Experts describe a new way of hacking a MacBook

A new MacBook can be remotely hacked at first boot.

Laptops running macOS in enterprise networks can be hacked through the system's mobile device management (MDM). The attack is not the simplest to carry out, but according to the experts who discovered the vulnerability it is well within reach of hackers working for governments.

Two security experts, Jesse Endahl of the company Fleetsmith and Max Bélanger, a Dropbox employee, demonstrated at the Black Hat conference how to compromise a new Apple MacBook in a corporate environment the first time it is used and connected to the local network.

The experts used Apple's MDM protocol to extract the manifest and substitute the applications requested by the victim with malicious ones.

MDM allows corporate administrators to remotely manage macOS and iOS devices, including installing and uninstalling apps, locking devices or resetting them to factory settings.

Every time a new device is added to the corporate network, it receives a "configuration profile". This is done automatically by the Device Enrollment Program (DEP).

Computers running macOS automatically connect to the MDM server during first boot or after a factory reset. The DEP profile forwarded to the device is generated automatically on the MDM server and includes the information needed for setup (the server URL, certificates, etc.).

Using the InstallApplication command, administrators can install specialized applications. The command takes a manifest URL; the response to that request is an XML file containing all the information needed to install the application.

The experts demonstrated that with a MitM attack this manifest can be manipulated and, consequently, the installed applications replaced. Such an attack is difficult to carry out, the experts say, but entirely realistic, at least for professional criminals, including those working for intelligence services.

Apple received the information in April 2018 and in early May confirmed the validity of Endahl and Bélanger's findings. The bug was fixed in the macOS 10.13.6 update: Apple's MDM system now has an InstallEnterpriseApplication command, which lets MDM vendors supply special certificates that pin the request to the ManifestURL. This removes the possibility of application substitution.
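As an added illustration (not code from the article, from Apple or from the researchers), the following Python model contrasts the two flows described above: an unpinned manifest fetch, where whatever manifest the client receives is trusted, and a pinned flow, where the manifest is accepted only from a server whose certificate matches a distributed pin. The manifest key names, certificate bytes, URLs and package contents are constructed assumptions.

```python
import hashlib
import plistlib
from urllib.parse import urlparse

# Constructed stand-ins for certificate bytes (not real DER certificates).
LEGIT_CERT_DER = b"constructed: DER of the MDM vendor's manifest-host leaf cert"
MITM_CERT_DER = b"constructed: DER of a cert a network attacker could present"
# Pin set: SHA-256 of the leaf certificate the MDM vendor distributes to the client.
PINS = {hashlib.sha256(LEGIT_CERT_DER).hexdigest()}

def build_manifest(pkg_bytes, url, bundle_id):
    """Build a manifest in an items/assets/metadata plist shape
    (key names are assumed for this example, not taken from the article)."""
    return plistlib.dumps({"items": [{
        "assets": [{"kind": "software-package", "url": url,
                    "sha256s": [hashlib.sha256(pkg_bytes).hexdigest()]}],
        "metadata": {"bundle-identifier": bundle_id, "kind": "software"}}]})

def validate_install(manifest_bytes, server_cert_der, pkg_bytes, expected_bundle_id, pins=PINS):
    """Return 'ok' or a 'reject: ...' reason. pins=None models the unpinned
    InstallApplication flow, where any manifest the client receives is trusted."""
    if pins is not None and hashlib.sha256(server_cert_der).hexdigest() not in pins:
        return "reject: manifest server certificate is not pinned"
    manifest = plistlib.loads(manifest_bytes)
    item = manifest["items"][0]
    if item["metadata"].get("bundle-identifier") != expected_bundle_id:
        return "reject: unexpected bundle identifier"
    asset = next(a for a in item["assets"] if a.get("kind") == "software-package")
    if urlparse(asset["url"]).scheme != "https":
        return "reject: package URL is not https"
    if hashlib.sha256(pkg_bytes).hexdigest() not in asset.get("sha256s", []):
        return "reject: package hash does not match manifest"
    return "ok"

# Constructed packages: the vendor's agent and a substituted one.
GOOD_PKG = b"constructed bytes of the legitimate agent.pkg"
EVIL_PKG = b"constructed bytes of a substituted package"
GOOD_MANIFEST = build_manifest(GOOD_PKG, "https://mdm.example.test/agent.pkg", "com.example.agent")
# A MitM manifest is internally consistent: its hash matches the substituted package,
# so hashes inside an unauthenticated manifest give the client no protection.
EVIL_MANIFEST = build_manifest(EVIL_PKG, "https://mdm.example.test/agent.pkg", "com.example.agent")

def demo():
    return {
        "legit": validate_install(GOOD_MANIFEST, LEGIT_CERT_DER, GOOD_PKG, "com.example.agent"),
        "mitm_unpinned": validate_install(EVIL_MANIFEST, MITM_CERT_DER, EVIL_PKG, "com.example.agent", pins=None),
        "mitm_pinned": validate_install(EVIL_MANIFEST, MITM_CERT_DER, EVIL_PKG, "com.example.agent"),
        "swapped_pkg": validate_install(GOOD_MANIFEST, LEGIT_CERT_DER, EVIL_PKG, "com.example.agent"),
    }
```

`demo()` returns "ok" for both the legitimate install and the unpinned MitM case, which is the weakness the researchers exploited; only the pinned check rejects the substituted manifest.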

"Laptops based on macOS are of interest for all sorts of attacks because in a corporate environment they will most likely be used by policy makers, through whom key information passes," said Oleg Galushkin, an information security expert at SEC Consult Services. "Therefore, even if carrying out such attacks is out of reach for ordinary hackers, the degree of threat from them should not be underestimated."

© 2018, paradox. All rights reserved.
