Tech giant Apple is known for its secure suite of software that powers its range of devices including the iPhone, iPad, Apple Watch, and the Mac. However, researchers have come out with a new revelation that suggests Apple’s Mac computers could be compromised right out-of-the-box. According to a report, this bug targets Mac devices that are part of Apple’s Device Enrollment Program (DEP) and Mobile Device Management (MDM) platform. It was showcased at the Black Hat security conference in Las Vegas, Nevada on August 9.
Let’s start off with detailing what the bug entails. A report by The Wired explains that a Mac, when it’s set up for the first time, checks on Apple’s servers to verify the serial number. If the server detects an enterprise computer, it automatically initiates a “predetermined setup interface” that follows a process involving Apple’s servers as well as the third-party MDM vendor’s.
Now, “certificate pinning”, a process to verify Web servers, is undertaken. However, there seems to be a vulnerability at one step in this process. The one where the MDM hands over the device’s identity to the Mac App Store in order to install relevant software and apps. At this process, researchers found out, “the sequence retrieves a manifest for what to download and where to install it without pinning to confirm the manifest’s authenticity”.
Thus, the report goes on to say, if a hacker were to somehow get in at this point and redirect users to their own portal, it could end up with the installation of spyware and malware on the victim’s computer ending up compromising their data. Furthermore, this victim computer could act as an entry point into other computers in the enterprise’s network. This is especially true for employees working from home, considering they are likely to use consumer-grade routers for Internet access.
While a bug indeed, it comes with its fair share of caveats. Firstly, carrying out such a sophisticated attack is difficult and expensive for average Web criminals. However, the bug does not escape the likes of well-motivated and well-funded online hackers. A valid Web certificate is also needed to carry out the plan, which is difficult to obtain.
Despite the bug, the researchers who performed the test have praised Apple’s application security considering Apple’s software kills any malicious apps after they have been installed on a Mac computer. Apple has already issued a patch for this issue with macOS High Sierra 10.13.6, however units shipping with an older version will still be vulnerable before the update is installed.