Security researchers at the Black Hat conference in Las Vegas have demonstrated a method of taking control of a brand new Mac as it makes its first Wi-Fi connection.

A vulnerability in the way Macs handle Mobile Device Management allowed them to install unlimited malware on the machine prior to its owner even seeing the desktop for the first time …

The hack is by no means easy. It requires a Man in the Middle attack of a machine purchased by a corporation which uses MDM tools to install enterprise apps. But while it’s not an attack that could be used by casual hackers, it is something that could be employed by rogue states.

Wired explained how it works.

When a Mac turns on and connects to Wi-Fi for the first time, it checks in with Apple’s servers essentially to say, “Hey, I’m a MacBook with this serial number. Do I belong to someone? What should I do?”

If the serial number is enrolled as part of DEP and MDM, that first check will automatically initiate a predetermined setup sequence, through a series of additional checks with Apple’s servers and an MDM vendor’s servers. Companies typically rely on a third-party MDM facilitator to navigate Apple’s enterprise ecosystem. During each step, the system uses “certificate pinning,” a method of confirming that particular web servers are who they claim. But the researchers found a problem during one step. When MDM hands off to the Mac App Store to download enterprise software, the sequence retrieves a manifest for what to download and where to install it without pinning to confirm the manifest’s authenticity.

If a hacker could lurk somewhere between the MDM vendor’s web server and the victim device, they could replace the download manifest with a malicious one that instructs the computer to instead install malware.

That malware could not only include things like key-loggers and screen-grabbers, but could also include tools that look for vulnerabilities in the entire corporate network.

The issue was identified by Jesse Endahl, chief security officer of the Mac management firm Fleetsmith, and Max Bélanger, a staff engineer at Dropbox.

“One of the aspects that’s scary about this is if you’re able to set this up at the company level you could infect everybody depending on where you do the man-in-the-middle,” Bélanger says. “This all happens very early in the device’s setup, so there aren’t really restrictions on what those setup components can do. They have full power, so they’re at risk of being compromised in a pretty special way” […]

“The attack is so powerful that some government would probably be incentivized to put in the work to do it,” Endahl says.

As is usual with responsible researchers, the pair notified Apple of the vulnerability and allowed the company time to fix it before disclosing the method. The fix was rolled out in macOS 10.13.6 last month, so now only machines with older versions installed remain vulnerable.

Check out 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear