How An Ex-Hacker From The NSA Dominated Def Con Conference
A security researcher demonstrated at the recent Def Con security conference that a Mac running Apple's High Sierra operating system can be hacked by changing just two lines of code.
The demonstration was given by Patrick Wardle, an ex-NSA hacker who is currently Chief Research Officer at Digita Security. The Hacker News, in a report dated August 13, 2018, explains the vulnerability and how it was found. The report says, "Your Mac computer running the Apple's latest High Sierra operating system can be hacked by tweaking just two lines of code, a researcher demonstrated at the Def Con security conference on Sunday."
The report further says: "Patrick Wardle, an ex-NSA hacker and now Chief Research Officer of Digita Security, uncovered a critical zero-day vulnerability in the macOS operating system that could allow a malicious application installed in the targeted system to virtually 'click' objects without any user interaction or consent."
Patrick Wardle himself explains, “Via a single click, countless security mechanisms may be completely bypassed. Run the untrusted app? Click …allowed. Authorize keychain access? Click …allowed. Load 3rd-party kernel extension? Click …allowed. Authorize an outgoing network connection? Click …allowed.”
Wardle notes that security-conscious users may heed warning dialogs and keep malicious code at bay, but the situation changes when the clicks are generated by software rather than by a human. Wardle says, "Luckily security-conscious users will (hopefully) heed such warning dialogues—stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way? Well, then everything pretty much goes to hell."
Wardle adds that OS vendors such as Apple are aware of this attack vector and design their user interfaces to resist it, but that the defence has not held. He explains, "Of course OS vendors such as Apple are keenly aware of this 'attack' vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately, they failed."
The Hacker News further states, "macOS code itself offers synthetic clicks as an accessibility feature for disabled people to interact with the system interface in non-traditional ways, but Apple has put some limitations to block malware from abusing these programmed clicks…Wardle accidentally discovered that High Sierra incorrectly interprets two consecutive synthetic mouse 'down' events as a legitimate click, allowing attackers to programmatically interact with security warnings as well that ask users to choose between 'allow' or 'deny' and access sensitive data or features."
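To make "synthetic click" concrete, the following is an added example and not code from the article or from Wardle's research: it posts an ordinary programmed left click (a mouse-down followed by a mouse-up) using Quartz Event Services, the public macOS API that accessibility tools use for exactly this purpose. The target coordinate and the 50 ms pause are assumptions chosen for illustration. It deliberately sends only the legitimate down/up pair; the report's finding is that High Sierra also accepted two consecutive down events as a click, which this example does not reproduce.

```swift
// Added example, not from the article: post one synthetic left click at a
// screen coordinate with Quartz Event Services (CoreGraphics). Build and run
// on macOS with `swiftc click.swift -o click && ./click`.
import Foundation
import CoreGraphics

/// Post a synthetic left click (mouse-down then mouse-up) at `point`.
/// Returns false if either event could not be created.
func postSyntheticClick(at point: CGPoint) -> Bool {
    guard let down = CGEvent(mouseEventSource: nil, mouseType: .leftMouseDown,
                             mouseCursorPosition: point, mouseButton: .left),
          let up = CGEvent(mouseEventSource: nil, mouseType: .leftMouseUp,
                           mouseCursorPosition: point, mouseButton: .left) else {
        return false
    }
    // A real click is a down event followed by an up event at the same location;
    // the report describes High Sierra wrongly treating down+down the same way.
    down.post(tap: .cghidEventTap)
    usleep(50_000)   // assumed pause so the receiver sees two distinct events
    up.post(tap: .cghidEventTap)
    return true
}

// CGEvent coordinates are screen points with the origin at the top-left of
// the main display. The point below is an assumed placeholder; set it to the
// location of a button in a test app you control.
let target = CGPoint(x: 640, y: 400)
if postSyntheticClick(at: target) {
    print("posted synthetic click at \(target)")
} else {
    print("failed to create mouse events")
}
```

Run this against a harmless test window rather than a security prompt. On macOS 10.14 (Mojave) and later, posting events into other applications this way is gated by the Accessibility permission under System Preferences, so a fresh binary will trigger a consent prompt or have its events dropped; that gating is the mitigation the report refers to.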
Patrick Wardle has yet to publish the technical details of this vulnerability, which he says is found in all recent versions of macOS and allows "unprivileged code to interact with any UI component including 'protected' security dialogues." He explains that this vulnerability (CVE-2017-7150) can be used to "…programmatically bypass Apple's touted 'User-Approved Kext' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more!"
Wardle found the bug by accident while copying and pasting code. The Hacker News report says that Apple's next version of macOS already contains a mitigation: "However, the Apple's next version of macOS, Mojave, already has mitigated the threat by blocking all synthetic events, which eventually reduces the scope of accessibility features on applications that legitimately use this feature."
Kevin Jones
Kevin Jones, Ph.D., is a research associate and cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. He is currently a freelance writer covering the latest security news and related developments. He has authored numerous articles and exploits, which can be found on popular sites such as hackercombat.com.