Security Researchers Take Control Of A Brand New Mac By Hacking It During The First Setup Process

Technology giant Apple is known for the security of the software that powers its device lineup, including the iPhone, iPad, Apple Watch, and the Mac. However, researchers have disclosed a flaw suggesting that Apple’s Mac computers could be compromised fresh out of the box. According to one report, this bug targets Mac devices that are part of Apple’s Device Enrollment Program (DEP) and Mobile Device Management (MDM) program. It was presented at the Black Hat security conference in Las Vegas, Nev., on August 9th.

Let’s start by detailing what the bug entails. A report from Wired explains that a Mac, when configured for the first time, checks its serial number with Apple’s servers. If the server detects a corporate computer, it automatically launches a “predetermined configuration interface” that follows a process involving Apple’s servers as well as the third-party MDM provider.

From this point on, the process relies on “certificate pinning”, a method of verifying the identity of the web servers involved. However, there seems to be a vulnerability at one stage of this process: the one where the MDM transmits the device’s identity to the Mac App Store in order to install relevant software and applications. During this step, the researchers discovered that “the sequence retrieves a manifest for what to download and where to install it without pinning to confirm the authenticity of the manifest.”
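To make the missing check concrete, here is an added example (not code from the researchers, Apple, or any MDM vendor) of a client that pins the manifest download on top of ordinary CA validation. The host, path, pin set and certificate byte strings are constructed placeholders, and pinning the SHA-256 of the whole certificate rather than of its public key is an assumption made for brevity.

```python
import hashlib
import http.client
import ssl


class PinMismatch(Exception):
    """The certificate may chain to a trusted CA, but it is not the pinned one."""


def fingerprint(der_cert: bytes) -> str:
    # SHA-256 over the DER-encoded certificate presented by the server.
    return hashlib.sha256(der_cert).hexdigest()


def is_pinned(der_cert: bytes, pins: set) -> bool:
    return fingerprint(der_cert) in pins


def require_pin(der_cert: bytes, pins: set) -> None:
    if not is_pinned(der_cert, pins):
        raise PinMismatch(fingerprint(der_cert))


def fetch_manifest(host: str, path: str, pins: set, timeout: float = 10.0) -> bytes:
    """Download a manifest only from a server presenting a pinned certificate."""
    ctx = ssl.create_default_context()  # CA chain and hostname checks stay on
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.connect()  # TLS handshake happens here, before any request is sent
        # A CA-valid certificate is not enough: it must also match a pin.
        require_pin(conn.sock.getpeercert(binary_form=True), pins)
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError("manifest fetch failed: HTTP %d" % resp.status)
        return resp.read()
    finally:
        conn.close()


# Constructed stand-ins for DER certificates (not real certificates).
EXPECTED_CERT = b"constructed: certificate of the expected manifest server"
OTHER_VALID_CERT = b"constructed: different certificate that a public CA would accept"
PINS = {fingerprint(EXPECTED_CERT)}

if __name__ == "__main__":
    print("expected server pinned:", is_pinned(EXPECTED_CERT, PINS))
    print("other CA-valid server pinned:", is_pinned(OTHER_VALID_CERT, PINS))
```

The pin check runs after the handshake and before the request, so a server that passes CA validation but is not pinned never gets asked for the manifest.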

So, the report goes on, if a hacker were somehow able to intervene at this point and redirect users to their own portal, this could lead to the installation of spyware and malware on the victim’s computer, compromising their data. In addition, the victim’s computer could serve as an entry point into other computers on the corporate network. This is especially true for employees working from home, because they are likely to use ordinary consumer routers to access the internet.

Although it is indeed a bug, it comes with several caveats. First, performing such a sophisticated attack is difficult and expensive for average cybercriminals. However, the bug is not out of reach for well-motivated and well-funded hackers. A valid web certificate is also needed to execute the plan, which is difficult to obtain.

Despite the bug, the researchers who ran the test praised the security of Apple’s applications, noting that Apple’s software kills all malicious applications after they are installed on a Mac computer. Apple has already released a patch for this issue with macOS High Sierra 10.13.6, but devices shipped with an older version will remain vulnerable until the update is installed.

Compsmag