit works fine if you set the "Format" to "Plain Text")
  3. You need to have some knowledge of "Terminal"
  4. You need access to a web server that supports PHP scripts
  5. Optionally you need a server where you can run a Perl script
    (if you want to be able to ssh back into your missing Mac)

Setup steps:
  1. Download and install these scripts to your /Applications/Utilities/ folder
    checkin
    isightcapture
    tcpforward
  2. Make checkin executable
    You can do this in Terminal with the command
    "chmod +x /Applications/Utilities/checkin"
  3. Use TextEdit to edit checkin so the variables are appropriate for your installation
  4. Make checkin run periodically by creating the .plist file in /Library/LaunchDaemons/checkin.plist
  5. Download filetransfer.php, edit its variables, and then copy it to your web server (it needs to be configured with your email address and the folder path where it will save uploaded files)
  6. On the web server make sure the folder where the uploaded files are saved is writable by the web server
    "chmod a+rwx path/to/folder/"
  7. Use TextEdit to create a file named macbook-checkin with only the word "normal" in it. Then copy it to your web server.
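
Step 4 does not show the .plist itself. The following is an added example of such a launchd job, not the author's own file: the label local.checkin and the RunAtLoad key are assumptions, and the 1200-second interval is the 20 minutes mentioned under "How to use it".

```shell
#!/bin/sh
# Added example: a launchd job for the checkin script (not the author's plist).
LABEL="local.checkin"                      # assumed job label
PROGRAM="/Applications/Utilities/checkin"  # install path from step 1
INTERVAL=1200                              # 20 minutes, in seconds

# Print the job definition; redirect it to /Library/LaunchDaemons/checkin.plist.
checkin_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>$PROGRAM</string>
    </array>
    <key>StartInterval</key>
    <integer>$INTERVAL</integer>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# A LaunchDaemon runs as root, so the plist and the script it starts must not
# be writable by group or others. Returns 0 when the file passes that check.
not_writable_by_others() {
    [ -e "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# On the Mac, as root:
#   checkin_plist > /Library/LaunchDaemons/checkin.plist
#   chown root:wheel /Library/LaunchDaemons/checkin.plist "$PROGRAM"
#   chmod 644 /Library/LaunchDaemons/checkin.plist; chmod 755 "$PROGRAM"
#   launchctl load -w /Library/LaunchDaemons/checkin.plist
```

Running not_writable_by_others against both the plist and the checkin script after installation confirms that no other local account can change what the root job executes.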

How to use it:

If your Mac is stolen (or to test it) change the word "normal" to "stolen" in the macbook-checkin file on your web server. Then every 20 minutes it will upload files to your web server.
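
The status check described above, as an added example rather than the author's checkin script: it accepts only a body that is exactly the word "normal" or "stolen", so a captive-portal login page or an error page never triggers (or suppresses) reporting. STATUS_URL and the function names are assumptions.

```shell
#!/bin/sh
# Added example of the status check; not the author's checkin script.
# Placeholder URL. https keeps a hostile network from forging the status word.
STATUS_URL="https://www.example.com/macbook-checkin"

# Fetch the status page. --fail turns HTTP errors into a non-zero exit and
# --max-time stops the job hanging on a network with no route out.
fetch_status() {
    curl --silent --fail --max-time 20 "$STATUS_URL"
}

# Map a response body to normal | stolen | unknown. Only a body that is
# exactly one word counts, so a login or error page that merely contains
# "stolen" is never treated as a trigger.
classify_status() {
    word=$(printf '%s\n' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d')
    case "$word" in
        normal) echo normal ;;
        stolen) echo stolen ;;
        *)      echo unknown ;;
    esac
}

# One pass of the periodic job: prints the action it would take.
checkin_once() {
    if reply=$(fetch_status); then
        state=$(classify_status "$reply")
    else
        state=unknown
    fi
    case "$state" in
        stolen) echo report ;;       # gather details and upload them
        normal) echo idle ;;         # nothing to do
        *)      echo retry-later ;;  # no trustworthy answer; wait for next run
    esac
}

# Constructed sample bodies, classified offline.
for sample in "normal" "Stolen" "<html>Please log in: stolen</html>" ""; do
    printf '[%s] -> %s\n' "$sample" "$(classify_status "$sample")"
done
```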

If you want to log in to the Mac with ssh, run this command on the server you configured as the TUNNELHOST in the checkin script:

"perl tcpforward -l TUNNEL_HOST_IP:26969 -l TUNNEL_HOST_IP:26922"

This lets the checkin script create the reverse TCP tunnel to get you past most firewalls. After the checkin script next runs, you will be able to log in with this command:

"ssh -p 26922 TUNNEL_HOST_IP"

(of course you'll want to change TUNNEL_HOST_IP and the ports so that they are correct for your setup)


That's it! Hopefully you'll never need to use it, but it's nice to know it's there if you need it.

11 comments:

Miss J said...

Nice post, Ben! xo J

jody said...

I love that you check your cameras with a bunny.

wmstr said...

I agree - cool thing!
You could also enter serial number for stolen mac here:

http://www.mark-up.com/stolen/report-apple-stolen.htm

Ervin said...

I am interested in your post. I am new to using Mac. Does it work on Mac OS Snow Leopard 10.6? Or maybe it needs some update?

thx before

Ben said...

This has been working for me since 10.4. It got some minor updates for 10.5 and continues to work fine on 10.6. Since the scripts are documented and open it's a good idea to read the files and make any changes that make sense for your personal environment.

Tim said...

Hi Ben,

I can't seem to get this to run automatically. I've created the .plist file exactly as described.

Tim

djchrisblew said...

What id your MacBook has already been stolen, can you do that exactly but from another Mac or PC?

chris blew
djchrisblew@gmail.com

djchrisblew said...

Oops, I mean what if it has already been stolen?

cmholm said...

djchrisblew, if your laptop has already taken a walk, and you don't have 'Back To My Mac' or some other similar method for reaching out and touching your system, you're probably toast. Even if you had left it with ssh login enabled, the core problem is that you don't know the IP address.

If the thief uses your IM account and you can spot it, it's sometimes possible to use a bit of social engineering to get them to connect to you directly, so that netstat or similar tools can capture the address.

freespinner said...

Hi Ben,
I am trying to get this awesome system of yours working. I am having a couple of difficulties.

I can't seem to get the testfile to upload to the web-server, and the ssh tunnel working.

I have a qnap110 server running a web-server and it has php and perl running so they are working.

I am testing over a local network so access to the server from the test machine is easy. Snow on mac, checkin.txt reads "macbook" status on server OK then runs the interrogation ok - but then it fails to send the file to the filetransfer.php on the server... Any ideas?

pkclSoft said...

Another free option, though slightly different is the open-source app iAlertU (http://sourceforge.net/projects/ialertu/).

There is also an iPhone app that allows you to connect to your Mac remotely and get images from the webcam (http://www.pkclsoft.com/pkclsoft/ualertme.html) which isn’t free, but is close enough to being so.