Apple’s rock-solid supply chain might be churning out new Macs that are already hacked.
Getting a brand new Mac usually means you’re getting the freshest, most bug-free system possible, but security researchers have discovered that there’s a way to hack brand new Macs before they’ve even been turned on.
The attack takes advantage of enterprise Macs using Apple’s Device Enrollment Program (.pdf) and its Mobile Device Management platform. The enterprise tools allow companies to completely customize a Mac shipped to an employee straight from Apple. However, a flaw in the system allows attackers to put malware on the Macs remotely.
Hacking enterprise Macs
Jesse Endahl, chief security officer of Mac management firm Fleetsmith, and Max Bélanger, a staff engineer at Dropbox, will demonstrate the Mac security flaw today at the Black Hat security conference in Las Vegas.
“We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time,” Endahl says. “By the time they’re logging in, by the time they see the desktop, the computer is already compromised.”
Endahl and Bélanger discovered that when enterprise Macs use MDM to see which apps to install off the Mac App Store, there is no certificate pinning to verify the manifest’s authenticity. Hackers could use a man-in-the-middle exploit to install malicious apps to access data. Making matters worse, the flaw could be used to hack an entire company’s computers.
The researchers say they notified Apple about the issues. Apple fixed the vulnerability in macOS High Sierra 10.13.6, but devices that shipped with an older version of macOS may be vulnerable.