Researchers Remotely Hack Brand-New MacBook On Its Very First Boot
Macs long enjoyed a reputation of "no viruses or hacks" with many
Apple's latest 2018 MacBook models certainly aren't immune from significant issues and flaws right out of the box. The high-end Core i9 version shipped with a thermal throttling problem that Apple attributed to a flaw in macOS, and a patch was later issued.
Researchers at the Black Hat security conference in Las Vegas demonstrated on Thursday that it is possible to remotely compromise a brand-new Mac the first time it connects to WiFi. The attack targets Macs that are provisioned through Apple's Device Enrollment Program (DEP) together with a Mobile Device Management (MDM) platform, the combination enterprises use to configure machines automatically without an IT administrator touching them. That pair of tools
The rub is that both DEP and MDM require privileged access on the machine to carry out that custom setup, and that setup runs before any user has logged in. The researchers who discovered the flaw are Jesse Endahl, the chief security officer at Fleetsmith, and Max Bélanger, an engineer at Dropbox. "We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time,"
The duo says that they notified Apple about the issue and that Apple released a fix in macOS High Sierra 10.13.6 last month (July 2018). Mac owners should know that systems manufactured before that release ship with an older, unpatched version of macOS, so they are still exposed during first-boot setup until they are updated. Endahl also points out that the MDM vendor an enterprise chooses must fully support 10.13.6 for the mitigation to take effect.
To pull this off, an attacker would need a man-in-the-middle position between the MDM vendor's servers and the victim device, for example on the network the new Mac joins for its first-boot setup. With such access, the attacker would be able to replace the
"One of the aspects that’s scary about this is if you’re able to set this up at the company level you could infect everybody depending on where you do the man-in-the-middle," Bélanger says. "This all happens very early in the device’s setup, so there aren’t really restrictions on what those setup components can do. They have full power, so they’re at risk of being compromised in a pretty special way."