
Ex-NSA staffer demonstrates malware bypassing security checks in High Sierra

Security researcher and former NSA staffer Patrick Wardle says that he will demonstrate on Sunday a set of automated attacks against macOS High Sierra in which he is able to bypass security checks.

The checks are ones that ask the user to confirm that an app should be granted permission to do things like access contacts or location data …

He was quick to point out that the exploits would not allow an attacker initial access to a Mac. But it would effectively get around Apple’s sandboxing, to allow one malicious app to gain additional permissions.

Wired reports that the exploits rely on what are known as ‘synthetic clicks,’ in which rogue code mimics a user clicking a button to grant a permission.

At the DefCon hacker conference Sunday in Las Vegas, Wardle plans to present a devious set of automated attacks he’s pulled off against macOS versions as recent as 2017 release High Sierra, capable of so-called synthetic clicks that allow malware to breeze through the permission prompts meant to block it. The result could be malware that, once it has found a way onto a user’s machine, can bypass layers of security to perform tricks like finding the user’s location, stealing their contacts or, with his most surprising and critical technique, taking over the deepest core of the operating system, known as the kernel, to fully control the computer.

“The user interface is that single point of failure,” says Wardle, who now works as a security researcher for Digita Security. “If you have a way to synthetically interact with these alerts, you have a very powerful and generic way to bypass all these security mechanisms.”

Wardle had previously achieved the same thing using accessibility features. Apple issued a patch to block this, and he then discovered a further workaround. Wardle says the greatest risk is that one rogue app can now potentially use this technique to take control of the kernel – something which ought to be impossible.

If malware can use that trick to install a kernel extension, it can often exploit that added code to gain full control of a target machine. Kernel extensions—like drivers in Windows—must be signed by a developer for MacOS to install them. But if an existing signed kernel extension has a security flaw, a piece of malware can install that extension and then exploit its flaw to take control of the kernel.

“A lot of advanced malware really tries to get into the kernel. It’s like god mode,” Wardle says. “If you can infect the kernel, you can see everything, bypass any security mechanism, hide processes, sniff user keystrokes. It’s really game over.”

It appears that the exploits are patched in Mojave.

Some are reporting that Apple also seems to be attempting to block synthetic clicks in macOS 10.13.6, though the extent to which this is successful is as yet unclear. We should learn more on Sunday.


Author: Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
