Security Researcher Demonstrates Taking Control Of A New Mac On Its First Wi-Fi Connection

Macs have a reputation for resisting malware and viruses. That reputation has limits, as security researchers demonstrated at the Black Hat conference in Las Vegas with a method that took control of a brand new Mac and installed arbitrary malware on the device’s first-ever Wi-Fi connection. Here are the details of the vulnerability.

A Vulnerability Discovered In macOS Allows Researchers To Take Control Of A Mac On Its First Wi-Fi Connection

A vulnerability in the Mobile Device Management (MDM) enrollment flow on a Mac allowed the researchers to install arbitrary malware, and to do so before the owner could even see the desktop. While the vulnerability exists, the attack is not easy to perform: it requires a man-in-the-middle position against a Mac that a corporation purchased and enrolled through MDM tools so that enterprise apps are installed on first setup.

Here’s how Wired explains it:

"When a Mac turns on and connects to Wi-Fi for the first time, it checks in with Apple’s servers essentially to say, “Hey, I’m a MacBook with this serial number. Do I belong to someone? What should I do?”

If the serial number is enrolled as part of DEP and MDM, that first check will automatically initiate a predetermined setup sequence, through a series of additional checks with Apple’s servers and an MDM vendor’s servers. Companies typically rely on a third-party MDM facilitator to navigate Apple’s enterprise ecosystem. During each step, the system uses “certificate pinning,” a method of confirming that particular web servers are who they claim. But the researchers found a problem during one step. When MDM hands off to the Mac App Store to download enterprise software, the sequence retrieves a manifest for what to download and where to install it without pinning to confirm the manifest’s authenticity.

If a hacker could lurk somewhere between the MDM vendor’s web server and the victim device, they could replace the download manifest with a malicious one that instructs the computer to instead install malware."
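The check that the description above says was missing at the manifest step, as an added example (not code from Apple, Fleetsmith, Dropbox or Wired): a simulated version of the MDM-to-App-Store manifest hand-off in Python, once without a pin check and once with one. The TLS layer, the two servers, the key bytes, the pin values and the manifest layout are all constructed for the example; the manifest shape is a simplified stand-in, not Apple’s exact schema.

```python
"""Simulated MDM -> App Store manifest hand-off, with and without pinning.

Added example; not code from Apple, Fleetsmith, Dropbox or Wired. The TLS
layer is simulated: each "server" presents the DER SubjectPublicKeyInfo (SPKI)
of its certificate plus a plist manifest. A pin is base64(SHA-256(SPKI)), the
form used by HPKP and most mobile pinning libraries.
"""
import base64
import hashlib
import hmac
import plistlib
from dataclasses import dataclass
from typing import Callable, Set

# DER prefix of an Ed25519 SubjectPublicKeyInfo: outer SEQUENCE, AlgorithmIdentifier
# for id-Ed25519 (OID 1.3.101.112), BIT STRING header. Constructed, not a real key.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def fake_spki(seed: bytes) -> bytes:
    """Constructed SPKI: valid DER framing around 32 bytes derived from a seed."""
    return _ED25519_SPKI_PREFIX + hashlib.sha256(seed).digest()


def spki_pin(spki_der: bytes) -> str:
    """Pin value for a public key: base64 of SHA-256 over the DER-encoded SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_manifest(pkg_url: str) -> bytes:
    """Constructed software-distribution manifest (simplified shape, assumed)."""
    manifest = {"items": [{"assets": [{"kind": "software-package", "url": pkg_url}]}]}
    return plistlib.dumps(manifest)


@dataclass
class TlsResponse:
    peer_spki: bytes  # SPKI of the certificate the peer presented
    body: bytes       # manifest bytes returned over that connection


class PinMismatch(Exception):
    """Raised when the peer's key matches none of the configured pins."""


# Constructed parties: the real MDM vendor and an attacker sitting on the path.
VENDOR_SPKI = fake_spki(b"legitimate mdm vendor key")
ATTACKER_SPKI = fake_spki(b"man-in-the-middle key")
VENDOR_PINS: Set[str] = {spki_pin(VENDOR_SPKI)}

LEGIT_PKG = "https://mdm.example.com/packages/agent.pkg"
EVIL_PKG = "https://mdm.example.com.attacker.example/implant.pkg"


def vendor_server() -> TlsResponse:
    return TlsResponse(VENDOR_SPKI, build_manifest(LEGIT_PKG))


def mitm_server() -> TlsResponse:
    # The attacker's certificate chains to a CA the client trusts, so ordinary
    # TLS validation passes; only a pin tells it apart from the vendor's key.
    return TlsResponse(ATTACKER_SPKI, build_manifest(EVIL_PKG))


def package_url(manifest: bytes) -> str:
    """Pull the package URL the Mac would be told to download and install."""
    items = plistlib.loads(manifest)["items"]
    return items[0]["assets"][0]["url"]


def fetch_manifest_unpinned(fetch: Callable[[], TlsResponse]) -> str:
    """The gap described above: the manifest is trusted with no pin check."""
    return package_url(fetch().body)


def fetch_manifest_pinned(fetch: Callable[[], TlsResponse], pins: Set[str]) -> str:
    """Same hand-off with the pin check the other enrollment steps perform."""
    resp = fetch()
    observed = spki_pin(resp.peer_spki)
    if not any(hmac.compare_digest(observed, p) for p in pins):
        raise PinMismatch(f"peer key pin {observed} not in configured pins")
    return package_url(resp.body)


if __name__ == "__main__":
    print("unpinned, vendor :", fetch_manifest_unpinned(vendor_server))
    print("unpinned, MitM   :", fetch_manifest_unpinned(mitm_server))
    print("pinned,   vendor :", fetch_manifest_pinned(vendor_server, VENDOR_PINS))
    try:
        fetch_manifest_pinned(mitm_server, VENDOR_PINS)
    except PinMismatch as exc:
        print("pinned,   MitM   : rejected ->", exc)
```

Running the block shows the unpinned fetch accepting whichever manifest arrives, including the attacker’s, while the pinned fetch rejects the man-in-the-middle’s key before it ever parses the manifest. In a real client the SPKI would come from the live TLS peer certificate rather than a constructed value, and the pin set would be shipped with the enrollment agent; the point is that pinning has to cover the manifest fetch, not only the steps before it.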

The malware is not only capable of actions like screen-grabbing and key-logging; it could also include tools that probe the corporation’s entire network for further vulnerabilities. The flaw was identified by Jesse Endahl, chief security officer of Mac management firm Fleetsmith, together with Max Bélanger, a staff engineer at Dropbox.

“One of the aspects that’s scary about this is if you’re able to set this up at the company level you could infect everybody depending on where you do the man-in-the-middle,” Bélanger says. “This all happens very early in the device’s setup, so there aren’t really restrictions on what those setup components can do. They have full power, so they’re at risk of being compromised in a pretty special way” […]

“The attack is so powerful that some government would probably be incentivized to put in the work to do it,” Endahl says.

The researchers notified Apple of the vulnerability, and Apple has already rolled out a fix in macOS 10.13.6. Macs still running an older version of macOS remain exposed until they are updated.

There will be more to the story, so be sure to stay tuned in for more details.