Remote Mac hack relies on MDM bug Apple patched in latest macOS update

As reported by Wired, Jesse Endahl, chief security officer at Mac management company Fleetsmith, and Dropbox staff engineer Max Bélanger uncovered a bug in Apple's enterprise hardware management setup tools that can be used to gain remote access to a target Mac. The pair plan to demonstrate the exploit on Thursday.

Notably, hackers can — with some difficulty — construct a man-in-the-middle attack that downloads malware or other malicious software before a client logs in to a new Mac for the first time.

Apple's enterprise tools, the Device Enrollment Program and Mobile Device Management platform, work in tandem to provide an easy IT setup regimen for companies deploying a large number of devices to their workers.

With the help of firms like Fleetsmith, companies that take part in MDM programs can send employees new hardware directly from Apple. When an employee opens and logs in to their new Mac for the first time, it connects to Apple's servers, as well as those run by the MDM vendor, to retrieve a configuration manifest.

The Mac skips from server to server to pick up the assets provisioned to complete an automated setup process, one that ultimately results in a custom configured machine ready for integration with the MDM customer's infrastructure. Endahl and Bélanger discovered a problem with Apple's certificate pinning, which authenticates web servers throughout the configuration process.

In particular, the researchers found a bug in Apple's MDM sequence that, when the process hands the machine over to the Mac App Store, fails to complete pinning to confirm the authenticity of an app download manifest, the report said. The hole provides an opportunity for hackers to install malicious code on a target Mac remotely and without alerting the end user.

"We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time," Endahl says. "By the time they're logging in, by the time they see the desktop, the computer is already compromised."

While technically possible, would be hackers would need access to the right tools and privileges to make such an attack is feasible. For instance, Endahl was only able to demonstrate the vulnerability by using Fleetsmith's MDM privileges to set up a certified server and tainted payload. That said, a dedicated hacker — or motivated government — might be compelled to attempt the attack as it presents potential access to a corporation's entire network of managed Macs.

"One of the aspects that's scary about this is if you're able to set this up at the company level you could infect everybody depending on where you do the man-in-the-middle," Bélanger said. "This all happens very early in the device's setup, so there aren't really restrictions on what those setup components can do. They have full power, so they're at risk of being compromised in a pretty special way."

Apple was notified of the exploit and issued a fix in the latest macOS High Sierra 10.13.6 update released last month, though users are still vulnerable. As noted by Wired, though the bug was addressed a month ago, there are likely many Macs that remain in channel inventory running older, un-patched versions of the operating system. Further, MDM firms processing Mac deployments also need to support the latest macOS 10.13.6 release to counter the exploit, according to Endahl and Bélanger.