Researchers at the Black Hat security conference revealed an exploit that allows hackers compromise a Mac the first time it connects to Wi-Fi.
The Apple supply chain is one of the most protected manufacturing operations in the world but, according to a report in Wired, this may not always be enough to prevent a compromise.
Jesse Endahl, chief security officer at the Mac management company Fleetsmith, and Max Bélenger, staff engineer at Dropbox, revealed details of a bug in some Mac set-up tools.
Enterprise Macs affected
The tools in question – Device Enrolment Program and Mobile Device Management – are used to let employees of an enterprise walk through the set-up of a Mac for enterprise. They can be used even when working from home or a different premises.
The tools allow for companies to ship computers directly from Apple warehouses to employees. Devices will immediately configure to join the company ecosystem after connecting to Wi-Fi for the first time.
Endahl said: “We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time.
“By the time they’re logging in, by the time they see the desktop, the computer is already compromised.”
How does the bug work?
Hackers can basically create a man-in-the middle attack that can download malware or other malicious files. This can be done before a client even logs in to a new enterprise Mac for the first time.
Researchers found that Macs using Mobile Device Management to ascertain which apps need to be installed had no certificate pinning to verify an app download manifest. A manifest lets the machine know what apps to download and where to install them. This flaw allows for the possible installation of malicious code.
While the exploit is technically achievable, hackers would require access to the correct tools and privileges to make it practical to carry out.
Dedicated cyber-criminals or governments could be compelled to attempt the attack, as it presents the chance to access a company’s entire network.
Apple already armed with a patch
Apple released a fix in macOS High Sierra 10.13.6 in July, but this does not totally solve the issue. Devices that have already been built and run on an earlier OS will still be vulnerable to attack.
The researchers also implored mobile management vendors that help companies set up the Apple enterprise scheme must also support the latest OS. This will help mitigate the problem.
“One of the aspects that’s scary about this is if you’re able to set this up at the company level you could infect everybody depending on where you do the man-in-the-middle,” added Bélanger.
“This all happens very early in the device’s set-up, so there aren’t really restrictions on what those set-up components can do. They have full power, so they’re at risk of being compromised in a pretty special way.”