Security researchers at the Black Hat conference in Las Vegas have demonstrated a method of taking control of a brand new Mac as it makes its first Wi-Fi connection.
A vulnerability in the way Macs handle Mobile Device Management (MDM) allowed the researchers to install unlimited malware on the machine prior to its owner even seeing the desktop for the first time …
The hack is by no means easy. It requires a man-in-the-middle attack on a machine purchased by a corporation that uses MDM tools to install enterprise apps. But while it’s not an attack that could be used by casual hackers, it is something that could be employed by rogue states.
Wired explained how it works:
When a Mac turns on and connects to Wi-Fi for the first time, it checks in with Apple’s servers essentially to say, “Hey, I’m a MacBook with this serial number. Do I belong to someone? What should I do?”
If the serial number is enrolled as part of DEP and MDM, that first check will automatically initiate a predetermined setup sequence, through a series of additional checks with Apple’s servers and an MDM vendor’s servers. Companies typically rely on a third-party MDM facilitator to navigate Apple’s enterprise ecosystem. During each step, the system uses “certificate pinning,” a method of confirming that particular web servers are who they claim. But the researchers found a problem during one step. When MDM hands off to the Mac App Store to download enterprise software, the sequence retrieves a manifest for what to download and where to install it without pinning to confirm the manifest’s authenticity.
If a hacker could lurk somewhere between the MDM vendor’s web server and the victim device, they could replace the download manifest with a malicious one that instructs the computer to instead install malware.
That malware could not only include things like key-loggers and screen-grabbers, but could also include tools that look for vulnerabilities in the entire corporate network.
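The check that was missing at the manifest step can be sketched as follows. This is an added example, not Apple's or the researchers' code: it pins the SHA-256 of the server's leaf certificate on top of normal chain validation, so a certificate that chains to a trusted CA but is not the expected one is still refused. The function names, the host and path arguments and the sample byte strings are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import http.client
import ssl

def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert: bytes, pinned: set[str]) -> bool:
    """True only if the presented certificate is one of the pinned ones."""
    return cert_fingerprint(der_cert) in {p.strip().lower() for p in pinned}

def fetch_manifest_pinned(host: str, path: str, pinned: set[str],
                          timeout: float = 10.0) -> bytes:
    """Fetch a manifest over HTTPS; send no request unless the server's
    leaf certificate matches a pin."""
    ctx = ssl.create_default_context()  # CA chain and hostname checks still apply
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.connect()  # the TLS handshake happens here
        der = conn.sock.getpeercert(binary_form=True)
        if not der or not pin_matches(der, pinned):
            raise ssl.SSLError(f"{host}: certificate not pinned, manifest refused")
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 200:
            raise ValueError(f"{host}: unexpected HTTP status {resp.status}")
        return resp.read()
    finally:
        conn.close()

# Constructed stand-ins for DER certificates (not real certificates).
VENDOR_CERT = b"constructed-der-bytes:mdm-vendor"
INTERCEPTOR_CERT = b"constructed-der-bytes:interceptor-with-a-trusted-ca-cert"
PINS = {cert_fingerprint(VENDOR_CERT)}

if __name__ == "__main__":
    print(pin_matches(VENDOR_CERT, PINS))       # expected certificate
    print(pin_matches(INTERCEPTOR_CERT, PINS))  # any other certificate
```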
The issue was identified by Jesse Endahl, chief security officer of the Mac management firm Fleetsmith, and Max Bélanger, a staff engineer at Dropbox.
“One of the aspects that’s scary about this is if you’re able to set this up at the company level you could infect everybody depending on where you do the man-in-the-middle,” Bélanger says. “This all happens very early in the device’s setup, so there aren’t really restrictions on what those setup components can do. They have full power, so they’re at risk of being compromised in a pretty special way” […]
“The attack is so powerful that some government would probably be incentivized to put in the work to do it,” Endahl says.
As is usual with responsible researchers, the pair notified Apple of the vulnerability and allowed the company time to fix it before disclosing the method. The fix was rolled out in macOS 10.13.6 last month, so now only machines with older versions installed remain vulnerable.