Apple Mac attacks 'trivial', claims security researcher
- Published
- comments
Creating malicious software that can attack Apple Mac computers is "trivial", a leading security researcher has claimed.
Patrick Wardle, from security firm Synack, demonstrated several new types of malicious software that bypassed Apple's security measures.
In one example, Apple's own iCloud service could control an attack.
The threats are known to Apple, Mr Wardle said, but the company has not yet commented on the research.
Mr Wardle was speaking at Black Hat 2015, an annual gathering of hackers and security professionals held in Las Vegas.
He commended the company's efforts in working with him to make the platform more secure, saying that the Cupertino-based firm "got security".
But he argued that Apple's increased popularity means it is attracting extra attention from cybercriminals who would commonly focus on attacking computers running Microsoft's Windows.
While Windows is still overwhelmingly attackers' platform of choice, antivirus firm Kaspersky Labs recorded a surge in Apple malware in the past couple of years.
Bypassing
The past year has seen several high-profile malware - malicious software - attacks on the Mac operating system, OS X.
Among them, iWorm and WireLurker - the latter gaining a lot of media attention. However, Mr Wardle described such threats as "grade C+" due to a simple flaw: users could see if the malware was running, and disable it.
The attacks he detailed were far more hidden than anything that had been discovered so far.
"I'm convinced that OS X security is lacking," he told delegates.
"It's trivial to write new OS X malware that can bypass everything."
Addressing why he was making the vulnerabilities public, he said: "If I can do it, nation states and adversaries can and probably are doing it."
Some elements of the vulnerabilities he and other researchers have discovered have been found "in the wild", he said, the term given to threats being exploited on real users.
Trusted files
Mr Wardle's research focused considerably on one piece of Apple software known as Gatekeeper. This is a program which warns the user when they are opening a file that is not from a "trusted" source.
Its default setting is to only allow programs downloaded from Apple's App Store and trusted third-party developers.
This means, according to Apple's website: "If an app was developed by an unknown developer — one with no Developer ID — Gatekeeper can keep your Mac safe by blocking the app from being installed."
But his methods demonstrated a method of circumventing this protection, using "dynamic libraries" to inject malicious code into trusted programs.
iCloud malware
Mr Wardle had strong criticisms of Apple's built in antivirus program, XProtect. The software, which detects and blocks known malware, warning the user in the process, could be tricked by essentially renaming the malware.
The researcher also tested various different paid antivirus products on the market, and concluded that they suffer similar problems as XProtect.
In one case, he noted that some antivirus programs consider Apple's iCloud system - the online storage service it offers all users of its products - to be a "trusted" source.
This means Mr Wardle was able to use iCloud to host an attack's Command and Control server, the part of an attack that controls the malware's operation. Implicit trust of iCloud servers is a problem.
"Normally malware (on a user's computer) would have its outgoing network connections blocked since they are untrusted," explained Mr Wardle to the BBC.
"But if they go to iCloud, the security products let them out."
Apple love
Mr Wardle noted that Apple has been receptive to his research in the past, but that the methods he described were still vulnerable.
He has created free software - called Objective-See - to address the issues he outlined.
A request from the BBC to Apple has gone unanswered at the time of publication.
Mr Wardle said: "I've shared this with Apple, and they have patched or fixed some of the bugs.
"The problem is, in some cases their patches are insufficient, so I can bypass the patch.
"I always (first) share my research with Apple and only disclose details once they have released a patch."
Concluding his talk, Mr Wardle said his work was motivated by a love for Apple and its products.
"I don't think they love me," he added. "But I can handle that."
Follow Dave Lee on Twitter @DaveLeeBBC, external
- Published10 July 2015
- Published24 July 2015
- Published31 July 2015
- Published4 August 2015