If you’re using a company-issued Mac running a version of Apple’s operating system prior to MacOS High Sierra 10.13.6, you will want to tell your system administrator to upgrade your OS to the latest version. At the Black Hat security conference in Las Vegas, researchers demonstrated a method where a malicious actor could remotely take control of a new Mac due to vulnerabilities with Apple’s corporate Device Enrollment Program (DEP) and Mobile Device Management (MDM) tools.
A new Mac could be compromised when it connects to a Wi-Fi network, security officer Jesse Endahl from Fleetsmith and Dropbox staff engineer Max Belanger discovered. Apple has since patched the security flaw last month when it released the MacOS 10.13.6 software update, so companies will want to migrate their Mac fleet to the latest software and not issue employees a Mac with a prior version of the OS out of the box.
“We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time,” Endahl told Wired. “By the time they’re logging in, by the time they see the desktop, the computer is already compromised.”
Typically, when you begin setting up a Mac, the device communicates with Apple’s servers to identify itself. If Apple’s server recognizes that the Mac’s serial number is registered with the DEP, it will initiate an MDM configuration sequence. Most companies hire a Mac management firm, like Fleetsmith, to help facilitate MDM provisioning to allow Macs to download the necessary programs required by the company. For security, Apple employs certificate pinning to identify web servers, but when the MDM hands off to the Mac App Store to download enterprise apps, “the sequence retrieves a manifest for what to download and where to install it without pinning to confirm the manifest’s authenticity,” Wired reported.
This opens up a vulnerability where a malicious hacker could replace the original manifest with a malicious one. When this happens, the computer could be instructed to download malware, like keyloggers, spyware, cryptojacking software, or software that could monitor the corporate network and spread itself to other devices. “And once a hacker has set up the attack, it could target every single Apple computer a given company puts through the MDM process,” Wired said.
Though the attack cannot be easily pulled off, it still represents a dangerous vulnerability given that hackers can just target one Mac to gain entry into an entire corporate network. “The attack is so powerful that some government would probably be incentivized to put in the work to do it,” Endahl said.
