Remote Mac hack relies on MDM bug Apple patched in latest macOS update
Researchers at the Black Hat security conference at Las Vegas intend to demonstrate an exploit in Apple's enterprise tools that lets well-equipped hackers compromise a Mac the first time it connects to Wi-Fi, though the bug has already been patched in the latest macOS High Sierra update.
As reported by Wired, Jesse Endahl, chief security officer at Mac management company Fleetsmith, and Dropbox staff engineer Max Blanger uncovered a bug in Apple's enterprise hardware management setup tools that can be used to gain remote access to a target Mac. The pair plan to demonstrate the exploit on Thursday.
Notably, hackers can -- with some difficulty -- construct a man-in-the-middle attack that downloads malware or other malicious software before a client logs in to a new Mac for the first time.
Apple's enterprise tools, the Device Enrollment Program and Mobile Device Management platform, work in tandem to provide an easy IT setup regimen for companies deploying a large number of devices to their workers.
With the help of firms like Fleetsmith, companies that take part in MDM programs can send employees new hardware directly from Apple. When an employee opens and logs in to their new Mac for the first time, it connects to Apple's servers, as well as those run by the MDM vendor, to retrieve a configuration manifest.
The Mac skips from server to server to pick up the assets provisioned to complete an automated setup process, one that ultimately results in a custom configured machine ready for integration with the MDM customer's infrastructure. Endahl and Blanger discovered a problem with Apple's certificate pinning, which authenticates web servers throughout the configuration process.
In particular, the researchers found a bug in Apple's MDM sequence that, when the process hands the machine over to the Mac App Store, fails to complete pinning to confirm the authenticity of an app download manifest, the report said. The hole provides an opportunity for hackers to install malicious code on a target Mac remotely and without alerting the end user.
"We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time," Endahl says. "By the time they're logging in, by the time they see the desktop, the computer is already compromised."
While technically possible, would-be hackers would need access to the right tools and privileges to make such an attack feasible. For instance, Endahl was only able to demonstrate the vulnerability by using Fleetsmith's MDM privileges to set up a certified server and tainted payload. That said, a dedicated hacker -- or motivated government -- might be compelled to attempt the attack, as it presents potential access to a corporation's entire network of managed Macs.
"One of the aspects that's scary about this is if you're able to set this up at the company level you could infect everybody depending on where you do the man-in-the-middle," Blanger said. "This all happens very early in the device's setup, so there aren't really restrictions on what those setup components can do. They have full power, so they're at risk of being compromised in a pretty special way."
Apple was notified of the exploit and issued a fix in the latest macOS High Sierra 10.13.6 update released last month, though not every user is protected yet. As noted by Wired, though the bug was addressed a month ago, there are likely many Macs that remain in channel inventory running older, unpatched versions of the operating system. Further, MDM firms processing Mac deployments also need to support the latest macOS 10.13.6 release to counter the exploit, according to Endahl and Blanger.
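An added example, not code from the article or from Fleetsmith, for the deployment-side check the preceding paragraph implies: filtering a fleet inventory for Macs still running a macOS build older than 10.13.6 before they are trusted to go through DEP enrollment. Serial numbers and version strings are constructed sample data.

```python
"""Added example (not from the article or any MDM vendor): flag Macs whose
macOS version predates the 10.13.6 update that carries Apple's fix for the
DEP/MDM pinning bug described above."""
import re
from typing import List, Tuple

PATCHED_VERSION = (10, 13, 6)  # macOS High Sierra release carrying the fix


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.13.6' into (10, 13, 6); pad missing components with zeros so
    that '10.13' compares as 10.13.0. Raises ValueError on junk such as ''."""
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not match:
        raise ValueError(f"not a macOS version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def needs_patch(version: str) -> bool:
    """True when the build is older than 10.13.6. Tuples compare numerically,
    so a hypothetical 10.13.10 sorts after 10.13.6 (a plain string comparison
    would wrongly place it before)."""
    return parse_version(version) < PATCHED_VERSION


def unpatched_serials(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return serials of machines that must be updated before their DEP
    enrollment is trusted. An unparseable version is treated as unpatched,
    since the safe default for an unknown build is to hold it back."""
    flagged = []
    for serial, version in inventory:
        try:
            if needs_patch(version):
                flagged.append(serial)
        except ValueError:
            flagged.append(serial)
    return flagged


if __name__ == "__main__":
    # Constructed inventory: serials are placeholders, not real devices.
    sample = [("SAMPLE-0001", "10.13.4"), ("SAMPLE-0002", "10.13.6"),
              ("SAMPLE-0003", "10.14"), ("SAMPLE-0004", "10.12.6"),
              ("SAMPLE-0005", "unknown")]
    print("update before enrolling:", unpatched_serials(sample))
```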
Comments
Well, you get the drift.
Apple has a bad approach and low quality testing and coding these days, and that is a fact I found out from a buddy who just left their development team in Mac in Cupertino. We are from the same region in finance (NYC). You cannot afford to be that arrogant to business users in our area. That is why Apple is niche in it. You do test and support working stuff or you are gone in no time. Updates and upgrades are rolled out in proper waves and timing - vendor can do this at any time but when something breaks they are "Johnny-on-the-spot" and fix overnight or else. I know what was done in Goldman Sachs at the time and trust me even Microsoft had to bend and listen.
People who slam others with "always use the latest version for security reasons" generally don't have any concept of what others do with their systems, need from their systems, and can afford. Your absolutist position is NOT reasonable.
"...hackers would need access to the right tools and privileges to make such an attack is feasible."
Remove "is".
In a production environment this may be different, but then again I'd never recommend running macOS there. That is a Linux domain.
Amazing, someone's very first comment on AI was actually insightful and worthwhile. Thanks Scotius.
If you don't work in the data security industry or a similar subset of IT, then I guarantee I know more about this than you do. And every single word you typed is raging, blathering idiocy, a sure sign of being an Apple hater lover who makes things up on the spot. Your OPINION about Apple's quality is laughable, literally laughable.
See what I did there?
Stop projecting your own use cases on other people. You do this all the time and it makes you look stupid.