Vulnerability Allows for Remote Hacking of a Brand-New Mac During Setup Process

Apple’s rock-solid supply chain might be churning out new Macs that are already hacked.

According to a new report from Wired, researchers at the Black Hat security conference revealed an exploit that allows hackers to compromise a Mac the first time it connects to Wi-Fi. The bug targets Mac devices that are part of Apple’s Device Enrollment Program (DEP) and Mobile Device Management (MDM) platform.

Basically, the tools in question, the Device Enrollment Program and Mobile Device Management, let an enterprise's employees walk through the setup of a company-managed Mac on their own. They work even when the employee is at home or on different premises.

The tools allow companies to ship computers directly from Apple warehouses to employees. Devices configure themselves to join the company ecosystem as soon as they connect to Wi-Fi for the first time. The flaw, however, allows hackers to put malware onto the computers remotely, meaning that the computer is already compromised even before the user takes it out of the box and turns it on.

“We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time,” said Jesse Endahl, the chief security officer at the Mac management company Fleetsmith. “By the time they’re logging in, by the time they see the desktop, the computer is already compromised.”

Wired explained how it works:

When a Mac turns on and connects to Wi-Fi for the first time, it checks in with Apple’s servers essentially to say, ‘Hey, I’m a MacBook with this serial number. Do I belong to someone? What should I do?’

If the serial number is enrolled as part of DEP and MDM, that first check will automatically initiate a predetermined setup sequence, through a series of additional checks with Apple’s servers and an MDM vendor’s servers. Companies typically rely on a third-party MDM facilitator to navigate Apple’s enterprise ecosystem. During each step, the system uses ‘certificate pinning,’ a method of confirming that particular web servers are who they claim. But the researchers found a problem during one step. When MDM hands off to the Mac App Store to download enterprise software, the sequence retrieves a manifest for what to download and where to install it without pinning to confirm the manifest’s authenticity.

If a hacker could lurk somewhere between the MDM vendor’s web server and the victim device, they could replace the download manifest with a malicious one that instructs the computer to instead install malware.
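The step Wired describes is a download whose server identity is not pinned, so an interposed server can hand back a different manifest. As an added illustration, not code from Apple, Fleetsmith or Wired, the following shows what such a pinned fetch looks like: the client records a SHA-256 fingerprint of the vendor's leaf certificate ahead of time and refuses to read the manifest body unless the certificate presented on the connection matches. The host name, path and the certificate byte strings are constructed placeholders; real deployments more often pin the public key (SPKI) rather than the whole certificate so that routine renewals do not break the pin, but the check has the same shape.

```python
"""Pinned manifest download (added example; host, path and cert bytes are constructed)."""
import base64
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the presented leaf certificate matches none of the recorded pins."""


def cert_pin(der_cert):
    """Base64 SHA-256 fingerprint of a DER-encoded certificate.

    This is the value an operator records ahead of time as the expected pin
    for the MDM/manifest host.
    """
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def check_pin(der_cert, expected_pins):
    """True only if the presented certificate's fingerprint is in the pin set."""
    return cert_pin(der_cert) in set(expected_pins)


def fetch_manifest_pinned(host, path, expected_pins, port=443, timeout=10):
    """Fetch a manifest over TLS, reading no body unless the leaf cert is pinned.

    create_default_context() still validates the chain against the system trust
    store; the pin is an additional check on top of it, which is what stops a
    server holding some other valid certificate from substituting the manifest.
    Requires network access, so it is not exercised by the offline demo below.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not check_pin(leaf, expected_pins):
                # Abort before any application data is read or acted on.
                raise PinMismatch(
                    f"{host}: leaf pin {cert_pin(leaf)} not in expected set"
                )
            request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    response = b"".join(chunks)
    _headers, _sep, body = response.partition(b"\r\n\r\n")
    return body


def offline_demo():
    """Simulate the handoff with constructed certificate bytes (not real DER).

    Returns (genuine_accepted, substituted_accepted) so the outcome can be
    checked without a network connection.
    """
    genuine_leaf = b"constructed DER bytes standing in for the vendor's certificate"
    substituted_leaf = b"constructed DER bytes standing in for an interposed certificate"
    # The pin set is recorded out of band, e.g. baked into the enrollment client.
    expected_pins = {cert_pin(genuine_leaf)}
    return check_pin(genuine_leaf, expected_pins), check_pin(substituted_leaf, expected_pins)


if __name__ == "__main__":
    accepted, rejected = offline_demo()
    print(f"genuine certificate accepted: {accepted}")
    print(f"substituted certificate accepted: {rejected}")
```

The defensive value is in where the check sits: the pin is compared before a single byte of the manifest is read, so a substituted manifest is never parsed, let alone acted on. If the pin set is itself delivered over the same unpinned channel, the check adds nothing; it has to ship with the client or arrive over a connection that is already pinned.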

The researchers say they notified Apple about the issues. Apple fixed the vulnerability in macOS High Sierra 10.13.6, but devices that shipped with an older version of macOS may be vulnerable.

Read Wired’s full report on the flaw here.