"TL;DR: all recent macOS devices are no longer safe to use if left alone, even if you have them powered down.
The root of trust on macOS is inherently broken
They can bruteforce your FileVault2 volume password
They can alter your macOS installation
They can load arbitrary kernel extensions"
Justin Engler and Paul Vines will demo a robot called the Robotic Reconfigurable Button Basher (R2B2) at Defcon; it can work its way through every numeric screen-lock Android password in 19 hours.
"The IP Box costs less than £200 and can guess all possible four-digit passwords in 111 hours.
The device bypasses the secure wipe triggered by ten bad guesses by "aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory." "
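The IP Box excerpt describes a design flaw rather than a cryptographic one: the failed-guess counter is written to flash only after the PIN comparison, so cutting power in between erases the attempt. The following is an added example (not code from the quoted article or from any real device) showing the two orderings side by side against a simulated power cut. The PIN, the flash model, the PowerCut hook and the attempt limit are all constructed for illustration.

```python
"""Added example: a lockout counter must be committed to persistent storage
before the PIN is compared, not after. Everything here (PIN value, storage
model, power-cut hook, MAX_ATTEMPTS) is constructed for illustration."""

import hashlib
import hmac
import os

MAX_ATTEMPTS = 10  # constructed limit, mirrors the "ten bad guesses" policy


class PowerCut(Exception):
    """Raised by the simulated storage when power is lost mid-operation."""


class FlashStore:
    """Persistent counter: only commit() makes a value survive a power cut."""

    def __init__(self):
        self.committed_attempts = 0   # what flash actually holds
        self._pending = 0             # RAM-side value not yet written

    def load(self):
        self._pending = self.committed_attempts
        return self._pending

    def set(self, attempts):
        self._pending = attempts

    def commit(self):
        self.committed_attempts = self._pending

    def power_cut(self):
        """Discard anything not committed and abort the current operation."""
        self._pending = self.committed_attempts
        raise PowerCut


class PinLock:
    def __init__(self, pin, store, cut_power_after_check=False):
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin)
        self.store = store
        self.wiped = False
        # Fault-injection hook: lose power right after the comparison,
        # i.e. at the point the excerpt says the IP Box cuts it.
        self.cut_power_after_check = cut_power_after_check

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 10_000)

    def _check(self, pin):
        ok = hmac.compare_digest(self._hash(pin), self.pin_hash)
        if self.cut_power_after_check:
            self.store.power_cut()  # raises PowerCut; nothing below runs
        return ok

    def try_pin_vulnerable(self, pin):
        """Counter updated after the check: a power cut forgets the attempt."""
        attempts = self.store.load()
        if attempts >= MAX_ATTEMPTS:
            self.wiped = True
            return False
        ok = self._check(pin)          # power may be lost here
        self.store.set(0 if ok else attempts + 1)
        self.store.commit()            # too late if power was lost
        return ok

    def try_pin_hardened(self, pin):
        """Counter incremented and committed first; reset only on success."""
        attempts = self.store.load()
        if attempts >= MAX_ATTEMPTS:
            self.wiped = True
            return False
        self.store.set(attempts + 1)
        self.store.commit()            # charge for the attempt before judging it
        ok = self._check(pin)          # a power cut here still leaves the charge
        if ok:
            self.store.set(0)
            self.store.commit()
        return ok


def run_guesses(method_name, guesses, cut_power):
    """Feed guesses to a fresh lock; return (committed attempts, wiped?)."""
    store = FlashStore()
    lock = PinLock("4321", store, cut_power_after_check=cut_power)  # constructed PIN
    for guess in guesses:
        try:
            getattr(lock, method_name)(guess)
        except PowerCut:
            pass
    return store.committed_attempts, lock.wiped


if __name__ == "__main__":
    wrong = ["0000"] * 5
    print("vulnerable, power cut each try:", run_guesses("try_pin_vulnerable", wrong, True))
    print("hardened,   power cut each try:", run_guesses("try_pin_hardened", wrong, True))
```

With the vulnerable ordering five wrong guesses under a power cut leave the committed counter at zero, so the limit never triggers; with the hardened ordering the counter reads five. The cost of the hardened ordering is that a legitimate user who loses power mid-check is charged one attempt, which is the right side to fail on.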
"By reverse engineering ProTrack and iTrack's Android apps, L&M said he realized that all customers are given a default password of 123456 when they sign up.
At that point, the hacker said he brute-forced "millions of usernames" via the apps' API. Then, he said he wrote a script to attempt to log in using those usernames and the default password. "
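The pattern in the ProTrack/iTrack excerpt, one client walking a long list of usernames through a login API with a known default password, is easy to miss with a detector that only counts failed logins, because many of the attempts succeed. Below is an added example (not from the quoted article, and not any vendor's code) of a small detector that instead counts distinct usernames per client within a window. The log format, field names, client addresses and sample lines are constructed for illustration.

```python
"""Added example: flag clients that try many distinct usernames against a
login endpoint, successes included. Log format and sample lines are constructed."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client address, endpoint, username, result.
SAMPLE_LOG = """\
2019-04-24T10:00:01Z 203.0.113.7 login user=alice result=fail
2019-04-24T10:00:02Z 203.0.113.7 login user=bob result=success
2019-04-24T10:00:02Z 203.0.113.7 login user=carol result=fail
2019-04-24T10:00:03Z 203.0.113.7 login user=dave result=success
2019-04-24T10:00:03Z 203.0.113.7 login user=erin result=fail
2019-04-24T10:00:04Z 203.0.113.7 login user=frank result=fail
2019-04-24T10:00:05Z 198.51.100.4 login user=alice result=fail
2019-04-24T10:00:09Z 198.51.100.4 login user=alice result=success
"""


def parse(line):
    """Split one constructed log line into (timestamp, client, user, result)."""
    ts, client, _endpoint, user, result = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        client,
        user.split("=", 1)[1],
        result.split("=", 1)[1],
    )


def flag_username_spraying(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {client: distinct_usernames} for clients that attempted at least
    `min_distinct_users` different usernames within `window` of their first
    sighting. Results are counted regardless of success, because a default
    password turns a spray into a stream of successful logins."""
    first_seen = {}
    users = defaultdict(set)
    for line in log_text.splitlines():
        ts, client, user, _result = parse(line)
        first_seen.setdefault(client, ts)
        if ts - first_seen[client] <= window:   # fixed window from first sighting
            users[client].add(user)
    return {c: len(u) for c, u in users.items() if len(u) >= min_distinct_users}


if __name__ == "__main__":
    print(flag_username_spraying(SAMPLE_LOG))
```

On the sample log the client 203.0.113.7 is flagged with six distinct usernames, two of which logged in successfully, while 198.51.100.4 (one user, one retry) is not. A production version would use a sliding window and pair the alert with a rate limit per client and a forced password change for accounts still on the default.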