A brand-new Mac can be hacked remotely during its first Wi-Fi connection

Apple MacBook-review-lid
Bill Roberson/Digital Trends

If you’re using a company-issued Mac running a version of Apple’s operating system prior to MacOS High Sierra 10.13.6, you will want to tell your system administrator to upgrade your OS to the latest version. At the Black Hat security conference in Las Vegas, researchers demonstrated a method where a malicious actor could remotely take control of a new Mac due to vulnerabilities with Apple’s corporate Device Enrollment Program (DEP) and Mobile Device Management (MDM) tools.

A new Mac could be compromised when it connects to a Wi-Fi network, security officer Jesse Endahl from Fleetsmith and Dropbox staff engineer Max Belanger discovered. Apple has since patched the security flaw last month when it released the MacOS 10.13.6 software update, so companies will want to migrate their Mac fleet to the latest software and not issue employees a Mac with a prior version of the OS out of the box.

“We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time,” Endahl told Wired. “By the time they’re logging in, by the time they see the desktop, the computer is already compromised.”

Typically, when you begin setting up a Mac, the device communicates with Apple’s servers to identify itself. If Apple’s server recognizes that the Mac’s serial number is registered with the DEP, it will initiate an MDM configuration sequence. Most companies hire a Mac management firm, like Fleetsmith, to help facilitate MDM provisioning to allow Macs to download the necessary programs required by the company. For security, Apple employs certificate pinning to identify web servers, but when the MDM hands off to the Mac App Store to download enterprise apps, “the sequence retrieves a manifest for what to download and where to install it without pinning to confirm the manifest’s authenticity,” Wired reported.

This opens up a vulnerability where a malicious hacker could replace the original manifest with a malicious one. When this happens, the computer could be instructed to download malware, like keyloggers, spyware, cryptojacking software, or software that could monitor the corporate network and spread itself to other devices. “And once a hacker has set up the attack, it could target every single Apple computer a given company puts through the MDM process,” Wired said.

Though the attack cannot be easily pulled off, it still represents a dangerous vulnerability given that hackers can just target one Mac to gain entry into an entire corporate network. “The attack is so powerful that some government would probably be incentivized to put in the work to do it,” Endahl said.

Computing

Just when you thought spam was dead, it’s back and worse than ever

Spam emails might seem like an outdated way to spread malware, but in 2018 they are proving to be the most effective attack vector thanks to new techniques and tricks.
Emerging Tech

Police body cams are scarily easy to hack into and manipulate, researcher finds

Nuix cybersecurity expert Josh Mitchell has demonstrated how it is possible to hack into and potentially manipulate footage from police body cams. The really scary part? It's shockingly easy.
Gaming

Storytelling masterpiece ‘Gone Home’ is headed to the Nintendo Switch

Fullbright's acclaimed first-person adventure game Gone Home will arrive to Nintendo Switch later this month. The game is available now on PC, Mac, Linux, PlayStation 4, and Xbox One.
Smart Home

White-hat Chinese hackers turn Alexa into a spy, briefly

A team of Chinese researchers revealed this week that they were able to use a cracked Amazon Echo to exploit a series of Alexa interface flaws to take control over an unteuched Echo running on the same network.
Computing

Windows 10 can split and resize windows with ease. Here's how to do it

Windows 10 is a great desktop operating system, and its many window management features are part of the reason why. Here's how to divvy up windows using Snap Assist and other native tools.
Computing

Apple AR glasses will launch in 2020, says respected industry analyst

Apple AR glasses may be closer to reality than we thought. Here is everything we know so far about the augmented reality system, including the rumored specifications of Apple's Project Mirrorshades.
Photography

A turn for the better: Loupedeck+ adds custom dials, more to Lightroom console

The Loupedeck+ improves on the original Lightroom console by adding welcome customization options and introducing support for Skylum Aurora HDR. What's even better is that it does this all at an even lower price.
Social Media

How to use Adobe Spark Post to spice up your social media images

Images are proven to get more likes than plain text -- but only if those images are good. Adobe Spark post is an AI-powered design program for non-designers. Here's how to use it to take your social media feeds to the next level.
Mobile

Google One subscriptions offer more cloud storage for low prices, other perks

Can't get enough storage on Google Drive, Photos, or Gmail? Google One is the new way to boost your cloud storage. But it's not just about more space -- Google One comes with a loads of benefits.
Computing

Intel serves up ‘Bean Canyon’ NUCs revved with ‘Coffee Lake’ CPUs

Looking for a super-compact PC for streaming media that doesn’t break the bank? Intel updated its NUC family with its new “Bean Canyon” kits. Currently, there are five with a starting price of $300 packing eighth-generation Intel Core…
Deals

Save hundreds with the best MacBook deals for August 2018

If you’re in the market for a new Apple laptop, let us make your work a little easier: We hunted down the best up-to-date MacBook deals available online right now from various retailers.
Computing

Lost without 'Print Screen'? Here's how to take a screenshot on a Chromebook

Chrome OS has a number of built-in screenshot options, and can also be used with Chrome screenshot extensions for added flexibility. You have a lot of options, but learning how to take a screenshot on a Chromebook is easy.
Computing

Gaming on a laptop has never been better. These are your best options

Gaming desktops are powerful, but they tie you down to your desk. For those of us who prefer a more mobile experience, here are the best gaming laptops on the market, ranging from budget machines to maxed-out, wallet-emptying PCs.
Computing

A dead pixel doesn't mean a dead display. Here's how to repair it

Dead pixel got you down? We don't blame you. Check out our guide on how to fix a dead pixel and save yourself that costly screen replacement, or an unwanted trip to your local repair shop.