Apple works hard to keep its software secure. Beyond the basic protections that prevent malware infections in the first place, the company’s engineers also built several defense-in-depth methods designed to reduce the damage that can happen once a Mac is compromised. Now, Patrick Wardle, a former National Security Agency hacker and macOS security expert has revealed a critical flaw that affects many of these secondary safeguards.
In a presentation at the Def Con hacker conference in Las Vegas over the weekend, Wardle said it’s not necessary for a single domain attack or malware to bypass many security measures by targeting them at the user interface level. When these security systems detect a malicious activity, they will block that activity and then display an alert or warning. By exploiting various programming interfaces built into macOS, malicious code can generate a system input to interact or even remove such alerts. This “synthetic press,” as Wardle called it, works almost immediately and can be done in a way that is invisible to the user.
“The ability to synthetically interact with thousands of security triggers allows you to perform a variety of malicious actions,” Wardle told Ars. “Many of Apple’s secrets and security-in-depth defenses can be unreasonably compromised.”
With the ability to generate synthetic keys, an attacker, for example, could bypass many Apple-related security requirements. On recent versions of macOS, Apple has added a confirmation window that requires users to click the OK button before an installed app can access local area, contacts, or calendar information stored on the Mac. Apple engineers added the requirement to act as the next security. Even if a machine is infected by malware, the thinking goes, a malicious application will not be able to copy this sensitive data without the owner’s express permission.
Although many of Apple’s security alerts attempt to detect and ignore synthetic clicks, Wardle discovered that secret alerts, even on a fully updated High Sierra system, are not secure. “What’s the point of showing an alert, if the malware can be easily removed?” he asked.
In the past, malware has exploited such synthetic inputs to perform various malicious actions. For example, the sneaky Genio adware, the DevilRobber money-mining malware, and the deceptive Fruitfly malware that stole millions of images from infected Macs over a 13-year period all used synthetic keys to bypass security-in-depth warnings.
Apple responds to these counterfeit products by improving the security of its operating system. Now, in recent versions of macOS, security alerts and triggers will ignore synthetic events. At least that’s the idea. In his presentation, Wardle first described how an attacker could exploit a macOS feature called “mouse buttons” that will convert keyboard strokes to mouse movements. Mouse buttons allow a user to move the mouse up, down, right or left, or in diagonal directions by pressing certain buttons as pictured below:
However, Wardle describes how an attacker or malware can also use “mouse key” events to generate synthetic mouse clicks that will be captured, even by “protected” security alerts. After creating a proof-of-concept attack that could compromise and remove the keychain access token and expose a user’s unencrypted passwords and private keys, he reported the issue to Apple, which issued an additional update to patch like CVE-2017-7150. Now “mouse keys” are ignored by security alerts, and keychain access always requires a user password.
But even after Apple issues the patch, the warnings can still go through. While testing an older attack, Wardle mistakenly copied and pasted some code. Without realizing the error, he ran the code, which was amazing for him to send synthetic clicks to the security alerts, even on a full high Sierra system. Digging deeper, he found that his buggy code was sending two mouse “down” events (instead of the typical mouse down, mouse up event).
“The system converts a second mouseover event to a mouseup event” he notes. “But since this mouse-up event is generated by the system, it allows you to interact with security prompts.” As a result of this issue, Wardle is able to completely bypass warnings when doing many things that have serious security and privacy consequences. The worst is navigating Apple’s new security system designed to prevent system loading of “kexts,” which are kernel extensions that run with the base of macOS.
Apple representatives did not respond to an email seeking comment for this post. Wardle, for his part, said the bypass raised questions about how the company rolled out the improvements. “I didn’t try to find a gateway, but I discovered a way to completely break the basic security mechanism,” said Wardle, who is the developer of the program. Purpose-See Mac tools and head of research at Digita Security. “If the security system falls down so easily, don’t they test this? I’m almost ashamed to talk about it.”
This post has been rewritten for clarity and grammar corrections.